diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md new file mode 100644 index 000000000000..216448a3cdb5 --- /dev/null +++ b/.claude/CLAUDE.md 
@@ -0,0 +1,301 @@ +# ComplianceAsCode/content + +## Project Overview + +This repository produces SCAP data streams, Ansible playbooks, Bash scripts, and other artifacts for compliance scanning and remediation. + +Each supported operating system or platform is called a **product**. To see the full list of products, check the subdirectories under `products/` — each subdirectory name is a product ID (e.g., `rhel9`, `ocp4`, `ubuntu2404`). Product-specific configuration lives in `products//product.yml`. + +## Repository Structure + +``` +applications/openshift/ # OCP4 and Kubernetes rules, organized by component +linux_os/guide/ # Linux rules (RHEL, RHCOS, etc.), organized by system area +controls/ # Compliance framework mappings (CIS, STIG, SRG, NIST, etc.) +products/ # Product definitions, profiles, and product-specific controls +shared/templates/ # Reusable check/remediation templates (60+ types) +shared/macros/ # Jinja2 macro files for generating OVAL, Ansible, Bash, etc. +components/ # Component definitions mapping rules to packages/groups +``` + +### Discovering Rule Directories + +- **OCP4/Kubernetes rules** live under `applications/openshift/`, organized by component (e.g., `api-server/`, `kubelet/`, `etcd/`). Each component directory contains rule subdirectories. The rule ID prefix typically matches the component directory name with hyphens replaced by underscores (e.g., rules in `api-server/` use the `api_server_` prefix). Browse `applications/openshift/` to see all component directories. +- **Linux rules** (RHEL, RHCOS, Fedora, Ubuntu, etc.) live under `linux_os/guide/`, organized by system area (e.g., `system/`, `services/`, `auditing/`). Browse the subdirectories to find the appropriate category for a rule. +- When placing a new rule, find 2-3 existing rules with a similar prefix or topic and place the new rule alongside them. + +## Rule Format + +Each rule lives in its own directory. The **directory name is the rule ID**. 
The directory contains `rule.yml` and optionally a `tests/` subdirectory. + +### `rule.yml` Fields + +```yaml +documentation_complete: true # Must be true for the rule to be built + +title: 'Short descriptive title' + +description: |- # Full description, supports HTML tags and Jinja2 macros + Description text here. + +rationale: |- # Why this rule matters + Rationale text here. + +severity: medium # low, medium, high, unknown + +identifiers: # Product-specific CCE identifiers + cce@ocp4: CCE-XXXXX-X + cce@rhel9: CCE-XXXXX-X + +references: # Compliance framework references + cis@ocp4: 1.2.3 # CIS benchmark section + nist: CM-6,CM-6(1) # NIST 800-53 controls + srg: SRG-APP-000516-CTR-001325 # DISA SRG ID + stigid@rhel9: RHEL-09-XXXXXX # STIG rule ID (product-scoped) + nerc-cip: CIP-003-8 R6 # NERC CIP references + pcidss: Req-2.2 # PCI DSS requirements + +ocil_clause: 'condition when rule fails' # Used in OCIL questionnaire + +ocil: |- # Manual check instructions + Run the following command: +
$ oc get ...
+ +platform: ocp4 # Platform applicability (optional) + +warnings: # Optional warnings section + - general: |- + Warning text, often includes openshift_cluster_setting macro. + +template: # Optional - uses a shared template for checks + name: yamlfile_value + vars: + ocp_data: "true" + filepath: '/api/path/here' + yamlpath: '.spec.field' + values: + - value: 'expected_value' + operation: "pattern match" + +fixtext: 'Remediation instructions' # STIG fixtext (optional) +srg_requirement: 'SRG requirement' # SRG requirement text (optional) +``` + +## Templates + +Templates generate OVAL checks, Ansible playbooks, and Bash remediation scripts automatically. + +### `yamlfile_value` (primary OCP4 template) + +Checks values in YAML/JSON files or API responses. + +```yaml +template: + name: yamlfile_value + vars: + ocp_data: "true" # "true" for OCP API data + filepath: '/apis/...' # API path or file path + yamlpath: '.spec.config.field' # JSONPath-like expression + check_existence: "at_least_one_exists" # Optional existence check + entity_check: "at least one" # How to evaluate multiple matches + values: + - value: 'expected' # Expected value or regex + type: "string" # string, int, boolean + operation: "pattern match" # equals, not equal, pattern match, + # greater than or equal, less than or equal + entity_check: "at least one" # Per-value entity check +``` + +### `file_permissions` (RHEL) + +```yaml +template: + name: file_permissions + vars: + filepath: /etc/cron.d/ + filemode: '0700' +``` + +### `shell_lineinfile` (RHEL) + +```yaml +template: + name: shell_lineinfile + vars: + path: '/etc/sysconfig/sshd' + parameter: 'SSH_USE_STRONG_RNG' + value: '32' + datatype: int # Optional + no_quotes: 'true' # Optional +``` + +### `sysctl` (RHEL) + +```yaml +template: + name: sysctl + vars: + sysctlvar: net.ipv6.conf.all.accept_ra + datatype: int +``` + +### `service_enabled` / `service_disabled` (RHEL) + +```yaml +template: + name: service_disabled + vars: + servicename: avahi 
+``` + +### `package_installed` / `package_removed` (RHEL) + +```yaml +template: + name: package_removed + vars: + pkgname: avahi + pkgname@ubuntu2204: avahi-daemon # Platform-specific overrides +``` + +## Common Jinja2 Macros + +Used in rule descriptions, OCIL, fixtext, and warnings fields: + +- `{{{ openshift_cluster_setting("/api/path") }}}` - Generates OCP API check instructions +- `{{{ openshift_filtered_cluster_setting({'/api/path': jqfilter}) }}}` - Filtered API check with jq +- `{{{ openshift_filtered_path('/api/path', jqfilter) }}}` - Generates filtered filepath for templates +- `{{{ full_name }}}` - Expands to product full name (e.g., "Red Hat Enterprise Linux 9") +- `{{{ xccdf_value("var_name") }}}` - References an XCCDF variable +- `{{{ weblink("https://...") }}}` - Creates an HTML link +- `{{{ describe_service_disable(service="name") }}}` - Standard service disable description +- `{{{ describe_service_enable(service="name") }}}` - Standard service enable description +- `{{{ describe_file_permissions(file="/path", perms="0700") }}}` - File permission description +- `{{{ describe_sysctl_option_value(sysctl="key", value="val") }}}` - Sysctl description +- `{{{ complete_ocil_entry_sysctl_option_value(sysctl="key", value="val") }}}` - Full OCIL for sysctl +- `{{{ complete_ocil_entry_package(package="name") }}}` - Full OCIL for package check +- `{{{ fixtext_package_removed("name") }}}` - Fixtext for package removal +- `{{{ fixtext_sysctl("key", "value") }}}` - Fixtext for sysctl setting +- `{{{ fixtext_directory_permissions(file="/path", mode="0600") }}}` - Fixtext for dir permissions + +## Control File Format + +Control files map compliance framework requirements to rules. 
They exist in two layouts: + +### Single-file format + +```yaml +# controls/stig_rhel9.yml (or products/rhel9/controls/stig_rhel9.yml) +policy: 'Red Hat Enterprise Linux 9 STIG' +title: 'DISA STIG for RHEL 9' +id: stig_rhel9 +source: https://www.cyber.mil/stigs/downloads/ +version: V2R7 +reference_type: stigid +product: rhel9 + +levels: + - id: high + - id: medium + - id: low + +controls: + - id: RHEL-09-211010 + levels: + - high + title: RHEL 9 must be a vendor-supported release. + rules: + - installed_OS_is_vendor_supported + status: automated +``` + +### Split-directory format + +``` +controls/cis_ocp.yml # Top-level: policy, title, id, levels +controls/cis_ocp/ # Directory with section files + section-1.yml # Controls for section 1 + section-2.yml # Controls for section 2 + ... +``` + +Section files contain nested controls: + +```yaml +controls: + - id: '1' + title: Control Plane Components + controls: + - id: '1.1' + title: Master Node Configuration Files + controls: + - id: 1.1.1 + title: Ensure that the API server pod specification... + status: automated + rules: + - file_permissions_kube_apiserver + levels: + - level_1 +``` + +### Control entry fields + +- `id` - Control identifier (e.g., "RHEL-09-211010", "1.2.3") +- `title` - Human-readable title +- `levels` - Applicable compliance levels +- `rules` - List of rule IDs that satisfy this control +- `status` - `automated`, `manual`, `inherently met`, `does not meet`, `pending`, `not applicable` +- `notes` - Optional notes explaining status or implementation + +## Profile File Format + +Profiles select which rules apply to a product. Located at `products//profiles/.profile`. + +```yaml +documentation_complete: true +title: 'Profile Title' +description: |- + Profile description text. 
+platform: ocp4 +metadata: + version: V2R7 + SMEs: + - github_username + +selections: + - control_id:all # Include all rules from a control file + - rule_id # Include a specific rule + - '!rule_id' # Exclude a specific rule + - var_name=value # Set a variable value +``` + +Common selection patterns: +- `stig_rhel9:all` - Pull in all rules from the stig_rhel9 control file +- `cis_ocp:all` - Pull in all rules from the cis_ocp control file +- `!audit_rules_immutable_login_uids` - Exclude a specific rule +- `var_sshd_set_keepalive=1` - Set a variable + +## Build Instructions + +```bash +# Build a single product (full build) +./build_product ocp4 + +# Build data stream only (faster, skips guides and tables) +./build_product ocp4 --datastream-only + +# Build with only specific rules (fastest, for testing individual rules) +./build_product ocp4 --datastream-only --rule-id api_server_tls_security_profile +``` + +Build output goes to `build/`. The data stream file is at: +`build/ssg--ds.xml` + +## Guidelines for Claude + +1. **Always show proposals before making changes.** Present the full content of any new or modified file and wait for explicit approval. +2. **Follow existing patterns.** Before creating a rule, find 2-3 similar existing rules and match their style exactly. +3. **Check for duplicates.** Before creating a new rule, search for existing rules that might already cover the requirement. +4. **Use the correct directory.** Find existing rules with the same prefix to determine the right directory. When in doubt, browse `applications/openshift/` or `linux_os/guide/` to find the appropriate component or category. +5. **Preserve formatting.** This project uses consistent YAML formatting. Match the indentation and style of surrounding content. +6. **Don't invent references.** Only include reference IDs (CCE, CIS, STIG, SRG, NIST) that the user provides or that exist in source documents. 
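Review bot: the "Guidelines for Claude" section in this `.claude/CLAUDE.md` hunk constrains what the agent may edit but not what it may execute, and that matters here because the "Project Overview" says the build emits Bash scripts and Ansible playbooks that remediate host configuration. Add a guideline next to item 6 stating that the agent only runs the build commands listed under "Build Instructions" (`./build_product <product> --datastream-only --rule-id <rule_id>` for quick iteration) and never applies generated remediation scripts or playbooks to the machine it is working on. Also, the `status` values listed under "Control entry fields" will be read by the agent as the complete set, so keep that list in sync with whatever values the skills are allowed to emit.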
diff --git a/.claude/skills/find-rule/SKILL.md b/.claude/skills/find-rule/SKILL.md new file mode 100644 index 000000000000..78e7b37e3f63 --- /dev/null +++ b/.claude/skills/find-rule/SKILL.md 
@@ -0,0 +1,77 @@ +--- +disable-model-invocation: true +--- + +Search for existing rules that match the following requirement: + +$ARGUMENTS + +Follow these steps: + +1. **Extract key concepts** from the requirement text. Identify: + - Technical terms (e.g., "TLS", "audit", "encryption", "RBAC") + - Component references (e.g., "API server", "kubelet", "etcd", "SSH") + - Specific settings or parameters mentioned + - Any reference IDs (SRG-xxx, CIS section numbers, STIG IDs, NIST controls) + +2. **Respect scope constraints.** If the user specifies a scope (e.g., "only OpenShift control plane", "only node-level"), restrict results to that scope. Do not return rules outside the requested scope. OCP4/Kubernetes rules live under `applications/openshift/` and Linux rules live under `linux_os/guide/`. If no scope is specified, search both. + +3. **Search broadly** across rule titles, descriptions, and template configurations: + - Search `applications/openshift/` and `linux_os/guide/` for `rule.yml` files + - Search for keywords in titles, descriptions, template vars, and reference fields + - If reference IDs were provided, search for those exact IDs in rule.yml files + +4. **Check control files** in `controls/` and `products/*/controls/` for matching control IDs or titles that already map to this requirement. + +5. **Note product applicability** for each matched rule. Check the `identifiers` section of each rule.yml for `cce@` entries (e.g., `cce@ocp4`, `cce@rhel9`). The product IDs after `@` correspond to subdirectory names under `products/`. This tells the user which products the rule applies to. + +6. **Present results** organized by match strength. For every rule, include a **Rationale** — a concise (1-2 sentence) explanation of why this rule satisfies or partially satisfies the requirement. Write the rationale so that a maintainer unfamiliar with the rule can understand the connection without reading the full rule.yml. 
Focus on *what the rule checks* and *how that maps to the requirement*. + + **Strong matches** (title or template directly addresses the requirement): + - Rule ID, file path, title, severity + - Template type and key vars (if templated) + - Matching references (SRG, CIS, STIG, NIST) + - Product applicability (which products have CCE identifiers) + - Whether the rule has an automated template or is manual review only + - **Rationale:** Why this rule is a strong match for the requirement + + **Partial matches** (related but not exact): + - Same fields as above + - **Rationale:** What aspect of the requirement this rule covers and what it does not + + **Weak matches** (tangentially related): + - Rule ID, file path, title + - **Rationale:** Why it was included despite being tangential + +7. **Include a summary table** at the end mapping requirement aspects to rule IDs, so the user can quickly see coverage. + +8. **Always suggest a control structure** with a `notes` field that includes a concise rationale for each rule, explaining why it was included for this control. This helps maintainers understand the reasoning without needing to read every rule.yml. When no strong automated matches exist, say so clearly and use `status: partial` or `status: manual` as appropriate. Example: + + ```yaml + - id: X.Y.Z + title: Control Title + status: automated + notes: |- + automated_rule_1 - Rationale for why this rule satisfies the control. + automated_rule_2 - Rationale for why this rule satisfies the control. + rules: + - automated_rule_1 + - automated_rule_2 + ``` + + For partial or manual controls, also include guidance for assessors: + + ```yaml + - id: X.Y.Z + title: Control Title + status: partial + notes: |- + automated_rule_1 - Rationale for why this rule partially covers the control. + The remaining aspects of this control require manual verification: [manual steps]. 
+ rules: + - automated_rule_1 + ``` + + When suggesting rules for partial/manual controls, only include rules that provide automated value. Omit rules that are themselves manual-only (no template, no automated check) unless they are the only matches available. + +9. **Rules can appear in multiple controls.** The build system handles this correctly. Each control should list the complete set of rules needed to satisfy it, even if some rules also appear in other controls. This ensures each control is self-contained and readers don't need to cross-reference other controls to understand coverage. diff --git a/.claude/skills/manage-profile/SKILL.md b/.claude/skills/manage-profile/SKILL.md new file mode 100644 index 000000000000..775f873fefb0 --- /dev/null +++ b/.claude/skills/manage-profile/SKILL.md 
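Review bot: step 8 of this find-rule `SKILL.md` hunk instructs the agent to use `status: partial`, but the `status` values documented in the `.claude/CLAUDE.md` hunk of this same change are `automated`, `manual`, `inherently met`, `does not meet`, `pending` and `not applicable`; `partial` is not among them, so either document it there or have the skill fall back to `manual` with the uncovered aspects recorded in `notes`. Step 5 also derives product applicability solely from `cce@` keys under `identifiers`, which will misreport rules that the `rule.yml` reference in `CLAUDE.md` shows can be scoped by a `platform:` field and by `@product` suffixes on template vars (e.g. `pkgname@ubuntu2204`); have the step consult those as well so a rule is not reported as inapplicable merely because no CCE has been assigned yet.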
@@ -0,0 +1,135 @@ +--- +disable-model-invocation: true +--- + +Create or update a versioned profile. + +Arguments: $ARGUMENTS + +Expected arguments: ` [version]` + +Actions: +- `create` — Create a new versioned profile pair (versioned + unversioned) +- `update` — Bump an existing profile to a new version + +For example: +- `create cis ocp4 1.7.0` +- `update cis ocp4 1.8.0` + +## Background: Profile Versioning Pattern + +This project uses a two-file versioning pattern for profiles (browse existing profiles under `products//profiles/` for examples): + +- **Versioned profile** (e.g., `cis-v1-7-0.profile`): Contains the actual `selections`, `metadata.version`, and all profile configuration. Users pin to this for a stable baseline. +- **Unversioned profile** (e.g., `cis.profile`): Contains `extends: cis-v1-7-0` and no `selections` of its own. Users referencing this always get the latest version. + +When multiple products are specified (e.g., `ocp4,rhcos4`), both profile pairs are created/updated under their respective `products//profiles/` directories. + +--- + +## Action: `create` + +### Step 1: Validate + +1. Parse the product list (comma-separated). Valid product IDs are subdirectory names under `products/`. +2. Verify `products//profiles/` exists for each product. +3. Check that the profile does not already exist. If it does, suggest using `update` instead. +4. Convert the version to a filename-safe format by replacing dots with dashes (e.g., `2.0.0` → `v2-0-0`). + +### Step 2: Check for a Control File + +Check if a control file exists that matches the profile name. Control files live under `controls/` and `products/*/controls/`, typically named `_.yml` or as a split directory with the same base name. If found: + +1. Read the control file's top-level YAML to check the `product` field. +2. If the `product` field does not list all the products from the argument, warn the user and offer to update it. 
A control file needs all target products listed in its `product` field to work with each product's profile. Check existing multi-product control files for examples of this pattern. + +### Step 3: Show the Proposed Files + +For each product, show the two files that will be created: + +**Versioned profile** (`products//profiles/-.profile`): +```yaml +--- +documentation_complete: true + +title: ' for <Product Full Name>' + +platform: <product> + +metadata: + version: <Version> + +description: |- + <Description text.> + +selections: + - <control_id>:all +``` + +**Unversioned profile** (`products/<product>/profiles/<name>.profile`): +```yaml +--- +documentation_complete: true + +title: '<Title> for <Product Full Name>' + +platform: <product> + +metadata: + version: <Version> + +description: |- + <Description text.> + +extends: <name>-<version> +``` + +Ask the user to confirm before creating. + +### Step 4: Apply + +Create all files for each product after approval. + +--- + +## Action: `update` + +### Step 1: Validate + +1. Parse the product list. +2. Locate the existing unversioned profile for each product at `products/<product>/profiles/<name>.profile`. +3. Read the unversioned profile to find the current `extends` target (e.g., `cis-v1-7-0`). +4. Read the current versioned profile to get its `selections` and other configuration. +5. Convert the new version to filename-safe format (e.g., `2.1.0` → `v2-1-0`). + +If the unversioned profile doesn't use `extends`, warn the user that it doesn't follow the versioning pattern and offer to convert it. + +### Step 2: Show the Proposed Changes + +For each product, show what will happen: + +1. **New versioned profile** (`<name>-<new_version>.profile`): Created with the same `selections` as the current versioned profile (the user can modify selections afterward). +2. **Previous versioned profile** (`<name>-<old_version>.profile`): Add `status: deprecated` to mark it as superseded. +3. 
**Unversioned profile** (`<name>.profile`): Update `extends` to point to the new version and update `metadata.version`. + +Ask the user to confirm before applying. + +### Step 3: Apply + +After approval: + +1. Create the new versioned profile by copying the current versioned profile's content and updating `metadata.version`. +2. Add `status: deprecated` to the previous versioned profile. +3. Update the unversioned profile's `extends` field to reference the new versioned profile. +4. Update the unversioned profile's `metadata.version` to the new version. +5. Show the final state of all modified/created files. + +--- + +## Notes + +- **Product full names** for titles/descriptions: Read the `full_name` field from `products/<product>/product.yml` for each product. +- **Version format in filenames**: Replace dots with dashes and prefix with `v` (e.g., `2.0.0` → `v2-0-0`, `V2R3` → `v2r3`). +- **Version format in metadata**: Use the version as provided by the user (e.g., `V2.0.0`, `V2R3`). +- Always show the full proposed file contents before creating or modifying. +- When updating, preserve all existing `selections`, `filter_rules`, variables, and other configuration from the current versioned profile. diff --git a/.github/workflows/automatus-cs9.yaml b/.github/workflows/automatus-cs9.yaml index 08e494a96134..3a56db1f7708 100644 --- a/.github/workflows/automatus-cs9.yaml +++ b/.github/workflows/automatus-cs9.yaml @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json 
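Review bot: the filename normalisation in this manage-profile `SKILL.md` hunk is underspecified in a way that will produce inconsistent file names: `create` Step 1 says "replacing dots with dashes (e.g., `2.0.0` → `v2-0-0`)", the Notes say "prefix with `v`" yet give `V2R3` → `v2r3` (a lowercase conversion, not a prefix), and the metadata example `V2.0.0` would become `vV2-0-0` if the prefix rule is applied literally. State the algorithm once (strip a leading `v`/`V`, lowercase, replace dots with dashes, prefix `v`) and reference it from both actions. Separately, `update` Step 1 never checks whether `<name>-<new_version>.profile` already exists before Step 3 creates it, whereas `create` Step 1 item 3 does; re-running `update` with the same version would silently overwrite a published baseline and mark the previous profile `status: deprecated` a second time, so add the same existence check and abort with a message if the target file is present.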
@@ -58,7 +58,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product rhel9 --derivatives - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -73,7 +73,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json @@ -130,7 +130,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ @@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ 
diff --git a/.github/workflows/automatus-debian12.yaml b/.github/workflows/automatus-debian12.yaml index 396b65549587..5632fdfba0fb 100644 --- a/.github/workflows/automatus-debian12.yaml +++ b/.github/workflows/automatus-debian12.yaml @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -65,7 +65,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product debian12 - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -80,7 +80,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json @@ -146,7 +146,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} 
@@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ @@ -183,7 +183,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-sanity.yaml b/.github/workflows/automatus-sanity.yaml index c5e958fb7d5f..a54fa84f19c9 100644 --- a/.github/workflows/automatus-sanity.yaml +++ b/.github/workflows/automatus-sanity.yaml @@ -22,7 +22,7 @@ jobs: fetch-depth: 0 - name: Build product run: ./build_product fedora --debug - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: ${{ env.DATASTREAM }} path: build/${{ env.DATASTREAM }} @@ -49,7 +49,7 @@ jobs: sudo chown root:root /usr/local/bin/oscap-ssh rm -f oscap-ssh - name: Get Datastream - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 with: name: ${{ env.DATASTREAM }} - name: Check One Rule diff --git a/.github/workflows/automatus-sle15.yaml b/.github/workflows/automatus-sle15.yaml index a0d833cec24b..d9b4a40e2bd5 100644 --- a/.github/workflows/automatus-sle15.yaml +++ b/.github/workflows/automatus-sle15.yaml 
@@ -48,7 +48,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -66,7 +66,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product sle15 - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -81,7 +81,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json @@ -138,7 +138,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -159,7 +159,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ 
@@ -175,7 +175,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-ubi8.yaml b/.github/workflows/automatus-ubi8.yaml index 411e2ea05700..79036463cb87 100644 --- a/.github/workflows/automatus-ubi8.yaml +++ b/.github/workflows/automatus-ubi8.yaml @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -58,7 +58,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product rhel8 --derivatives - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -73,7 +73,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json 
@@ -130,7 +130,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ @@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml index e43f19b9b6b0..08edc1f8b6de 100644 --- a/.github/workflows/automatus-ubuntu2204.yaml +++ b/.github/workflows/automatus-ubuntu2204.yaml @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json 
@@ -65,7 +65,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ubuntu2204 - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -80,7 +80,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json @@ -146,7 +146,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ @@ -183,7 +183,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ 
diff --git a/.github/workflows/automatus-ubuntu2404.yml b/.github/workflows/automatus-ubuntu2404.yml index 95a264ffb007..c671289ba934 100644 --- a/.github/workflows/automatus-ubuntu2404.yml +++ b/.github/workflows/automatus-ubuntu2404.yml @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -58,7 +58,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ubuntu2404 --datastream-only - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} @@ -73,7 +73,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json @@ -122,7 +122,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ${{ env.DATASTREAM }} 
@@ -143,7 +143,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ @@ -159,7 +159,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/automatus.yaml b/.github/workflows/automatus.yaml index ad3c7dcc319b..883604aa1f77 100644 --- a/.github/workflows/automatus.yaml +++ b/.github/workflows/automatus.yaml @@ -38,7 +38,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: output.json @@ -56,7 +56,7 @@ jobs: - name: Build product if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} run: ./build_product ${{steps.product.outputs.prop}} --datastream-only - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ssg-${{steps.product.outputs.prop}}-ds.xml 
@@ -73,7 +73,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 - name: Get cached CTF output - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 id: get_ctf_output with: name: output.json @@ -130,7 +130,7 @@ jobs: with: path: 'output.json' prop_path: 'ansible' - - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v4 + - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ssg-${{steps.product.outputs.prop}}-ds.xml @@ -151,7 +151,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_bash path: logs_bash/ @@ -167,7 +167,7 @@ jobs: continue-on-error: true - name: Upload logs in case of failure if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: logs_ansible path: logs_ansible/ diff --git a/.github/workflows/compare-ds-build.yml b/.github/workflows/compare-ds-build.yml index 55eafa329eca..a57473e1bf4d 100644 --- a/.github/workflows/compare-ds-build.yml +++ b/.github/workflows/compare-ds-build.yml 
@@ -61,7 +61,7 @@ jobs: tar -czvf artifacts.tar.gz artifacts - name: Upload artifacts if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: pr-artifacts-${{ github.event.pull_request.head.sha }} retention-days: 1 @@ -74,7 +74,7 @@ jobs: echo "${{ github.base_ref }}" > pr-info/base-branch.txt echo "${{ steps.fork_point.outputs.FORK_POINT }}" > pr-info/fork-point.txt - name: Upload PR info - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: pr-info retention-days: 1 diff --git a/.github/workflows/compare-ds.yaml b/.github/workflows/compare-ds.yaml index bb4b4041b990..dc30f49ffc4d 100644 --- a/.github/workflows/compare-ds.yaml +++ b/.github/workflows/compare-ds.yaml @@ -20,7 +20,7 @@ jobs: - name: Install deps python run: pip install gitpython xmldiff - name: Download PR info - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} run-id: ${{ github.event.workflow_run.id }} @@ -72,7 +72,7 @@ jobs: prop_path: 'product' - name: Download built product ${{ steps.pr_info.outputs.base_branch }} (${{ steps.pr_info.outputs.fork_point }}) if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} name: pr-artifacts-${{ github.event.workflow_run.head_sha }} 
@@ -86,7 +86,7 @@ jobs: run: ./build_product ${{steps.product.outputs.prop}} --datastream-only - name: Compare datastreams if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} - run: utils/compare_ds.py pr_artifacts/artifacts/ssg-${{steps.product.outputs.prop}}-ds.xml build/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log + run: utils/compare_ds.py build/ssg-${{steps.product.outputs.prop}}-ds.xml pr_artifacts/artifacts/ssg-${{steps.product.outputs.prop}}-ds.xml | tee diff.log env: PYTHONPATH: ${{ github.workspace }} - name: Test if there are datastream changes diff --git a/.github/workflows/gate-lint-ansible-roles.yaml b/.github/workflows/gate-lint-ansible-roles.yaml index 4677e8c16fd9..dd540cb2beed 100644 --- a/.github/workflows/gate-lint-ansible-roles.yaml +++ b/.github/workflows/gate-lint-ansible-roles.yaml @@ -20,7 +20,7 @@ jobs: run: cmake -DSSG_PRODUCT_RHEL8=ON -DSSG_PRODUCT_RHEL9=ON -DSSG_PRODUCT_RHEL10=ON -G Ninja .. working-directory: ./build - name: Build - run: ninja -j2 rhel10-profile-playbooks rhel9-profile-playbooks rhel8-profile-playbooks + run: ninja -j$(nproc) rhel10-profile-playbooks rhel9-profile-playbooks rhel8-profile-playbooks working-directory: ./build - name: Build Ansible Roles run: PYTHONPATH=. python3 utils/ansible_playbook_to_role.py --build-playbooks-dir ./build/ansible/ --dry-run ./build/ansible_roles diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml index ac71f9dcd90c..ed304455555f 100644 --- a/.github/workflows/gate.yaml +++ b/.github/workflows/gate.yaml @@ -37,7 +37,7 @@ jobs: - name: Build run: ./build_product sle12 sle15 - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-suse: 
@@ -55,7 +55,7 @@ jobs: env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-debian: @@ -81,7 +81,7 @@ jobs: ./build_product debian11 debian12 debian13 - name: Test working-directory: ./build - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids validate-ubuntu-22-04: name: Build, Test on Ubuntu 22.04 @@ -99,7 +99,7 @@ jobs: run: |- ./build_product ubuntu2204 - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-ubuntu-24-04: @@ -118,7 +118,7 @@ jobs: run: |- ./build_product ubuntu2404 - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build validate-fedora-rawhide: @@ -141,5 +141,5 @@ jobs: env: ADDITIONAL_CMAKE_OPTIONS: "-DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF" - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml index 22c686c8f9d4..27ddc8cdf3d0 100644 --- a/.github/workflows/gate_fedora.yml +++ b/.github/workflows/gate_fedora.yml @@ -24,7 +24,7 @@ jobs: run: pip install pcre2==0.4.0 -r requirements.txt -r test-requirements.txt - name: Build run: |- - ./build_product -j2 \ + ./build_product -j$(nproc) \ al2023 \ alinux2 \ alinux3 \ 
@@ -69,16 +69,9 @@ jobs: unzip /__w/content/content/old_release.zip -d /__w/content/content/old_release mv /__w/content/content/old_release/*/* /__w/content/content/old_release/ - name: Test - run: ctest -j2 --output-on-failure -E unique-stigids + run: ctest -j$(nproc) --output-on-failure -E unique-stigids working-directory: ./build - name: "Set git safe directory, ref: https://github.com/actions/checkout/issues/760" run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - name: Upload coverage to Qlty # Requires: git package - if: ${{ github.repository == 'ComplianceAsCode/content' }} - uses: qltysh/qlty-action/coverage@a19242102d17e497f437d7466aa01b528537e899 # v2.2.0 - with: - token: qltcp_kdIPsqNZzW5rYoxq - files: build/tests/coverage.xml - strip-prefix: /__w/content/content - name: Validate gitmailmap run: grep -E "\S" .mailmap | grep -Ev '^#' | git check-mailmap --stdin diff --git a/.github/workflows/gh-pages.yaml b/.github/workflows/gh-pages.yaml index b18fbe5a6814..145ef3168fe9 100644 --- a/.github/workflows/gh-pages.yaml +++ b/.github/workflows/gh-pages.yaml @@ -30,13 +30,13 @@ jobs: run: cmake .. -G Ninja -DCMAKE_BUILD_TYPE=Debug working-directory: ./build - name: Build Guides and Mapping Tables - run: ninja -j2 + run: ninja -j$(nproc) working-directory: ./build - name: Build Statistics - run: ninja html-stats html-profile-stats -j2 + run: ninja html-stats html-profile-stats -j$(nproc) working-directory: ./build - name: Render Policies (Using control files) - run: ninja render-policies -j2 + run: ninja render-policies -j$(nproc) working-directory: ./build - name: Generate Prometheus Metrics run: utils/controleval_metrics.py prometheus -p fedora ocp4 rhcos4 rhel10 rhel9 rhel8 sle12 sle15 -f ./build/policies_metrics 
@@ -63,7 +63,7 @@ jobs: git-config-name: openscap-ci git-config-email: openscap-ci@gmail.com - name: Upload artifact if the event is pull request - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: built-content diff --git a/.github/workflows/nightly_build.yml b/.github/workflows/nightly_build.yml index be4ec6457e5f..26b58412d74a 100644 --- a/.github/workflows/nightly_build.yml +++ b/.github/workflows/nightly_build.yml @@ -20,19 +20,19 @@ jobs: run: cmake -G Ninja .. working-directory: ./build - name: Build All - run: ninja -j2 all + run: ninja -j$(nproc) all working-directory: ./build - name: Build ZIP - run: ninja -j2 zipfile + run: ninja -j$(nproc) zipfile working-directory: ./build - name: Test - run: ctest -j2 --output-on-failure -E linkchecker + run: ctest -j$(nproc) --output-on-failure -E linkchecker working-directory: ./build - name: Build Package Source - run: ninja -j2 package_source + run: ninja -j$(nproc) package_source working-directory: ./build - name: 'Upload Artifact' - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 with: name: Nightly Build path: | diff --git a/.github/workflows/ocp-test-profiles.yaml b/.github/workflows/ocp-test-profiles.yaml index d294af997921..5da0a67da393 100644 --- a/.github/workflows/ocp-test-profiles.yaml +++ b/.github/workflows/ocp-test-profiles.yaml @@ -40,7 +40,7 @@ jobs: - name: Test if there are no content changes run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" ctf-output.json)" >> $GITHUB_OUTPUT id: ctf - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }} with: name: ctf-output 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 71bec17c9275..c42b14e96f7d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -19,16 +19,16 @@ jobs: run: cmake .. working-directory: ./build - name: Build All - run: make -j2 all + run: make -j$(nproc) all working-directory: ./build - name: Build ZIP - run: make -j2 zipfile + run: make -j$(nproc) zipfile working-directory: ./build - name: Test - run: ctest -j2 --output-on-failure -E linkchecker + run: ctest -j$(nproc) --output-on-failure -E linkchecker working-directory: ./build - name: Build Package Source - run: make -j2 package_source + run: make -j$(nproc) package_source working-directory: ./build - name: Set Version id: set_version @@ -39,7 +39,7 @@ jobs: GITHUB_REF: ${{ github.ref }} - name: Build Changelog id: build_changelog - uses: mikepenz/release-changelog-builder-action@6faf020194b7c8853f9e55c4fd92e40b02122a04 # v4 + uses: mikepenz/release-changelog-builder-action@a34a8009a9588bb86b02a873cf592440e96a5da8 # v4 with: configuration: .github/workflows/release-changelog.json env: diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml index 9a53ef550953..a61ee372cbb1 100644 --- a/.github/workflows/srg-mapping-table.yaml +++ b/.github/workflows/srg-mapping-table.yaml @@ -30,7 +30,7 @@ jobs: run: cmake .. -G Ninja working-directory: ./build - name: Build - run: ninja -j2 rhel10 rhel9 ocp4 + run: ninja -j$(nproc) rhel10 rhel9 ocp4 working-directory: ./build - name: Build rule dir json run: python3 utils/rule_dir_json.py 
@@ -62,33 +62,33 @@ jobs: run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r2.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html env: PYTHONPATH: ${{ github.workspace }} - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel9.xlsx path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.xlsx - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel9.html path: ${{ env.PAGES_DIR }}/srg-mapping-rhel9.html - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel10.xlsx path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.xlsx - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-rhel10.html path: ${{ env.PAGES_DIR }}/srg-mapping-rhel10.html - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-ocp4.xlsx path: ${{ env.PAGES_DIR }}/srg-mapping-ocp4.xlsx - - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 + - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4 if: ${{ github.event_name == 'pull_request' }} with: name: srg-mapping-ocp4.html 
diff --git a/.github/workflows/stabilize.yaml b/.github/workflows/stabilize.yaml index ca18e3a388c4..57a80b63e741 100644 --- a/.github/workflows/stabilize.yaml +++ b/.github/workflows/stabilize.yaml @@ -24,7 +24,7 @@ jobs: run: cmake -DSSG_OVAL_SCHEMATRON_VALIDATION_ENABLED=OFF -DANSIBLE_CHECKS=ON -DENABLE_SCAPVAL13=ON -DSCAPVAL_PATH='/opt/scapval/SCAP-Content-Validation-Tool-1.3.5/scapval-1.3.5.jar' .. working-directory: ./build - name: Build All - run: make -j2 all + run: make -j$(nproc) all working-directory: ./build - name: Get SCAPVAL run: wget $SCAPVAL_URL/$SCAPVAL_FILENAME.zip @@ -32,12 +32,12 @@ jobs: run: mkdir -p /opt/scapval/ && unar $SCAPVAL_FILENAME.zip -o /opt/scapval/ - name: Run SCAPVal # Runs SCAPVal on all built datastream - run: ctest -j2 -R scapval --output-on-failure + run: ctest -j$(nproc) -R scapval --output-on-failure - name: Lint Check # Performs ansible-lint and yamllint checks on generated ansible playbooks - run: ctest -j2 -R ansible-playbook --output-on-failure + run: ctest -j$(nproc) -R ansible-playbook --output-on-failure working-directory: ./build - name: Link Check # Performs linkcheck across all build tables and html guides to ensure there are no broken references. - run: ctest -j2 -R linkchecker --output-on-failure + run: ctest -j$(nproc) -R linkchecker --output-on-failure working-directory: ./build diff --git a/.github/workflows/sync-cac-oscal.yml b/.github/workflows/sync-cac-oscal.yml index d1b03ec3167a..b79b752ccb68 100644 --- a/.github/workflows/sync-cac-oscal.yml +++ b/.github/workflows/sync-cac-oscal.yml @@ -73,7 +73,7 @@ jobs: # Step 6: Get changed files and detect updates - name: Get changed files if: ${{ env.SKIP == 'false' }} - uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # v47.0.2 + uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5 id: changed-files with: path: "cac-content" diff --git a/.gitignore b/.gitignore index cafff35ee5ea..14087bb896ca 100644 
--- a/.gitignore +++ b/.gitignore @@ -82,3 +82,9 @@ coverage.xml # Trestle specfic shared/references/oscal/.trestle/cache + +# Ignore user-specific CLAUDE preferences +CLAUDE.local.md + +# Ignore BAS CMakeFiles +products/bascontrol22d4/CMakeFiles/ diff --git a/.packit.yaml b/.packit.yaml index 8d456d18d276..9b9987caac16 100644 --- a/.packit.yaml +++ b/.packit.yaml 
@@ -23,138 +23,32 @@ jobs: trigger: commit branch: "gh-readonly-queue/.*" -- &test-static-checks +- &contest-oscap job: tests trigger: pull_request - fmf_path: tests/tmt - identifier: /static-checks - tmt_plan: /plans/contest/static-checks$ + fmf_url: https://github.com/RHSecurityCompliance/contest.git + fmf_ref: main + tmt_plan: /plans/upstream-parallel/oscap + identifier: contest-oscap targets: centos-stream-8: {} centos-stream-9: {} centos-stream-10: {} + tf_extra_params: + settings: + pipeline: + parallel-limit: 32 -# when modifying this, modify also tests/tmt-plans/ - -- <<: *test-static-checks - identifier: /rpmbuild-ctest-fedora - tmt_plan: /plans/contest/rpmbuild-ctest-fedora$ - targets: - fedora-all: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/anssi_bp28_high - tmt_plan: /plans/contest/hardening/host-os/ansible/anssi_bp28_high$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/bsi - tmt_plan: /plans/contest/hardening/host-os/ansible/bsi$ - targets: - centos-stream-9: {} - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ccn_advanced - tmt_plan: /plans/contest/hardening/host-os/ansible/ccn_advanced$ - targets: - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis - tmt_plan: /plans/contest/hardening/host-os/ansible/cis$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis_server_l1 - tmt_plan: /plans/contest/hardening/host-os/ansible/cis_server_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis_workstation_l1 - tmt_plan: /plans/contest/hardening/host-os/ansible/cis_workstation_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cis_workstation_l2 - tmt_plan: /plans/contest/hardening/host-os/ansible/cis_workstation_l2$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/cui - tmt_plan: /plans/contest/hardening/host-os/ansible/cui$ - targets: - 
centos-stream-8: {} - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/e8 - tmt_plan: /plans/contest/hardening/host-os/ansible/e8$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/hipaa - tmt_plan: /plans/contest/hardening/host-os/ansible/hipaa$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ism_o - tmt_plan: /plans/contest/hardening/host-os/ansible/ism_o$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ism_o_top_secret - tmt_plan: /plans/contest/hardening/host-os/ansible/ism_o_top_secret$ - targets: - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/ospp - tmt_plan: /plans/contest/hardening/host-os/ansible/ospp$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/pci-dss - tmt_plan: /plans/contest/hardening/host-os/ansible/pci-dss$ -- <<: *test-static-checks - identifier: /hardening/host-os/ansible/stig - tmt_plan: /plans/contest/hardening/host-os/ansible/stig$ +- <<: *contest-oscap + tmt_plan: /plans/upstream-parallel/ansible + identifier: contest-ansible -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/anssi_bp28_high - tmt_plan: /plans/contest/hardening/host-os/oscap/anssi_bp28_high$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/bsi - tmt_plan: /plans/contest/hardening/host-os/oscap/bsi$ - targets: - centos-stream-9: {} - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ccn_advanced - tmt_plan: /plans/contest/hardening/host-os/oscap/ccn_advanced$ - targets: - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis - tmt_plan: /plans/contest/hardening/host-os/oscap/cis$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis_server_l1 - tmt_plan: /plans/contest/hardening/host-os/oscap/cis_server_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis_workstation_l1 - 
tmt_plan: /plans/contest/hardening/host-os/oscap/cis_workstation_l1$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cis_workstation_l2 - tmt_plan: /plans/contest/hardening/host-os/oscap/cis_workstation_l2$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/cui - tmt_plan: /plans/contest/hardening/host-os/oscap/cui$ - targets: - centos-stream-8: {} - centos-stream-9: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/e8 - tmt_plan: /plans/contest/hardening/host-os/oscap/e8$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/hipaa - tmt_plan: /plans/contest/hardening/host-os/oscap/hipaa$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ism_o - tmt_plan: /plans/contest/hardening/host-os/oscap/ism_o$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ism_o_top_secret - tmt_plan: /plans/contest/hardening/host-os/oscap/ism_o_top_secret$ - targets: - centos-stream-10: {} -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/ospp - tmt_plan: /plans/contest/hardening/host-os/oscap/ospp$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/pci-dss - tmt_plan: /plans/contest/hardening/host-os/oscap/pci-dss$ -- <<: *test-static-checks - identifier: /hardening/host-os/oscap/stig - tmt_plan: /plans/contest/hardening/host-os/oscap/stig$ +# when modifying anything below, modify also tests/tmt/ -- <<: *test-static-checks +- job: tests + trigger: pull_request + fmf_path: tests/tmt + tmt_plan: /fedora-cis/plan$ identifier: fedora-cis - tmt_plan: /plans/fedora-cis$ targets: fedora-all: {} diff --git a/CMakeLists.txt b/CMakeLists.txt index 48b206911bb3..4f66e2c03277 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -33,7 +33,7 @@ include(SSGCommon) # Define Version values set(SSG_MAJOR_VERSION 0) set(SSG_MINOR_VERSION 1) -set(SSG_PATCH_VERSION 80) +set(SSG_PATCH_VERSION 81) set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}") set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.") @@ -89,6 +89,7 @@ option(SSG_PRODUCT_ALINUX3 "If enabled, the Alibaba Cloud Linux 3 SCAP content w option(SSG_PRODUCT_ALMALINUX9 "If enabled, the AlmaLinux OS 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_ANOLIS23 "If enabled, the Anolis OS 23 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_BASCONTROL22D4 "If enabled, the Contemporary Controls BAScontrol22D 4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN12 "If enabled, the Debian 12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_DEBIAN13 "If enabled, the Debian 13 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) @@ -326,6 +327,7 @@ message(STATUS "Alibaba Cloud Linux 3: ${SSG_PRODUCT_ALINUX3}") message(STATUS "AlmaLinux OS 9: ${SSG_PRODUCT_ALMALINUX9}") message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}") message(STATUS "Anolis OS 23: ${SSG_PRODUCT_ANOLIS23}") +message(STATUS "Contemporary Controls BAScontrol22D 4: ${SSG_PRODUCT_BASCONTROL22D4}") message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}") message(STATUS "Debian 12: ${SSG_PRODUCT_DEBIAN12}") message(STATUS "Debian 13: ${SSG_PRODUCT_DEBIAN13}") 
@@ -347,9 +349,9 @@ message(STATUS "RHEL 8: ${SSG_PRODUCT_RHEL8}") message(STATUS "RHEL 9: ${SSG_PRODUCT_RHEL9}") message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}") message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}") -message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}") -message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}") -message(STATUS "SUSE 16: ${SSG_PRODUCT_SLE16}") +message(STATUS "SLES 12: ${SSG_PRODUCT_SLE12}") +message(STATUS "SLES 15: ${SSG_PRODUCT_SLE15}") +message(STATUS "SLES 16: ${SSG_PRODUCT_SLE16}") message(STATUS "SLE Micro 5: ${SSG_PRODUCT_SLMICRO5}") message(STATUS "SLE Micro 6: ${SSG_PRODUCT_SLMICRO6}") message(STATUS "TencentOS Server 4: ${SSG_PRODUCT_TENCENTOS4}") @@ -397,6 +399,9 @@ endif() if(SSG_PRODUCT_ANOLIS23) add_subdirectory("products/anolis23" "anolis23") endif() +#if(SSG_PRODUCT_BASCONTROL22D4) +# add_subdirectory("products/bascontrol22d4" "bascontrol22d4") +#endif() if(SSG_PRODUCT_DEBIAN11) add_subdirectory("products/debian11" "debian11") endif() diff --git a/Contributors.md b/Contributors.md index 55250d73f1a4..101b83176b2f 100644 --- a/Contributors.md +++ b/Contributors.md @@ -1,5 +1,5 @@ <!---This file is generated using the contributors.py script. DO NOT MANUALLY EDIT!!!! -Last Modified: 2025-11-20 08:44 UTC +Last Modified: 2026-02-16 16:01 UTC ---> The following people have contributed to the SCAP Security Guide project @@ -73,6 +73,7 @@ The following people have contributed to the SCAP Security Guide project * cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com> * Maura Dailey <maura@eclipse.ncsc.mil> * Benjamin Deering <ben_deering@jeepingben.net> +* Shane Dell <shanedell100@gmail.com> * Klaas Demter <demter@atix.de> * denknorr <dennis.knorr@suse.com> * dhanushkar-wso2 <dhanushkar@wso2.com> 
@@ -82,6 +83,7 @@ The following people have contributed to the SCAP Security Guide project * Marco De Donno <mdedonno1337@gmail.com> * dperrone <dperrone@redhat.com> * drax <applezip@gmail.com> +* Qingmin Duanmu <qduanmu@redhat.com> * Sebastian Dunne <sdunne@redhat.com> * François Duthilleul <francoisduthilleul@gmail.com> * Greg Elin <gregelin@gitmachines.com> @@ -91,6 +93,8 @@ The following people have contributed to the SCAP Security Guide project * Evelyn <evansvevelyn@gmail.com> * Alexis Facques <alexis.facques@mythalesgroup.io> * Jan Fader <jan.fader@web.de> +* felixmarch <felixmarch@users.noreply.github.com> +* Asser Schrøder Femø <asser@asser.org> * Henry Finucane <hfinucane@zscaler.com> * Leah Fisher <lfisher047@gmail.com> * Marco Fortina <marco_fortina@hotmail.it> @@ -135,6 +139,7 @@ The following people have contributed to the SCAP Security Guide project * Simon John <sjohn@tuxcare.com> * Hunter Jones <hjones2199@gmail.com> * Jono <jono@ubuntu-18.localdomain> +* julius.ish <julius.ish@zetier.com> * justchris1 <justchris1@justchris1.email> * Kacper <kacper@kacper.se> * Kai Kang <kai.kang@windriver.com> @@ -303,6 +308,7 @@ The following people have contributed to the SCAP Security Guide project * Nico Truzzolino <nico.truzzolino@gmx.de> * Brian Turek <brian.turek@gmail.com> * Matěj Týč <matyc@redhat.com> +* Jörgen Uhr <jorgen.uhr@sitevision.se> * VadimDor <29509093+VadimDor@users.noreply.github.com> * Trevor Vaughan <tvaughan@onyxpoint.com> * vtrubovics <82443408+vtrubovics@users.noreply.github.com> diff --git a/Contributors.xml b/Contributors.xml index edbff6a8b209..4ddf06841137 100644 --- a/Contributors.xml +++ b/Contributors.xml @@ -1,5 +1,5 @@ <!--This file is generated using the contributors.py script. DO NOT MANUALLY EDIT!!!! -Last Modified: 2025-11-20 08:44 UTC +Last Modified: 2026-02-16 16:01 UTC --> <text> 
@@ -71,6 +71,7 @@ Last Modified: 2025-11-20 08:44 UTC <contributor>cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com></contributor> <contributor>Maura Dailey <maura@eclipse.ncsc.mil></contributor> <contributor>Benjamin Deering <ben_deering@jeepingben.net></contributor> +<contributor>Shane Dell <shanedell100@gmail.com></contributor> <contributor>Klaas Demter <demter@atix.de></contributor> <contributor>denknorr <dennis.knorr@suse.com></contributor> <contributor>dhanushkar-wso2 <dhanushkar@wso2.com></contributor> @@ -80,6 +81,7 @@ Last Modified: 2025-11-20 08:44 UTC <contributor>Marco De Donno <mdedonno1337@gmail.com></contributor> <contributor>dperrone <dperrone@redhat.com></contributor> <contributor>drax <applezip@gmail.com></contributor> +<contributor>Qingmin Duanmu <qduanmu@redhat.com></contributor> <contributor>Sebastian Dunne <sdunne@redhat.com></contributor> <contributor>François Duthilleul <francoisduthilleul@gmail.com></contributor> <contributor>Greg Elin <gregelin@gitmachines.com></contributor> @@ -89,6 +91,8 @@ Last Modified: 2025-11-20 08:44 UTC <contributor>Evelyn <evansvevelyn@gmail.com></contributor> <contributor>Alexis Facques <alexis.facques@mythalesgroup.io></contributor> <contributor>Jan Fader <jan.fader@web.de></contributor> +<contributor>felixmarch <felixmarch@users.noreply.github.com></contributor> +<contributor>Asser Schrøder Femø <asser@asser.org></contributor> <contributor>Henry Finucane <hfinucane@zscaler.com></contributor> <contributor>Leah Fisher <lfisher047@gmail.com></contributor> <contributor>Marco Fortina <marco_fortina@hotmail.it></contributor> 
@@ -133,6 +137,7 @@ Last Modified: 2025-11-20 08:44 UTC <contributor>Simon John <sjohn@tuxcare.com></contributor> <contributor>Hunter Jones <hjones2199@gmail.com></contributor> <contributor>Jono <jono@ubuntu-18.localdomain></contributor> +<contributor>julius.ish <julius.ish@zetier.com></contributor> <contributor>justchris1 <justchris1@justchris1.email></contributor> <contributor>Kacper <kacper@kacper.se></contributor> <contributor>Kai Kang <kai.kang@windriver.com></contributor> @@ -301,6 +306,7 @@ Last Modified: 2025-11-20 08:44 UTC <contributor>Nico Truzzolino <nico.truzzolino@gmx.de></contributor> <contributor>Brian Turek <brian.turek@gmail.com></contributor> <contributor>Matěj Týč <matyc@redhat.com></contributor> +<contributor>Jörgen Uhr <jorgen.uhr@sitevision.se></contributor> <contributor>VadimDor <29509093+VadimDor@users.noreply.github.com></contributor> <contributor>Trevor Vaughan <tvaughan@onyxpoint.com></contributor> <contributor>vtrubovics <82443408+vtrubovics@users.noreply.github.com></contributor> diff --git a/Dockerfiles/test_suite-ubuntu2204 b/Dockerfiles/test_suite-ubuntu2204 index 1aab55c4e4fa..bd312a61a3c3 100644 --- a/Dockerfiles/test_suite-ubuntu2204 +++ b/Dockerfiles/test_suite-ubuntu2204 @@ -26,11 +26,9 @@ RUN true \ RUN true \ && ssh-keygen -A \ && mkdir -p /root/.ssh \ + && mkdir /run/sshd && chmod 0755 /run/sshd \ && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ && chmod og-rw /root/.ssh "$AUTH_KEYS" \ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ && echo CPE_NAME="cpe:/o:canonical:ubuntu_linux:22.04" >> /etc/os-release \ && true - -RUN mkdir /run/sshd -CMD ["/usr/sbin/sshd", "-D"] diff --git a/Dockerfiles/test_suite-ubuntu2404 b/Dockerfiles/test_suite-ubuntu2404 index 8b922eaa1828..8186af8740ca 100644 --- a/Dockerfiles/test_suite-ubuntu2404 +++ b/Dockerfiles/test_suite-ubuntu2404 
@@ -19,10 +19,9 @@ RUN true \ RUN true \ && ssh-keygen -A \ && mkdir -p /root/.ssh \ + && mkdir /run/sshd && chmod 0755 /run/sshd \ && printf "%s\n" "$CLIENT_PUBLIC_KEY" >> "$AUTH_KEYS" \ && chmod og-rw /root/.ssh "$AUTH_KEYS" \ && sed -i '/session\s\+required\s\+pam_loginuid.so/d' /etc/pam.d/sshd \ - && echo CPE_NAME="cpe:/o:canonical:ubuntu_linux:24.04" >> /etc/os-release - -RUN mkdir /run/sshd -CMD ["/usr/sbin/sshd", "-D"] + && echo CPE_NAME="cpe:/o:canonical:ubuntu_linux:24.04" >> /etc/os-release \ +&& true diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml index e30efa56270b..d01c98935abb 100644 --- a/applications/openshift/networking/configure_network_policies/rule.yml +++ b/applications/openshift/networking/configure_network_policies/rule.yml @@ -50,6 +50,5 @@ template: yamlpath: "[:]" check_existence: "any_exist" entity_check: "all" - values: - - value: "OpenShiftSDN|OVN|Calico" - operation: "pattern match" + regex_data: "true" + xccdf_variable: var_configure_network_policies_regex diff --git a/applications/openshift/networking/var_configure_network_policies_regex.var b/applications/openshift/networking/var_configure_network_policies_regex.var new file mode 100644 index 000000000000..d899bd0c4527 --- /dev/null +++ b/applications/openshift/networking/var_configure_network_policies_regex.var @@ -0,0 +1,20 @@ +documentation_complete: true + +title: 'Network Provider which provide Support for Network Policies' + +description: |- + Regular expression explicitly describing + which CNI plugins provide the cluster with the + network policies feature/capability + You can chose to either allow multiple providers + by adding them like "Provider1|Provider2" or only + allow one, by overwriting the value + +type: string + +operator: equals + +interactive: true + +options: + default: "OpenShiftSDN|OVN|Calico|Cilium" 
diff --git a/build-scripts/collect_remediations.py b/build-scripts/collect_remediations.py index ecf3e867f00d..93eeb7b24f38 100755 --- a/build-scripts/collect_remediations.py +++ b/build-scripts/collect_remediations.py @@ -118,7 +118,7 @@ def collect_remediations( msg = ( "Failed to dispatch {lang} remediation for {rule_id}: {error}" .format(lang=lang, rule_id=rule.id_, error=str(exc))) - raise RuntimeError(msg) + raise RuntimeError(msg) from exc def main(): diff --git a/build/.gitkeep b/build/.gitkeep deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/build_product b/build_product index 76e3d3a69854..003e9a356d7f 100755 --- a/build_product +++ b/build_product @@ -333,6 +333,7 @@ all_cmake_products=( ALMALINUX9 ANOLIS23 ANOLIS8 + BASCONTROL22D4 DEBIAN11 DEBIAN12 DEBIAN13 diff --git a/components/audit.yml b/components/audit.yml index bd1807988a47..018ead72842e 100644 --- a/components/audit.yml +++ b/components/audit.yml @@ -131,6 +131,7 @@ rules: - audit_rules_mac_modification_etc_apparmor_d - audit_rules_mac_modification_etc_selinux - audit_rules_mac_modification_usr_share +- audit_rules_mac_modification_var_lib_selinux - audit_rules_media_export - audit_rules_networkconfig_modification - audit_rules_networkconfig_modification_etc_hosts diff --git a/components/nfs-common.yml b/components/nfs-common.yml new file mode 100644 index 000000000000..31b0f2666976 --- /dev/null +++ b/components/nfs-common.yml @@ -0,0 +1,5 @@ +name: nfs-common +packages: +- nfs-common +rules: +- package_nfs-common_removed diff --git a/components/operating-system.yml b/components/operating-system.yml index 45d050bf1724..d8a27adbd67f 100644 --- a/components/operating-system.yml +++ b/components/operating-system.yml 
@@ -6,6 +6,7 @@ rules: - accounts_user_home_paths_only - accounts_user_interactive_home_directory_defined - accounts_user_interactive_home_directory_exists +- accounts_user_interactive_home_directory_on_separate_partition - bios_assign_password - bios_disable_usb_boot - bios_enable_execution_restrictions diff --git a/controls/ccn_ol9.yml b/controls/ccn_ol9.yml index 9c0756c3efa1..c065f65c5eb2 100644 --- a/controls/ccn_ol9.yml +++ b/controls/ccn_ol9.yml @@ -623,10 +623,15 @@ controls: - banner_etc_motd - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_default + - login_banner_contents=cis_default - motd_banner_text=cis_default + - motd_banner_contents=cis_default - remote_login_banner_text=cis_default + - remote_login_banner_contents=cis_default - id: A.11.SEC-OL5 title: Network Acess to the System is Controlled diff --git a/controls/cis_al2023.yml b/controls/cis_al2023.yml index 666a5322499e..ffb74aa0621b 100644 --- a/controls/cis_al2023.yml +++ b/controls/cis_al2023.yml @@ -468,6 +468,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.7.2 title: Ensure local login warning banner is configured properly (Automated) @@ -477,6 +478,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.7.3 title: Ensure remote login warning banner is configured properly (Automated) @@ -486,6 +488,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.7.4 title: Ensure permissions on /etc/motd are configured (Automated) diff --git a/controls/cis_almalinux9.yml b/controls/cis_almalinux9.yml index 29fa4bd9b124..6d7189ce2877 100644 --- a/controls/cis_almalinux9.yml +++ b/controls/cis_almalinux9.yml 
@@ -691,7 +691,8 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.3 title: Ensure GDM disable-user-list option is enabled (Automated) diff --git a/controls/cis_debian12.yml b/controls/cis_debian12.yml index 8e0208f77309..6ffb09b7dda3 100644 --- a/controls/cis_debian12.yml +++ b/controls/cis_debian12.yml @@ -540,7 +540,8 @@ controls: - l1_server - l1_workstation rules: - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/cis_fedora.yml b/controls/cis_fedora.yml index 031e276bc3d5..b22ccfbd7f1c 100644 --- a/controls/cis_fedora.yml +++ b/controls/cis_fedora.yml @@ -369,9 +369,14 @@ controls: levels: - l1_server - l1_workstation - status: manual - related_rules: + status: partial + rules: - ensure_fedora_gpgkey_installed + notes: > + In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories. + But, add the rule ensure_fedora_gpgkey_installed to the profile because the requirement 1.2.1.2 + adds ensure_gpgcheck_globally_activated which requires GPG key checking. If the Fedora + GPG key wouldn't be installed, people won't be able to install any RPM package using dnf. - id: 1.2.1.2 title: Ensure gpgcheck is configured (Automated) @@ -710,7 +715,8 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) 
@@ -2957,6 +2963,7 @@ controls: rules: - audit_rules_mac_modification_etc_selinux - audit_rules_mac_modification_usr_share + - audit_rules_mac_modification_var_lib_selinux - id: 6.3.3.24 title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated) diff --git a/controls/cis_ocp_190.yml b/controls/cis_ocp_190.yml new file mode 100644 index 000000000000..67106b1b5a9e --- /dev/null +++ b/controls/cis_ocp_190.yml @@ -0,0 +1,11 @@ +--- +policy: CIS Red Hat OpenShift Container Platform 4 Benchmark +title: CIS Red Hat OpenShift Container Platform 4 Benchmark +id: cis_ocp_190 +source: https://www.cisecurity.org/benchmark/kubernetes + +levels: + - id: level_1 + - id: level_2 + inherits_from: + - level_1 diff --git a/controls/cis_ocp_190/section-1.yml b/controls/cis_ocp_190/section-1.yml new file mode 100644 index 000000000000..62fadd96bc76 --- /dev/null +++ b/controls/cis_ocp_190/section-1.yml 
@@ -0,0 +1,506 @@ +--- +controls: + - id: '1' + title: Control Plane Components + status: pending + rules: [] + controls: + - id: '1.1' + title: Master Node Configuration Files + status: automated + rules: [] + controls: + - id: 1.1.1 + title: Ensure that the API server pod specification file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_kube_apiserver + levels: + - level_1 + - id: 1.1.2 + title: Ensure that the API server pod specification file ownership is set to root:root + status: automated + rules: + - file_owner_kube_apiserver + - file_groupowner_kube_apiserver + levels: + - level_1 + - id: 1.1.3 + title: Ensure that the controller manager pod specification file permissions are set + to 600 or more restrictive + status: automated + rules: + - file_permissions_kube_controller_manager + levels: + - level_1 + - id: 1.1.4 + title: Ensure that the controller manager pod specification file ownership is set to + root:root + status: automated + rules: + - file_owner_kube_controller_manager + - file_groupowner_kube_controller_manager + levels: + - level_1 + - id: 1.1.5 + title: Ensure that the scheduler pod specification file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_scheduler + levels: + - level_1 + - id: 1.1.6 + title: Ensure that the scheduler pod specification file ownership is set to root:root + status: automated + rules: + - file_owner_kube_scheduler + - file_groupowner_kube_scheduler + levels: + - level_1 + - id: 1.1.7 + title: Ensure that the etcd pod specification file permissions are set to 600 or more + restrictive + status: automated + rules: + - file_permissions_etcd_member + levels: + - level_1 + - id: 1.1.8 + title: Ensure that the etcd pod specification file ownership is set to root:root + status: automated + rules: + - file_groupowner_etcd_member + - file_owner_etcd_member + levels: + - level_1 + - id: 1.1.9 + title: Ensure that the Container 
Network Interface file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_cni_conf + - file_permissions_multus_conf + - file_permissions_ip_allocations + - file_perms_openshift_sdn_cniserver_config + - file_permissions_ovs_pid + - file_permissions_ovs_conf_db + - file_permissions_ovs_sys_id_conf + - file_permissions_ovs_conf_db_lock + - file_permissions_ovs_vswitchd_pid + - file_permissions_ovsdb_server_pid + - file_permissions_ovn_cni_server_sock + - file_permissions_ovn_db_files + levels: + - level_1 + - id: 1.1.10 + title: Ensure that the Container Network Interface file ownership is set to root:root + status: automated + rules: + - file_owner_cni_conf + - file_groupowner_cni_conf + - file_owner_multus_conf + - file_groupowner_multus_conf + - file_owner_ip_allocations + - file_groupowner_ip_allocations + - file_owner_openshift_sdn_cniserver_config + - file_groupowner_openshift_sdn_cniserver_config + - file_owner_ovs_pid + - file_groupowner_ovs_pid + - file_owner_ovs_conf_db + - file_groupowner_ovs_conf_db_openvswitch + - file_groupowner_ovs_conf_db_hugetlbfs + - file_owner_ovs_sys_id_conf + - file_groupowner_ovs_sys_id_conf_openvswitch + - file_groupowner_ovs_sys_id_conf_hugetlbfs + - file_owner_ovs_conf_db_lock + - file_groupowner_ovs_conf_db_lock_openvswitch + - file_groupowner_ovs_conf_db_lock_hugetlbfs + - file_owner_ovs_vswitchd_pid + - file_groupowner_ovs_vswitchd_pid + - file_owner_ovsdb_server_pid + - file_groupowner_ovsdb_server_pid + - file_groupowner_ovn_cni_server_sock + - file_owner_ovn_cni_server_sock + - file_owner_ovn_db_files + - file_groupowner_ovn_db_files + levels: + - level_1 + - id: 1.1.11 + title: Ensure that the etcd data directory permissions are set to 700 or more restrictive + status: automated + rules: + - file_permissions_etcd_data_dir + - file_permissions_etcd_data_files + levels: + - level_1 + - id: 1.1.12 + title: Ensure that the etcd data directory ownership is set to root:root + 
status: automated + rules: + - file_owner_etcd_data_dir + - file_groupowner_etcd_data_dir + - file_owner_etcd_data_files + - file_groupowner_etcd_data_files + levels: + - level_1 + - id: 1.1.13 + title: Ensure that the kubeconfig file permissions are set to 600 or more restrictive + status: automated + rules: + - file_permissions_master_admin_kubeconfigs + levels: + - level_1 + - id: 1.1.14 + title: Ensure that the kubeconfig file ownership is set to root:root + status: automated + rules: + - file_owner_master_admin_kubeconfigs + - file_groupowner_master_admin_kubeconfigs + levels: + - level_1 + - id: 1.1.15 + title: Ensure that the Scheduler kubeconfig file permissions are set to 600 or more + restrictive + status: automated + rules: + - file_permissions_scheduler_kubeconfig + levels: + - level_1 + - id: 1.1.16 + title: Ensure that the Scheduler kubeconfig file ownership is set to root:root + status: automated + rules: + - file_owner_scheduler_kubeconfig + - file_groupowner_scheduler_kubeconfig + levels: + - level_1 + - id: 1.1.17 + title: Ensure that the Controller Manager kubeconfig file permissions are set to 600 + or more restrictive + status: automated + rules: + - file_permissions_controller_manager_kubeconfig + levels: + - level_1 + - id: 1.1.18 + title: Ensure that the Controller Manager kubeconfig file ownership is set to root:root + status: automated + rules: + - file_owner_controller_manager_kubeconfig + - file_groupowner_controller_manager_kubeconfig + levels: + - level_1 + - id: 1.1.19 + title: Ensure that the OpenShift PKI directory and file ownership is set to root:root + status: automated + rules: + - file_owner_openshift_pki_key_files + - file_groupowner_openshift_pki_key_files + - file_owner_openshift_pki_cert_files + - file_groupowner_openshift_pki_cert_files + - file_owner_etcd_pki_cert_files + - file_groupowner_etcd_pki_cert_files + levels: + - level_1 + - id: 1.1.20 + title: Ensure that the OpenShift PKI certificate file permissions are set 
to 600 or + more restrictive + status: automated + rules: + - file_permissions_openshift_pki_cert_files + - file_permissions_etcd_pki_cert_files + levels: + - level_1 + - id: 1.1.21 + title: Ensure that the OpenShift PKI key file permissions are set to 600 + status: automated + rules: + - file_permissions_openshift_pki_key_files + levels: + - level_1 + - id: '1.2' + title: API Server + status: pending + rules: [] + controls: + - id: 1.2.1 + title: Ensure that anonymous requests are authorized + status: automated + rules: + - api_server_anonymous_auth + levels: + - level_1 + - id: 1.2.2 + title: Use https for kubelet connections + status: automated + rules: + - api_server_https_for_kubelet_conn + - api_server_openshift_https_serving_cert + - api_server_oauth_https_serving_cert + levels: + - level_1 + - id: 1.2.3 + title: Ensure that the kubelet uses certificates to authenticate + status: automated + rules: + - api_server_kubelet_client_cert + - api_server_kubelet_client_key + levels: + - level_1 + - id: 1.2.4 + title: Verify that the kubelet certificate authority is set as appropriate + status: automated + rules: + - api_server_kubelet_certificate_authority + levels: + - level_1 + - id: 1.2.5 + title: Ensure that the --authorization-mode argument is not set to AlwaysAllow + status: automated + rules: + - api_server_auth_mode_no_aa + levels: + - level_1 + - id: 1.2.6 + title: Verify that RBAC is enabled + status: automated + rules: + - api_server_auth_mode_rbac + levels: + - level_1 + - id: 1.2.7 + title: Ensure that the APIPriorityAndFairness feature gate is enabled + status: inherently met + rules: [] + levels: + - level_1 + - id: 1.2.8 + title: Ensure that the admission control plugin AlwaysAdmit is not set + status: automated + rules: + - api_server_admission_control_plugin_alwaysadmit + levels: + - level_1 + - id: 1.2.9 + title: Ensure that the admission control plugin AlwaysPullImages is not set + status: automated + rules: + - 
api_server_admission_control_plugin_alwayspullimages + levels: + - level_1 + - id: 1.2.10 + title: Ensure that the admission control plugin ServiceAccount is set + status: automated + rules: + - api_server_admission_control_plugin_service_account + levels: + - level_1 + - id: 1.2.11 + title: Ensure that the admission control plugin NamespaceLifecycle is set + status: automated + rules: + - api_server_admission_control_plugin_namespacelifecycle + levels: + - level_1 + - id: 1.2.12 + title: Ensure that the admission control plugin SecurityContextConstraint is set + status: automated + rules: + - api_server_admission_control_plugin_scc + levels: + - level_1 + - id: 1.2.13 + title: Ensure that the admission control plugin NodeRestriction is set + status: automated + rules: + - api_server_admission_control_plugin_noderestriction + levels: + - level_1 + - id: 1.2.14 + title: Ensure that the --insecure-bind-address argument is not set + status: automated + rules: + - api_server_insecure_bind_address + levels: + - level_1 + - id: 1.2.15 + title: Ensure that the --insecure-port argument is set to 0 + status: inherently met + rules: [] + levels: + - level_1 + - id: 1.2.16 + title: Ensure that the --secure-port argument is not set to 0 + status: automated + rules: + - api_server_bind_address + levels: + - level_1 + - id: 1.2.17 + title: Ensure that the healthz endpoint is protected by RBAC + status: automated + rules: + - api_server_profiling_protected_by_rbac + levels: + - level_1 + - id: 1.2.18 + title: Ensure that the --audit-log-path argument is set + status: automated + rules: + - api_server_audit_log_path + - openshift_api_server_audit_log_path + levels: + - level_1 + - id: 1.2.19 + title: Ensure that the audit logs are forwarded off the cluster for retention + status: automated + rules: + - audit_log_forwarding_enabled + - audit_log_forwarding_webhook + levels: + - level_1 + - id: 1.2.20 + title: Ensure that the maximumRetainedFiles argument is set to 10 or as 
appropriate + status: automated + rules: + - api_server_audit_log_maxbackup + - ocp_api_server_audit_log_maxbackup + levels: + - level_1 + - id: 1.2.21 + title: Configure Kubernetes API Server Maximum Audit Log Size + status: automated + rules: + - api_server_audit_log_maxsize + - ocp_api_server_audit_log_maxsize + levels: + - level_1 + - id: 1.2.22 + title: Ensure that the --request-timeout argument is set + status: automated + rules: + - api_server_request_timeout + levels: + - level_1 + - id: 1.2.23 + title: Ensure that the --service-account-lookup argument is set to true + status: automated + rules: + - api_server_service_account_lookup + levels: + - level_1 + - id: 1.2.24 + title: Ensure that the --service-account-key-file argument is set as appropriate + status: automated + rules: + - api_server_service_account_public_key + levels: + - level_1 + - id: 1.2.25 + title: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate + status: automated + rules: + - api_server_etcd_cert + - api_server_etcd_key + levels: + - level_1 + - id: 1.2.26 + title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set + as appropriate + status: automated + rules: + - api_server_tls_cert + - api_server_tls_private_key + levels: + - level_1 + - id: 1.2.27 + title: Ensure that the --client-ca-file argument is set as appropriate + status: automated + rules: + - api_server_client_ca + levels: + - level_1 + - id: 1.2.28 + title: Ensure that the --etcd-cafile argument is set as appropriate + status: automated + rules: + - api_server_etcd_ca + levels: + - level_1 + - id: 1.2.29 + title: Ensure that encryption providers are appropriately configured + status: automated + rules: + - api_server_encryption_provider_cipher + levels: + - level_1 + - id: 1.2.30 + title: Ensure that the API Server only makes use of Strong Cryptographic Ciphers + status: automated + rules: + - api_server_tls_security_profile_not_old + - 
api_server_tls_security_profile_custom_min_tls_version + levels: + - level_1 + - id: 1.2.31 + title: Ensure unsupported configuration overrides are not used + status: pending + rules: + - api_server_no_unsupported_config_overrides + - api_server_kube_no_unsupported_config_overrides + levels: + - level_1 + - id: '1.3' + title: Controller Manager + status: pending + rules: [] + controls: + - id: 1.3.1 + title: Ensure that controller manager healthz endpoints are protected by RBAC + status: automated + rules: + - rbac_debug_role_protects_pprof + levels: + - level_1 + - id: 1.3.2 + title: Ensure that the --use-service-account-credentials argument is set to true + status: automated + rules: + - controller_use_service_account + levels: + - level_1 + - id: 1.3.3 + title: Ensure that the --service-account-private-key-file argument is set as appropriate + status: automated + rules: + - controller_service_account_private_key + levels: + - level_1 + - id: 1.3.4 + title: Ensure that the --root-ca-file argument is set as appropriate + status: automated + rules: + - controller_service_account_ca + levels: + - level_1 + - id: '1.4' + title: Scheduler + status: automated + rules: [] + controls: + - id: 1.4.1 + title: Ensure that the healthz endpoints for the scheduler are protected by RBAC + status: automated + rules: + - scheduler_profiling_protected_by_rbac + levels: + - level_1 + - id: 1.4.2 + title: Verify that the scheduler API service is protected by RBAC + status: automated + rules: + - scheduler_service_protected_by_rbac + levels: + - level_1 diff --git a/controls/cis_ocp_190/section-2.yml b/controls/cis_ocp_190/section-2.yml new file mode 100644 index 000000000000..d42cc9d46111 --- /dev/null +++ b/controls/cis_ocp_190/section-2.yml 
@@ -0,0 +1,58 @@ +--- +controls: + - id: '2' + title: etcd + status: pending + rules: [] + controls: + - id: '2.1' + title: Ensure that the --cert-file and --key-file arguments are set as appropriate + status: automated + rules: + - etcd_cert_file + - etcd_key_file + levels: + - level_1 + - id: '2.2' + title: Ensure that the --client-cert-auth argument is set to true + status: automated + rules: + - etcd_client_cert_auth + levels: + - level_1 + - id: '2.3' + title: Ensure that the --auto-tls argument is not set to true + status: automated + rules: + - etcd_auto_tls + levels: + - level_1 + - id: '2.4' + title: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate + status: automated + rules: + - etcd_peer_cert_file + - etcd_peer_key_file + levels: + - level_1 + - id: '2.5' + title: Ensure that the --peer-client-cert-auth argument is set to true + status: automated + rules: + - etcd_peer_client_cert_auth + levels: + - level_1 + - id: '2.6' + title: Ensure that the --peer-auto-tls argument is not set to true + status: automated + rules: + - etcd_peer_auto_tls + levels: + - level_1 + - id: '2.7' + title: Ensure that a unique Certificate Authority is used for etcd + status: automated + rules: + - etcd_unique_ca + levels: + - level_2 diff --git a/controls/cis_ocp_190/section-3.yml b/controls/cis_ocp_190/section-3.yml new file mode 100644 index 000000000000..3c5dbdc4c0e5 --- /dev/null +++ b/controls/cis_ocp_190/section-3.yml 
@@ -0,0 +1,39 @@ +--- +controls: + - id: '3' + title: Control Plane Configuration + status: pending + rules: [] + controls: + - id: '3.1' + title: Authentication and Authorization + status: automated + rules: [] + controls: + - id: 3.1.1 + title: Client certificate authentication should not be used for users + status: automated + rules: + - idp_is_configured + - kubeadmin_removed + levels: + - level_2 + - id: '3.2' + title: Logging + status: automated + rules: [] + controls: + - id: 3.2.1 + title: Ensure that a minimal audit policy is created + status: automated + rules: + - audit_logging_enabled + levels: + - level_1 + - id: 3.2.2 + title: Ensure that the audit policy covers key security concerns + status: automated + rules: + - audit_profile_set + levels: + - level_2 diff --git a/controls/cis_ocp_190/section-4.yml b/controls/cis_ocp_190/section-4.yml new file mode 100644 index 000000000000..4343034dbc67 --- /dev/null +++ b/controls/cis_ocp_190/section-4.yml 
@@ -0,0 +1,191 @@ +--- +controls: + - id: '4' + title: Worker Nodes + status: pending + rules: [] + controls: + - id: '4.1' + title: Worker Node Configuration Files + status: pending + rules: [] + controls: + - id: 4.1.1 + title: Ensure that the kubelet service file permissions are set to 644 or more restrictive + status: automated + rules: + - file_permissions_worker_service + levels: + - level_1 + - id: 4.1.2 + title: Ensure that the kubelet service file ownership is set to root:root + status: automated + rules: + - file_owner_worker_service + - file_groupowner_worker_service + levels: + - level_1 + - id: 4.1.3 + title: If proxy kube proxy configuration file exists ensure permissions are set to + 644 or more restrictive + status: automated + rules: + - file_permissions_proxy_kubeconfig + levels: + - level_1 + - id: 4.1.4 + title: If proxy kubeconfig file exists ensure ownership is set to root:root + status: automated + rules: + - file_owner_proxy_kubeconfig + - file_groupowner_proxy_kubeconfig + levels: + - level_1 + - id: 4.1.5 + title: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or + more restrictive + status: automated + rules: + - file_permissions_kubelet_conf + levels: + - level_1 + - id: 4.1.6 + title: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root + status: automated + rules: + - file_groupowner_kubelet_conf + - file_owner_kubelet_conf + #- file_groupowner_kubelet + - file_owner_kubelet + levels: + - level_1 + - id: 4.1.7 + title: Ensure that the certificate authorities file permissions are set to 644 or more + restrictive + status: automated + rules: + - file_permissions_worker_ca + levels: + - level_1 + - id: 4.1.8 + title: Ensure that the client certificate authorities file ownership is set to root:root + status: automated + rules: + - file_owner_worker_ca + - file_groupowner_worker_ca + levels: + - level_1 + - id: 4.1.9 + title: Ensure that the kubelet --config configuration file has 
permissions set to 600 + or more restrictive + status: automated + rules: + - file_permissions_worker_kubeconfig + levels: + - level_1 + - id: 4.1.10 + title: Ensure that the kubelet configuration file ownership is set to root:root + status: automated + rules: + - file_owner_worker_kubeconfig + - file_groupowner_worker_kubeconfig + levels: + - level_1 + - id: '4.2' + title: Kubelet + status: pending + rules: [] + controls: + - id: 4.2.1 + title: Activate Garbage collection in OpenShift Container Platform 4, as appropriate + status: automated + rules: + - kubelet_eviction_thresholds_set_hard_memory_available + - kubelet_eviction_thresholds_set_hard_nodefs_available + - kubelet_eviction_thresholds_set_hard_nodefs_inodesfree + - kubelet_eviction_thresholds_set_hard_imagefs_available + levels: + - level_1 + - id: 4.2.2 + title: Ensure that the --anonymous-auth argument is set to false + status: automated + rules: + - kubelet_anonymous_auth + levels: + - level_1 + - id: 4.2.3 + title: Ensure that the --authorization-mode argument is not set to AlwaysAllow + status: automated + rules: + - kubelet_authorization_mode + levels: + - level_1 + - id: 4.2.4 + title: Ensure that the --client-ca-file argument is set as appropriate + status: automated + rules: + - kubelet_configure_client_ca + levels: + - level_1 + - id: 4.2.5 + title: Verify that the read only port is not used or is set to 0 + status: automated + rules: + - kubelet_disable_readonly_port + levels: + - level_1 + - id: 4.2.6 + title: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 + status: automated + rules: + - kubelet_enable_streaming_connections + levels: + - level_1 + - id: 4.2.7 + title: Ensure that the --make-iptables-util-chains argument is set to true + status: automated + rules: + - kubelet_enable_iptables_util_chains + levels: + - level_1 + - id: 4.2.8 + title: Ensure that the kubeAPIQPS [--event-qps] argument is set to a level which + ensures appropriate event capture + 
status: automated + rules: + - kubelet_configure_event_creation + - var_event_record_qps=50 + levels: + - level_2 + - id: 4.2.9 + title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set + as appropriate + status: automated + rules: + - kubelet_configure_tls_cert + - kubelet_configure_tls_key + levels: + - level_1 + - id: 4.2.10 + title: Ensure that the --rotate-certificates argument is not set to false + status: automated + rules: + - kubelet_enable_client_cert_rotation + - kubelet_enable_cert_rotation + levels: + - level_1 + - id: 4.2.11 + title: Verify that the RotateKubeletServerCertificate argument is set to true + status: automated + rules: + - kubelet_enable_server_cert_rotation + levels: + - level_1 + - id: 4.2.12 + title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers + status: automated + rules: + - kubelet_configure_tls_cipher_suites + - ingress_controller_tls_cipher_suites + levels: + - level_1 diff --git a/controls/cis_ocp_190/section-5.yml b/controls/cis_ocp_190/section-5.yml new file mode 100644 index 000000000000..2e8312954f91 --- /dev/null +++ b/controls/cis_ocp_190/section-5.yml 
@@ -0,0 +1,216 @@ +--- +controls: + - id: '5' + title: Policies + status: partial + rules: [] + controls: + - id: '5.1' + title: RBAC and Service Accounts + status: manual + rules: [] + controls: + - id: 5.1.1 + title: Ensure that the cluster-admin role is only used where required + status: manual + rules: + - rbac_limit_cluster_admin + levels: + - level_1 + - id: 5.1.2 + title: Minimize access to secrets + status: manual + rules: + - rbac_limit_secrets_access + levels: + - level_1 + - id: 5.1.3 + title: Minimize wildcard use in Roles and ClusterRoles + status: manual + rules: + - rbac_wildcard_use + levels: + - level_1 + - id: 5.1.4 + title: Minimize access to create pods + status: manual + rules: + - rbac_pod_creation_access + levels: + - level_1 + - id: 5.1.5 + title: Ensure that default service accounts are not actively used. + status: manual + rules: + - accounts_unique_service_account + levels: + - level_1 + - id: 5.1.6 + title: Ensure that Service Account Tokens are only mounted where necessary + status: manual + rules: + - accounts_restrict_service_account_tokens + levels: + - level_1 + - id: '5.2' + title: Security Context Constraints + status: partial + rules: [] + controls: + - id: 5.2.1 + title: Minimize the admission of privileged containers + status: manual + rules: + - scc_limit_privileged_containers + levels: + - level_1 + - id: 5.2.2 + title: Minimize the admission of containers wishing to share the host process ID namespace + status: manual + rules: + - scc_limit_process_id_namespace + levels: + - level_1 + - id: 5.2.3 + title: Minimize the admission of containers wishing to share the host IPC namespace + status: manual + rules: + - scc_limit_ipc_namespace + levels: + - level_1 + - id: 5.2.4 + title: Minimize the admission of containers wishing to share the host network namespace + status: manual + rules: + - scc_limit_network_namespace + levels: + - level_1 + - id: 5.2.5 + title: Minimize the admission of containers with allowPrivilegeEscalation 
+ status: manual + rules: + - scc_limit_privilege_escalation + levels: + - level_1 + - id: 5.2.6 + title: Minimize the admission of root containers + status: manual + rules: + - scc_limit_root_containers + levels: + - level_2 + - id: 5.2.7 + title: Minimize the admission of containers with the NET_RAW capability + status: manual + rules: + - scc_limit_net_raw_capability + levels: + - level_1 + - id: 5.2.8 + title: Minimize the admission of containers with added capabilities + status: automated + rules: + - scc_limit_container_allowed_capabilities + levels: + - level_1 + - id: 5.2.9 + title: Minimize the admission of containers with capabilities assigned + status: manual + rules: + - scc_drop_container_capabilities + levels: + - level_2 + - id: 5.2.10 + title: Minimize access to privileged Security Context Constraints + status: manual + rules: + - rbac_least_privilege + levels: + - level_2 + - id: '5.3' + title: Network Policies and CNI + status: partial + rules: [] + controls: + - id: 5.3.1 + title: Ensure that the CNI in use supports Network Policies + status: automated + rules: + - configure_network_policies + levels: + - level_1 + - id: 5.3.2 + title: Ensure that all Namespaces have Network Policies defined + status: partial + rules: + - configure_network_policies_namespaces + - configure_network_policies_hypershift_hosted + levels: + - level_2 + - id: '5.4' + title: Secrets Management + status: manual + rules: [] + controls: + - id: 5.4.1 + title: Prefer using secrets as files over secrets as environment variables + status: manual + rules: + - secrets_no_environment_variables + levels: + - level_1 + - id: 5.4.2 + title: Consider external secret storage + status: manual + rules: + - secrets_consider_external_storage + levels: + - level_2 + - id: '5.5' + title: Extensible Admission Control + status: automated + rules: [] + controls: + - id: 5.5.1 + title: Configure Image Provenance using image controller configuration parameters + status: automated + rules: + - 
ocp_allowed_registries + - ocp_allowed_registries_for_import + - ocp_insecure_registries + - ocp_insecure_allowed_registries_for_import + levels: + - level_2 + - id: '5.7' + title: General Policies + status: manual + rules: [] + controls: + - id: 5.7.1 + title: Create administrative boundaries between resources using namespaces + status: manual + rules: + - general_namespaces_in_use + levels: + - level_1 + - id: 5.7.2 + title: Ensure that the seccomp profile is set to docker/default in your pod definitions + status: manual + rules: + - general_default_seccomp_profile + levels: + - level_2 + - id: 5.7.3 + title: Apply Security Context to Your Pods and Containers + status: manual + rules: + - general_apply_scc + levels: + - level_2 + - id: 5.7.4 + title: The default namespace should not be used + status: manual + rules: + - general_default_namespace_use + levels: + - level_2 diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml index d842d6e6c3c6..3e4d682ce3e6 100644 --- a/controls/cis_sle12.yml +++ b/controls/cis_sle12.yml @@ -457,6 +457,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) @@ -467,6 +468,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.1.3 title: Ensure remote login warning banner is configured properly (Automated) @@ -477,6 +479,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.8.1.4 title: Ensure permissions on /etc/motd are configured (Automated) 
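Review bot: section-5.yml goes straight from control '5.5' to '5.7' with no '5.6' entry. If the 1.9.0 benchmark has no 5.6, add a comment saying so at that point so the gap is not read as a missed control; if it does, the control is missing and needs at least a `status: manual` placeholder like the other manual entries in this file.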
@@ -535,7 +538,8 @@ controls: - dconf_gnome_disable_user_list - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: 2.1.1 title: Ensure xinetd is not installed (Automated) diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml index 97c61f63374e..bf92b28d52f3 100644 --- a/controls/cis_sle15.yml +++ b/controls/cis_sle15.yml @@ -455,6 +455,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.8.1.2 title: Ensure local login warning banner is configured properly (Automated) @@ -465,6 +466,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.8.1.3 title: Ensure remote login warning banner is configured properly (Automated) @@ -475,6 +477,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.8.1.4 title: Ensure permissions on /etc/motd are configured (Automated) @@ -532,7 +535,8 @@ controls: - enable_dconf_user_profile - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: 2.1.1 title: Ensure xinetd is not installed (Automated) diff --git a/controls/cis_ubuntu2204.yml b/controls/cis_ubuntu2204.yml index 84f3287f32ee..997016fd1e97 100644 --- a/controls/cis_ubuntu2204.yml +++ b/controls/cis_ubuntu2204.yml @@ -528,7 +528,8 @@ controls: - l1_server - l1_workstation rules: - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 58c756c81c9d..d4e1dfde39c3 100644 
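Review bot: in every banner hunk here (cis_sle12 1.8.1.1 through 1.8.1.3 and the dconf block, repeated for cis_sle15 and cis_ubuntu2204) the `*_banner_text` selection stays at `cis_banners` while the newly added `*_banner_contents` selection is `cis_default`. If the `_contents` variable is derived from `_text`, the pair should name the same option; if they are independent variables, the commit message should say which one the checks and remediations for banner_etc_motd, banner_etc_issue, banner_etc_issue_net and dconf_gnome_login_banner_text now consume, otherwise one of the two selections is dead weight in every profile touched.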
--- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -561,7 +561,8 @@ controls: - l1_server - l1_workstation rules: - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text status: automated diff --git a/controls/general_sle15.yml b/controls/general_sle15.yml index 73dca83f3e70..f637cbbd87d4 100644 --- a/controls/general_sle15.yml +++ b/controls/general_sle15.yml @@ -470,6 +470,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: SLES-15-151050030 title: Modify the System Login Banner @@ -479,6 +480,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: SLES-15-151050045 title: Modify the System Login Banner for Remote Connections @@ -488,6 +490,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: SLES-15-151050060 title: Configure access to the Message of the Day Banner @@ -535,7 +538,8 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_default + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default - id: SLES-15-151200135 title: Disable the GDM Login User List diff --git a/controls/general_slmicro5.yml b/controls/general_slmicro5.yml index 8a83a0b428fb..ac887def5ee4 100644 --- a/controls/general_slmicro5.yml +++ b/controls/general_slmicro5.yml @@ -269,6 +269,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: SLEM-5-SET-08010200 title: Modify the System Login Banner @@ -278,6 +279,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: SLEM-5-SET-08010300 title: Modify the System Login Banner for Remote Connections 
@@ -287,6 +289,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: SLEM-5-SET-08010400 title: Verify Ownership and Permissions of/on Message of the Day Banner @@ -1021,6 +1024,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default - sshd_enable_warning_banner status: automated diff --git a/controls/nist_rhcos4.yml b/controls/nist_rhcos4.yml index 02690cb34dc1..6bee855d39fa 100644 --- a/controls/nist_rhcos4.yml +++ b/controls/nist_rhcos4.yml @@ -1228,6 +1228,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default description: "The information system:\n a. Displays to users [Assignment: organization-defined\ \ system use notification message or banner] before granting access to the system that provides\ \ privacy and security notices consistent with applicable federal laws, Executive Orders, directives,\ diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml index 5be978311df7..c44f13af6f94 100644 --- a/controls/srg_gpos.yml +++ b/controls/srg_gpos.yml @@ -26,5 +26,6 @@ controls: - var_accounts_authorized_local_users_regex=rhel9 - var_account_disable_post_pw_expiration=35 - login_banner_text=dod_banners + - login_banner_contents=dod_default - var_authselect_profile=sssd - var_auditd_name_format=stig diff --git a/controls/std_kylinserver10.yml b/controls/std_kylinserver10.yml index 8e101a908189..785c64550d9e 100644 --- a/controls/std_kylinserver10.yml +++ b/controls/std_kylinserver10.yml @@ -119,6 +119,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.14 title: ensure-message-of-the-day-is-configured-properly 
@@ -127,7 +128,8 @@ controls: status: automated rules: - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.15 title: Ensure sshd PermitRootLogin is disabled (Automated) diff --git a/controls/std_tencentos4.yml b/controls/std_tencentos4.yml index 06aa7e4656de..b08775cbce91 100644 --- a/controls/std_tencentos4.yml +++ b/controls/std_tencentos4.yml @@ -114,6 +114,7 @@ controls: rules: - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - id: 1.4.2 title: Ensure local login warning banner is configured properly @@ -123,6 +124,7 @@ controls: rules: - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - id: 1.4.3 title: Ensure remote login warning banner is configured properly @@ -132,6 +134,7 @@ controls: rules: - banner_etc_issue_net - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: 1.4.4 title: Ensure permissions on /etc/motd are configured diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml index bc1370b1b5a4..1e0f2d1511f8 100644 --- a/controls/stig_ol9.yml +++ b/controls/stig_ol9.yml @@ -53,6 +53,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_default + - login_banner_contents=dod_default status: automated - id: OL09-00-000020 @@ -621,14 +622,6 @@ controls: - mount_option_home_noexec status: automated - - id: OL09-00-002010 - levels: - - medium - title: OL 9 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. - rules: - - mount_option_krb_sec_remote_filesystems - status: automated - - id: OL09-00-002011 levels: - medium @@ -1262,7 +1255,7 @@ controls: - medium title: OL 9 world-writable directories must be owned by root, sys, bin, or an application user. rules: - - dir_perms_world_writable_root_owned + - dir_perms_world_writable_system_owned status: automated - id: OL09-00-002510 
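Review bot: the std_kylinserver10 1.14 hunk is a genuine fix, not just a rename: `banner_etc_motd` was paired with `login_banner_text=cis_banners`, so the MOTD rule's own variable was never selected and fell back to its default. Since the 1.13 entry directly above shows how easy the two names are to confuse, grep the remaining control files for the same `banner_etc_motd` plus `login_banner_text` pairing before merging.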
@@ -1980,7 +1973,8 @@ controls: or remote access to the system via a graphical user logon. rules: - dconf_gnome_login_banner_text - - login_banner_text=dod_default + - dconf_login_banner_text=dod_default + - dconf_login_banner_contents=dod_default - id: OL09-00-002122 levels: @@ -2063,9 +2057,10 @@ controls: - id: OL09-00-002104 levels: - medium - title: OL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. + title: OL 9 must automatically lock graphical user sessions after 10 minutes of inactivity. rules: - dconf_gnome_screensaver_idle_delay + - inactivity_timeout_value=10_minutes status: automated - id: OL09-00-002124 @@ -2410,14 +2405,6 @@ controls: - sysctl_kernel_exec_shield status: automated - - id: OL09-00-002427 - levels: - - medium - title: Local OL 9 initialization files must not execute world-writable programs. - rules: - - accounts_user_dot_no_world_writable_programs - status: automated - - id: OL09-00-002411 levels: - medium @@ -3837,16 +3824,6 @@ controls: - fips_crypto_policy_symlinks status: automated - - id: OL09-00-002424 - levels: - - medium - title: OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive - orders, directives, policies, regulations, standards, and guidance for authentication to a - cryptographic module. - rules: - - configure_kerberos_crypto_policy - status: automated - - id: OL09-00-000241 levels: - medium diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index d39b265fff84..7a5790f3310b 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -3,7 +3,7 @@ policy: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation G title: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide id: stig_slmicro5 source: https://www.cyber.mil/stigs/downloads/ -version: V1R2 +version: V1R3 reference_type: stigid product: slmicro5 
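Review bot: the stig_ol9.yml hunks drop OL09-00-002010, OL09-00-002427 and OL09-00-002424, retitle OL09-00-002104 from 15 to 10 minutes (with `inactivity_timeout_value=10_minutes`), and rename `dir_perms_world_writable_root_owned` to `dir_perms_world_writable_system_owned`, yet nothing in this file bumps the policy `version:` the way stig_slmicro5.yml (V1R2 to V1R3) and stig_ubuntu2204.yml (V2R3 to V2R7) do. If these follow a new OL 9 STIG release, update the version field and name the release in the commit message; if they do not, each removed control needs a justification, because deleting it silently drops the check from the generated profile.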
@@ -36,6 +36,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: SLEM-05-211025 @@ -855,14 +856,6 @@ controls: - account_unique_id status: automated - - id: SLEM-05-412010 - levels: - - medium - title: SLEM 5 must display the date and time of the last successful account logon upon logon. - rules: - - display_login_attempts - status: automated - - id: SLEM-05-412015 levels: - medium diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index db8a53a9bcca..094121dd0981 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml @@ -2,7 +2,7 @@ policy: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) title: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) id: stig_ubuntu2204 -version: V2R3 +version: V2R7 source: https://www.cyber.mil/stigs/downloads/ levels: @@ -14,6 +14,14 @@ reference_type: stigid product: ubuntu2204 controls: + - id: UBTU-22-211000 + title: Ubuntu 22.04 LTS must be a vendor-supported release. + levels: + - high + rules: + - installed_OS_is_vendor_supported + status: automated + - id: UBTU-22-211015 title: Ubuntu 22.04 LTS must disable the x86 Ctrl-Alt-Delete key sequence. levels: @@ -143,6 +151,15 @@ controls: - package_telnetd_removed status: automated + - id: UBTU-22-215040 + title: Ubuntu 22.04 LTS must not have the "nfs-kernel-server" package installed. + levels: + - medium + rules: + - package_nfs-common_removed + - package_nfs-kernel-server_removed + status: automated + - id: UBTU-22-231010 title: Ubuntu 22.04 LTS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest. 
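Review bot: new control UBTU-22-215040 is titled for `nfs-kernel-server` only, but its rules also select `package_nfs-common_removed`. nfs-common is the NFS client package, so this fails (and on remediation uninstalls) on any host that mounts NFS shares without serving them. Unless the STIG check text itself names nfs-common, keep only `package_nfs-kernel-server_removed`.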
@@ -474,6 +491,42 @@ controls: - sysctl_net_ipv4_tcp_syncookies status: automated + - id: UBTU-22-254010 + title: Ubuntu 22.04 LTS must have the "SSSD" package installed. + levels: + - medium + rules: + - package_nss_sss_installed + - package_pam_sss_installed + - package_sssd_installed + status: automated + + - id: UBTU-22-254015 + title: Ubuntu 22.04 LTS must use the "SSSD" package for multifactor authentication services. + levels: + - medium + rules: + - service_sssd_enabled + status: automated + + - id: UBTU-22-254020 + title: Ubuntu 22.04 LTS must ensure SSSD performs certificate path validation, including revocation checking, against a trusted anchor for PKI-based authentication. + levels: + - medium + rules: + - sssd_enable_pam_services + - sssd_enable_smartcards + - sssd_certification_path_trust_anchor + status: automated + + - id: UBTU-22-254030 + title: Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication. + levels: + - medium + rules: + - sssd_enable_user_cert + status: automated + - id: UBTU-22-255010 title: Ubuntu 22.04 LTS must have SSH installed. levels: @@ -498,6 +551,7 @@ controls: - medium rules: - remote_login_banner_text=dod_banners + - remote_login_banner_contents=dod_default - sshd_enable_warning_banner_net - banner_etc_issue_net status: automated @@ -600,7 +654,8 @@ controls: levels: - medium rules: - - login_banner_text=dod_banners + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated @@ -790,7 +845,15 @@ controls: levels: - medium rules: - - sudo_require_authentication + - sudo_remove_no_authenticate + status: automated + + - id: UBTU-22-432011 + title: Ubuntu 22.04 LTS must require users to provide a password for privilege escalation. + levels: + - medium + rules: + - sudo_remove_nopasswd status: automated - id: UBTU-22-432015 
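Review bot: UBTU-22-254015 ("must use the SSSD package for multifactor authentication services") is marked `status: automated` with `service_sssd_enabled` as its only rule. An enabled sssd service says nothing about whether PAM authentication actually goes through it; the PAM and smart-card side is covered separately by `sssd_enable_pam_services` and `sssd_enable_smartcards` under 254020. Either select those here as well or mark this control `partial`, otherwise a host running sssd for nothing but LDAP lookups passes it.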
@@ -886,7 +949,9 @@ controls: levels: - medium rules: - - set_password_hashing_algorithm_systemauth + - var_password_pam_unix_rounds=100000 + - set_password_hashing_algorithm_auth_stig + - accounts_password_pam_unix_rounds_password_auth status: automated - id: UBTU-22-611060 @@ -1260,6 +1325,15 @@ controls: - audit_rules_privileged_commands_crontab status: automated + - id: UBTU-22-654041 + title: Ubuntu 22.04 LTS must audit any script or executable called by cron as root or by any privileged user. + levels: + - medium + rules: + - audit_rules_etc_cron_d + - audit_rules_var_spool_cron + status: automated + - id: UBTU-22-654045 title: Ubuntu 22.04 LTS must generate audit records for successful/unsuccessful attempts to use the fdisk command. @@ -1600,6 +1674,14 @@ controls: - audit_rules_sudoers status: automated + - id: UBTU-22-654224 + title: The operating system must restrict privilege elevation to authorized personnel. + levels: + - medium + rules: + - sudo_restrict_privilege_elevation_to_authorized + status: automated + - id: UBTU-22-654225 title: Ubuntu 22.04 LTS must generate audit records when successful/unsuccessful attempts to modify the /etc/sudoers.d directory occur. diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index cb85dc34866e..8165b529b844 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -363,6 +363,15 @@ controls: - account_disable_post_pw_expiration status: automated + - id: UBTU-24-200270 + title: Ubuntu 24.04 LTS must audit any script or executable called by cron as root or by any privileged user. + levels: + - medium + rules: + - audit_rules_etc_cron_d + - audit_rules_var_spool_cron + status: automated + - id: UBTU-24-200280 title: Ubuntu 24.04 LTS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. 
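Review bot: the hashing hunk just before UBTU-22-611060 replaces `set_password_hashing_algorithm_systemauth` with `set_password_hashing_algorithm_auth_stig` and `accounts_password_pam_unix_rounds_password_auth` plus `var_password_pam_unix_rounds=100000`. Ubuntu configures pam_unix in /etc/pam.d/common-password, not in a password-auth or system-auth file, so confirm both rules resolve to that path for ubuntu2204 (the names follow the RHEL layout) before leaving the control at `status: automated`; otherwise the check passes or fails on a file that does not exist.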
@@ -441,6 +450,7 @@ controls: - medium rules: - remote_login_banner_text=dod_banners + - remote_login_banner_contents=dod_default - sshd_enable_warning_banner_net - banner_etc_issue_net status: automated @@ -461,7 +471,8 @@ controls: levels: - medium rules: - - login_banner_text=dod_banners + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - dconf_gnome_login_banner_text status: automated @@ -580,6 +591,22 @@ controls: - accounts_passwords_pam_faildelay_delay status: automated + - id: UBTU-24-300019 + title: Ubuntu 24.04 LTS must restrict privilege elevation to authorized personnel. + levels: + - medium + rules: + - sudo_restrict_privilege_elevation_to_authorized + status: automated + + - id: UBTU-24-300020 + title: Ubuntu 24.04 LTS must require users to provide a password for privilege escalation. + levels: + - medium + rules: + - sudo_remove_nopasswd + status: automated + - id: UBTU-24-300021 title: Ubuntu 24.04 LTS must require users to reauthenticate for privilege escalation or when changing roles. diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml index 8664f8c4bc7d..6d3821a97db7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@rhel10: CCE-89822-1 cce@sle12: CCE-83219-6 cce@sle15: CCE-91250-1 + cce@sle16: CCE-96470-0 cce@slmicro5: CCE-93655-9 cce@slmicro6: CCE-94636-8 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml index 7baee897f2ee..efef98acc465 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml @@ -53,6 +53,7 @@ identifiers: cce@rhel10: CCE-88170-6 cce@sle12: CCE-91611-4 cce@sle15: CCE-91251-9 + cce@sle16: CCE-96363-7 references: cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml index be642d92f573..6b2f502687d1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel10: CCE-90738-6 cce@sle12: CCE-92258-3 cce@sle15: CCE-85744-1 + cce@sle16: CCE-96174-8 cce@slmicro5: CCE-93612-0 cce@slmicro6: CCE-94650-9 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml index c4a37ca44434..4d321ba3a10a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml 
@@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-86727-5 cce@sle12: CCE-83207-1 cce@sle15: CCE-85591-6 + cce@sle16: CCE-95909-8 cce@slmicro5: CCE-93615-3 cce@slmicro6: CCE-94616-0 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml index 288f0d033b4b..4ccc58df4968 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml @@ -34,6 +34,7 @@ identifiers: cce@rhel10: CCE-89893-2 cce@sle12: CCE-92257-5 cce@sle15: CCE-85731-8 + cce@sle16: CCE-96256-3 cce@slmicro5: CCE-93614-6 cce@slmicro6: CCE-94652-5 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml index c2c798c0c6e7..40f76e0fcbea 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel10: CCE-88804-0 cce@sle12: CCE-92256-7 cce@sle15: CCE-85732-6 + cce@sle16: CCE-96358-7 cce@slmicro5: CCE-93613-8 cce@slmicro6: CCE-94651-7 diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml new file mode 100644 index 000000000000..096b2fa83e8b --- /dev/null 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_mac_modification_var_lib_selinux/rule.yml @@ -0,0 +1,36 @@ +documentation_complete: true + +title: 'Record Events that Modify the System''s Mandatory Access Controls in /var/lib/selinux' + +description: |- + {{{ describe_audit_rules_watch("/var/lib/selinux/", "MAC-policy") }}} + Note that monitoring /var/lib/selinux/ will generate a significant burst of audit events + during both selinux-policy* package upgrade and policy rebuild. + +rationale: |- + The system's mandatory access policy (SELinux) should not be + arbitrarily changed by anything other than administrator action. All changes to + MAC policy should be audited. + +severity: medium + +identifiers: + cce@rhel8: CCE-86459-5 + cce@rhel9: CCE-86461-1 + cce@rhel10: CCE-86465-2 + +ocil_clause: 'the system is not configured to audit attempts to change the MAC policy' + +ocil: |- + To determine if the system is configured to audit changes to its SELinux + configuration files, run the following command: + <pre>$ sudo auditctl -l | grep "dir=/var/lib/selinux"</pre> + If the system is configured to watch for changes to its SELinux + configuration, a line should be returned (including + <tt>perm=wa</tt> indicating permissions that are watched). + +template: + name: audit_rules_watch + vars: + path: "/var/lib/selinux/" + key: MAC-policy diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml index 623eafd2c929..c36b2ad25617 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/ansible/shared.yml 
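Review bot: the new audit_rules_mac_modification_var_lib_selinux/rule.yml carries `identifiers:` (CCEs for rhel8, rhel9 and rhel10) but no `references:` block, while the other audit rules touched in this patch all have one. Without references the rule cannot be placed in the STIG or CIS mapping tables, and a CCE-bearing rule with no framework mapping is hard to justify; add the references the existing /etc/selinux watch rule uses. Also consider moving the note about the audit-event burst during selinux-policy upgrades into a `warnings:` entry so it is rendered prominently in the generated guide rather than buried in the description.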
@@ -4,22 +4,15 @@ # complexity = low # disruption = low -{{% if product not in ["ol8"] %}} {{% set egid_arg = " -F egid=0" %}} {{% set euid_arg = " -F euid=0" %}} -{{% endif %}} {{% set rx_beg = "^[\s]*-a[\s]+always,exit[\s]+" %}} {{% set rx_b32 = "-F[\s]+arch=b32[\s]+" %}} {{% set rx_b64 = "-F[\s]+arch=b64[\s]+" %}} -{{% if product in ["ol8"] %}} -{{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+" %}} -{{% set rx_gid = "-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+" %}} -{{% else %}} {{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+" %}} {{% set rx_gid = "-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+" %}} -{{% endif %}} {{% set rx_end = "(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh index b452adbc65b1..a3f1129f160c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/bash/shared.sh @@ -7,11 +7,7 @@ for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - {{% if product in ["ol8"] %}} - OTHER_FILTERS="-C uid!=euid" - {{% else %}} OTHER_FILTERS="-C uid!=euid -F euid=0" - {{% endif %}} AUID_FILTERS="" SYSCALL="execve" {{% if product in ["ubuntu2404"] %}} @@ -28,11 +24,7 @@ done for ARCH in "${RULE_ARCHS[@]}" do ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" - {{% if product in ["ol8"] %}} - OTHER_FILTERS="-C gid!=egid" - {{% else %}} OTHER_FILTERS="-C gid!=egid -F egid=0" - {{% endif %}} AUID_FILTERS="" SYSCALL="execve" {{% if product in ["ubuntu2404"] %}} 
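Review bot: removing the `product in ["ol8"]` branches in ansible/shared.yml and bash/shared.sh makes `-F euid=0` and `-F egid=0` mandatory on OL8 as on every other product, so OL8 hosts remediated with the earlier `-C uid!=euid`-only rules will now fail the check and have their rules rewritten on the next remediation run. That aligns OL8 with the rest, but the commit message should state which OL8 STIG revision now requires the euid/egid filter, since it is a behavior change for an already-remediated fleet.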
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml index 8d56b6df6f8a..41b28f5823dd 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/oval/shared.xml @@ -1,13 +1,8 @@ {{% set rx_beg = "^[\s]*-a[\s]+always,exit[\s]+" %}} {{% set rx_b32 = "-F[\s]+arch=b32[\s]+" %}} {{% set rx_b64 = "-F[\s]+arch=b64[\s]+" %}} -{{% if product in ["ol8"] %}} -{{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+" %}} -{{% set rx_gid = "-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+" %}} -{{% else %}} {{% set rx_uid = "-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+" %}} {{% set rx_gid = "-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+" %}} -{{% endif %}} {{% set rx_end = "(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$" %}} <def-group> <definition class="compliance" id="audit_rules_suid_privilege_function" version="1"> diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh index e766ae3325d1..b88b869bbf03 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.pass.sh 
@@ -1,13 +1,8 @@ #!/bin/bash # packages = audit -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh index 9c2c5255a03e..98ee49c06892 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.fail.sh @@ -1,13 +1,8 @@ #!/bin/bash # packages = audit -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh index 2cec8e81404c..b8d987c0bb93 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.fail.sh 
@@ -1,11 +1,6 @@ #!/bin/bash # packages = audit -{{% if product not in ["ol8"] %}} -OTHER_FILTERS_EUID=" -F euid=0" -OTHER_FILTERS_EGID=" -F egid=0" -{{% endif %}} - echo "-a always,exit -F arch=b32 -S execve -C gid!=guid${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh index 09dfcb5076a6..1266ad33742d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.pass.sh @@ -3,13 +3,8 @@ # This tests situation where key value is not std. And also situation where there is extra spaces in rules. -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} echo " -a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EGID} -F key=my_setgid-audit-rule " > /etc/audit/rules.d/privileged.rules echo " -a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EGID} -k my_setgid-audit-rule " >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh index b0ce8f934bb9..4844f44f4e5e 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.pass.sh @@ -1,14 +1,8 @@ #!/bin/bash # packages = audit - -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -F key=setgid" > /etc/audit/rules.d/privileged.rules echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -F key=setgid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh index be0f1b541f00..499dfdb22ee7 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.fail.sh @@ -1,13 +1,8 @@ #!/bin/bash # packages = audit -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/rules.d/privileged.rules echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh index a7b757311f41..f9078e64672b 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.fail.sh @@ -1,13 +1,8 @@ #!/bin/bash # packages = audit -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=egid" -OTHER_FILTERS_EGID=" -C gid!=egid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=egid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0" -{{% endif %}} echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh index 91c8e3521c0d..3f61e25013ae 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.fail.sh @@ -1,13 +1,8 @@ #!/bin/bash # packages = audit -{{% if product in ["ol8"] %}} -OTHER_FILTERS_EUID=" -C uid!=euid" -OTHER_FILTERS_EGID=" -C gid!=euid" -{{% else %}} OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0" OTHER_FILTERS_EGID=" -C gid!=euid -F egid=0" -{{% endif %}} echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/rules.d/privileged.rules echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/rules.d/privileged.rules diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml index 6acdf95eb38f..8311aa5ce764 100644 
--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml +++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/package_kea_removed/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel8: CCE-87348-9 cce@rhel10: CCE-86596-4 + cce@sle16: CCE-96693-7 {{{ complete_ocil_entry_package(package="kea") }}} diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml index b030a645a893..51fe990a7a8f 100644 --- a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml +++ b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml @@ -13,6 +13,9 @@ rationale: |- severity: medium identifiers: + cce@rhel8: CCE-90720-4 + cce@rhel9: CCE-90721-2 + cce@rhel10: CCE-90722-0 cce@sle15: CCE-92602-2 platform: system_with_kernel diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml index da2b9e7fd6f6..721e16e03d13 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-87937-9 cce@sle12: CCE-83031-5 cce@sle15: CCE-85605-4 + cce@sle16: CCE-95842-1 cce@slmicro5: CCE-93678-1 cce@slmicro6: CCE-94656-6 diff --git a/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml b/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml new file mode 100644 index 000000000000..fd114321b115 --- /dev/null +++ b/linux_os/guide/services/nfs_and_rpc/package_nfs-common_removed/rule.yml 
@@ -0,0 +1,22 @@ +documentation_complete: true + +title: 'Uninstall nfs-common Package' + +description: |- + {{{ describe_package_remove(package="nfs-common") }}} + +rationale: |- + If the system does not export NFS shares or act as an NFS client, it is + recommended that these services be removed to reduce the remote attack + surface. + +severity: low + +{{{ complete_ocil_entry_package(package="nfs-common") }}} + +fixtext: '{{{ fixtext_package_removed("nfs-common") }}}' + +template: + name: package_removed + vars: + pkgname: nfs-common diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh index b4a1687cde49..144cf95c553a 100644 --- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/bash/shared.sh @@ -5,6 +5,8 @@ config_file="{{{ chrony_conf_path }}}" +sed -i -e '$a\' "$config_file" + # Check and configigure servers in {{{ chrony_conf_path }}} IFS="," read -a SERVERS <<< $var_multiple_time_servers for srv in "${SERVERS[@]}" diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml index 28c845c74a92..c58abf32c154 100644 --- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-89285-1 cce@sle12: CCE-92394-6 cce@sle15: CCE-92526-3 + cce@sle16: CCE-96189-6 cce@slmicro5: CCE-93908-2 references: diff --git a/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml index 683af7223c1f..6fb1a9fea13f 100644 --- a/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml +++ b/linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml 
@@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86379-5 cce@rhel9: CCE-86380-3 cce@rhel10: CCE-88848-7 + cce@sle16: CCE-96618-4 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/chrony.keys", owner="root") }}}' diff --git a/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml b/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml index 94d5ed71807b..01c82c5f51a1 100644 --- a/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml +++ b/linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86383-7 cce@rhel9: CCE-86384-5 cce@rhel10: CCE-88155-7 + cce@sle16: CCE-96085-6 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/chrony.keys", perms="0640") }}}' diff --git a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml index 754b1bf3d189..af8540441c24 100644 --- a/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel9: CCE-84217-9 cce@rhel10: CCE-90511-7 cce@sle15: CCE-92601-4 + cce@sle16: CCE-96684-6 references: srg: SRG-OS-000355-GPOS-00143 diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml index 1db77bb04a7a..d4ed1fb801e0 100644 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml @@ -41,6 +41,7 @@ template: packagename@ol7: rsync packagename@sle12: rsync packagename@sle15: rsync + packagename@sle16: rsync packagename@slmicro5: rsync packagename@openeuler2203: rsync servicename@ubuntu2404: rsync 
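Review bot: in audit_rules_suid_privilege_function/tests/miss_c.fail.sh the removed `{{% if product not in ["ol8"] %}}` block was the only place OTHER_FILTERS_EUID and OTHER_FILTERS_EGID were assigned, and nothing replaces it, so both now expand to empty and the script writes `-S execve -C gid!=guid -k setgid` and `-S execve -k setgid` with no `-F euid=0`/`-F egid=0` at all. The scenario still fails, but for two reasons (a missing `-C` and missing `-F euid=0`/`-F egid=0`), so it no longer isolates the missing-`-C` case the file name promises. Keep the assignments unconditionally, e.g. `OTHER_FILTERS_EUID=" -F euid=0"` and `OTHER_FILTERS_EGID=" -F egid=0"`, as the sibling test scripts in this patch do.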
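Review bot: with the ol8 branch dropped from audit_rules_suid_privilege_function/oval/shared.xml, OL8 is now checked for the `-F euid=0`/`-F egid=0` filters like every other product, but this patch touches only the OVAL and the tests, not the rule's bash/ansible remediation or its description. If those still emit the shorter `-C uid!=euid` form for ol8, remediation will leave the system failing the check; please confirm they were already unconditional or update them in the same change.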
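Review bot: the new package_nfs-common_removed/rule.yml has no `identifiers:` and no `references:` section, and no platform or product restriction. nfs-common is the Debian/Ubuntu package that provides NFS client support, yet the rationale says "If the system does not export NFS shares or act as an NFS client"; tighten the wording to the client role and add at least an `identifiers:` block (or note why no CCE is assigned yet) so the rule does not land in the data stream without an identifier.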
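Review bot: in chronyd_configure_pool_and_server/bash/shared.sh the added `sed -i -e '$a\' "$config_file"` only ensures the file ends with a newline so the `server` lines appended below do not get glued onto an unterminated last line; add a one-line comment saying so, because `$a\` with empty text is an obscure idiom. Also, `sed -i` exits non-zero when `{{{ chrony_conf_path }}}` does not exist; if the remediation is expected to create the file, guard with `[ -f "$config_file" ]` or `touch "$config_file"` first.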
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml index bba598123a34..1d6fbf388c10 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml @@ -2,6 +2,8 @@ documentation_complete: true {{% if 'ubuntu' in product %}} {{% set package_name = "tftpd-hpa" %}} +{{% elif 'sle' in product %}} +{{% set package_name = "tftp" %}} {{% else %}} {{% set package_name = "tftp-server" %}} {{% endif %}} diff --git a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml index 9dd2ecc766b5..7c990240df3e 100644 --- a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server Configuration Files' description: |- - {{{ describe_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ describe_directory_group_owner(directory=sshd_config_dir, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory=sshd_config_dir, group="root") }}}' ocil: |- - {{{ ocil_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ ocil_directory_group_owner(directory=sshd_config_dir, group="root") }}} -fixtext: '{{{ fixtext_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}' +fixtext: '{{{ fixtext_directory_group_owner(file=sshd_config_dir, group="root") }}}' -srg_requirement: '{{{ srg_requirement_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}' +srg_requirement: '{{{ srg_requirement_directory_group_owner(file=sshd_config_dir, group="root") }}}' template: name: file_groupowner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml index 73713872c946..0d4dcc611827 100644 --- a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server Configuration Files' description: |- - {{{ describe_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ describe_directory_owner(directory=sshd_config_dir, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_directory_owner(directory=sshd_config_dir, owner="root") }}}' ocil: |- - {{{ ocil_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ ocil_directory_owner(directory=sshd_config_dir, owner="root") }}} -fixtext: '{{{ fixtext_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}' +fixtext: '{{{ fixtext_directory_owner(file=sshd_config_dir, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_directory_owner(file=sshd_config_dir, owner="root") }}}' template: name: file_owner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml index 6a50abb97e99..9496c6c0efc3 100644 --- a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server Config File' description: |- - {{{ describe_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0700") }}} + {{{ describe_directory_permissions(directory=sshd_config_dir, perms="0700") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}' +ocil_clause: '{{{ ocil_clause_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}' ocil: |- - {{{ ocil_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}} + {{{ ocil_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}} -fixtext: '{{{ fixtext_directory_permissions(file="/etc/ssh/sshd_config.d", mode="0700") }}}' +fixtext: '{{{ fixtext_directory_permissions(file=sshd_config_dir, mode="0700") }}}' -srg_requirement: '{{{ srg_requirement_directory_permission(file="/etc/ssh/sshd_config.d", mode="0700") }}}' +srg_requirement: '{{{ srg_requirement_directory_permission(file=sshd_config_dir, mode="0700") }}}' template: name: file_permissions vars: - filepath: /etc/ssh/sshd_config.d/ + filepath: '{{{ sshd_config_dir }}}/' filemode: '0700' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml index f0ea9c5cf13d..8d6c5cef73e9 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server config file' description: |- - {{{ describe_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}} + {{{ describe_file_group_owner(file=sshd_main_config_file, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-86992-5 cce@sle12: CCE-92276-5 cce@sle15: CCE-91392-1 + cce@sle16: CCE-96595-4 cce@slmicro5: CCE-93889-4 references: 
@@ -35,19 +36,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_main_config_file, group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}} + {{{ ocil_file_group_owner(file=sshd_main_config_file, group="root") }}} -fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +fixtext: '{{{ fixtext_file_group_owner(file=sshd_main_config_file, group="root") }}}' -srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_main_config_file, group="root") }}}' template: name: file_groupowner vars: - filepath: /etc/ssh/sshd_config + filepath: '{{{ sshd_main_config_file }}}' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml index 5f1728ab2a8b..3fd050bca108 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server Configuration Files' description: |- - {{{ describe_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ describe_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' ocil: |- - {{{ ocil_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ ocil_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}} -fixtext: '{{{ fixtext_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +fixtext: '{{{ fixtext_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' template: name: file_groupowner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' gid_or_name: '0' diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml index 755283fde798..fd5b56034bd8 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel8: CCE-86126-0 cce@rhel9: CCE-86127-8 cce@rhel10: CCE-90288-2 + cce@sle16: CCE-96366-0 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*_key", group="root") }}}' diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml index d25a28e32dc2..3e235d9d6e8e 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml 
+++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86133-6 cce@rhel9: CCE-86136-9 cce@rhel10: CCE-90469-8 + cce@sle16: CCE-96361-1 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*.pub", group="root") }}}' diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml index 4fefa1a5a591..528ebf4553b9 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server config file' description: |- - {{{ describe_file_owner(file="/etc/ssh/sshd_config", owner="root") }}} + {{{ describe_file_owner(file=sshd_main_config_file, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-89829-6 cce@sle12: CCE-92277-3 cce@sle15: CCE-91393-9 + cce@sle16: CCE-96194-6 cce@slmicro5: CCE-93888-6 references: 
@@ -35,19 +36,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_main_config_file, owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/ssh/sshd_config", owner="root") }}} + {{{ ocil_file_owner(file=sshd_main_config_file, owner="root") }}} -fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +fixtext: '{{{ fixtext_file_owner(file=sshd_main_config_file, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_main_config_file, owner="root") }}}' template: name: file_owner vars: - filepath: /etc/ssh/sshd_config + filepath: '{{{ sshd_main_config_file }}}' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml index f0832ad73e6b..bb0cf97aa84a 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server Configuration Files' description: |- - {{{ describe_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ describe_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -29,19 +29,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' ocil: |- - {{{ ocil_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ ocil_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}} -fixtext: '{{{ fixtext_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +fixtext: '{{{ fixtext_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' template: name: file_owner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' uid_or_name: '0' diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml index ccb71fb9ae85..8bae6479baf1 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel8: CCE-86118-7 cce@rhel9: CCE-86119-5 cce@rhel10: CCE-90624-8 + cce@sle16: CCE-95879-3 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/*_key", owner="root") }}}' diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml index 4239d6724a9b..0e77032acb79 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml 
@@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86129-4 cce@rhel9: CCE-86130-2 cce@rhel10: CCE-87297-8 + cce@sle16: CCE-95980-9 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/*.pub", owner="root") }}}' diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml index f36678bf6753..d9d311f83a97 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server config file' description: |- - {{{ describe_file_permissions(file="/etc/ssh/sshd_config", perms="0600") }}} + {{{ describe_file_permissions(file=sshd_main_config_file, perms="0600") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -36,20 +36,20 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}} + {{{ ocil_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}} -fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/sshd_config", mode="0600") }}}' +fixtext: '{{{ fixtext_file_permissions(file=sshd_main_config_file, mode="0600") }}}' -srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config", mode="0600") }}}' +srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_main_config_file, mode="0600") }}}' template: name: file_permissions vars: filepath: - - /etc/ssh/sshd_config + - '{{{ sshd_main_config_file }}}' filemode: '0600' platform: system_with_kernel 
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml index 26a1815bce4d..0cfaa9f10f6b 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server Config File' description: |- - {{{ describe_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0600") }}} + {{{ describe_files_in_directory_permissions(directory=sshd_config_dir, perms="0600") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}' ocil: |- - {{{ ocil_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}} + {{{ ocil_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}} -fixtext: '{{{ fixtext_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}' +fixtext: '{{{ fixtext_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}' template: name: file_permissions vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' filemode: '0600' 
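Review bot: the sshd file/directory rules now render `sshd_config_dir` and `sshd_main_config_file` in titles, OCIL, fixtext, srg_requirement and the template `filepath` vars, so every product that selects any of these rules must define both variables. A product without them will either fail the build or, depending on the undefined handling in the Jinja environment, render `filepath: '/'` for the directory rules, which would turn directory_permissions_sshd_config_d into a 0700 check on the root directory. Please confirm both variables have defaults in the shared product configuration, or that the build rejects an undefined value here.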
diff --git a/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml b/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml index ffa34166c034..db813093f611 100644 --- a/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml +++ b/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml @@ -1,9 +1,10 @@ +{{% set sshd_redhat_drop_in_file = sshd_config_dir ~ "/50-redhat.conf" %}} documentation_complete: true -title: 'The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist' +title: 'The File {{{ sshd_redhat_drop_in_file }}} Must Exist' description: |- - The <tt>/etc/ssh/sshd_config.d/50-redhat.conf</tt> file must exist as it contains important + The <tt>{{{ sshd_redhat_drop_in_file }}}</tt> file must exist as it contains important settings to secure SSH. @@ -29,7 +30,7 @@ warnings: template: name: 'file_existence' vars: - filepath: '/etc/ssh/sshd_config.d/50-redhat.conf' + filepath: '{{{ sshd_redhat_drop_in_file }}}' exists: true backends: ansible: off diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml index 81968afeebea..7b5a91c274e7 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml 
@@ -4,12 +4,15 @@ # complexity = low # disruption = low {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} +{{%- set sshc_main_config = ssh_client_main_config_file -%}} +{{%- set sshc_config_dir = ssh_client_config_dir -%}} +{{%- set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" -%}} -{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', insensitive=false, create='no', state='absent', rule_title=rule_title) }}} +{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in ' ~ sshc_main_config, path=sshc_main_config, regex='^\s*RekeyLimit.*$', insensitive=false, create='no', state='absent', rule_title=rule_title) }}} - name: Collect all include config files for ssh client which configure RekeyLimit ansible.builtin.find: - paths: "/etc/ssh/ssh_config.d/" + paths: "{{{ sshc_config_dir }}}" contains: '^[\s]*RekeyLimit.*$' patterns: "*.config" register: ssh_config_include_files @@ -21,4 +24,4 @@ state: "absent" loop: "{{ ssh_config_include_files.files }}" -{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', insensitive=false, new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present', rule_title=rule_title) }}} +{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in ' ~ sshc_rekey_config, path=sshc_rekey_config, regex='^\s*RekeyLimit.*$', insensitive=false, new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present', rule_title=rule_title) }}} 
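Review bot: the `find` task in ssh_client_rekey_limit/ansible/shared.yml still uses `patterns: "*.config"`, while the bash remediation iterates `"$include_directory"/*.conf` and the OVAL checks `{{{ sshc_config_dir }}}/*.conf`; with `.config` the task matches no standard drop-in, so a stale `RekeyLimit` in another `*.conf` file is never removed and the check can still fail after Ansible remediation. Since this task is being edited anyway, change it to `patterns: "*.conf"`. Dropping the trailing slash from `paths:` is harmless for `find`.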
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh index 9662e8d55e4c..c50d21ab5242 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh @@ -1,9 +1,10 @@ # platform = multi_platform_all {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}} +{{%- set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" -%}} -main_config="/etc/ssh/ssh_config" -include_directory="/etc/ssh/ssh_config.d" +main_config="{{{ ssh_client_main_config_file }}}" +include_directory="{{{ ssh_client_config_dir }}}" if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then sed -i '/^[\s]*RekeyLimit.*/d' "$main_config" @@ -15,4 +16,4 @@ for file in "$include_directory"/*.conf; do fi done -{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ set_config_file(path=sshc_rekey_config, parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml index 83c8433fb153..01f49eb6842f 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml 
@@ -1,10 +1,13 @@ +{{%- set sshc_main_config = ssh_client_main_config_file -%}} +{{%- set sshc_config_dir = ssh_client_config_dir -%}} + <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> - {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf", rule_title=rule_title) }}} + {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in " ~ sshc_main_config ~ " and " ~ sshc_config_dir ~ "/*.conf", rule_title=rule_title) }}} <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND"> - <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" /> - <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" /> + <criterion comment="check that RekeyLimit is not configured in {{{ sshc_main_config }}}" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" /> + <criterion comment="check correct RekeyLimit configuration in {{{ sshc_config_dir }}}/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" /> </criteria> </definition> 
@@ -22,22 +25,23 @@ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" /> - <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1"> + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in {{{ sshc_main_config }}}" id="test_ssh_client_rekey_limit_main_config" version="1"> <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1"> - <ind:filepath>/etc/ssh/ssh_config</ind:filepath> + <ind:filepath>{{{ sshc_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> - <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1"> + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in {{{ sshc_config_dir }}}/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1"> <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1"> - <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath> + <ind:path>{{{ sshc_config_dir }}}</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern> <ind:instance datatype="int" operation="greater than or 
equal">1</ind:instance> </ind:textfilecontent54_object> diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml index d9b564e17a4d..018a48cca00c 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml @@ -1,5 +1,8 @@ documentation_complete: true +{{% set sshc_main_config = ssh_client_main_config_file %}} +{{% set sshc_config_dir = ssh_client_config_dir %}} +{{% set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" %}} title: 'Configure session renegotiation for SSH client' @@ -8,11 +11,11 @@ description: |- the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line - <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>. + <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>{{{ sshc_rekey_config }}}</tt>. Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding the <tt>include</tt> directive in the main config file - <tt>/etc/ssh/ssh_config</tt>. Check also other files in - <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to + <tt>{{{ sshc_main_config }}}</tt>. Check also other files in + <tt>{{{ sshc_config_dir }}}</tt> directory. Files are processed according to lexicographical order of file names. Make sure that there is no file processed before <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>. 
@@ -37,12 +40,12 @@ ocil_clause: 'it is commented out or is not set' ocil: |- To check if RekeyLimit is set correctly, run the following command: - <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> + <pre>$ sudo grep RekeyLimit {{{ sshc_config_dir }}}/*.conf</pre> If configured properly, output should be - <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf: + <pre>{{{ sshc_rekey_config }}}: RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the main configuration file with the following command: - <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config</pre> + <pre>$ sudo grep RekeyLimit {{{ sshc_main_config }}}</pre> The command should not return any output. fixtext: |- @@ -53,4 +56,3 @@ fixtext: |- Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service - diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh index c90bd144ef7d..01445b652b99 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh 
@@ -1,14 +1,16 @@ # platform = multi_platform_ubuntu ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" +{{% set sshc_cipher_list_config = ssh_client_config_dir ~ "/00-cipher-list.conf" %}} -main_config="/etc/ssh/ssh_config" -include_directory="/etc/ssh/ssh_config.d" +main_config="{{{ ssh_client_main_config_file }}}" +include_directory="{{{ ssh_client_config_dir }}}" +cipher_list_config="$include_directory/00-cipher-list.conf" sed -i '/^\s*[Cc]iphers.*/d' "$main_config" "$include_directory"/*.conf || true -if ! grep -qE '^[Hh]ost\s+\*$' /etc/ssh/ssh_config.d/00-cipher-list.conf; then - echo 'Host *' >> /etc/ssh/ssh_config.d/00-cipher-list.conf +if ! grep -qE '^[Hh]ost\s+\*$' "$cipher_list_config"; then + echo 'Host *' >> "$cipher_list_config" fi -{{{ set_config_file(path="/etc/ssh/ssh_config.d/00-cipher-list.conf", parameter="Ciphers", value='$ssh_approved_ciphers', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ set_config_file(path=sshc_cipher_list_config, parameter="Ciphers", value='$ssh_approved_ciphers', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml index 3d6471f483cd..6a17966e11de 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml 
@@ -1,40 +1,42 @@ {{%- if product == 'ubuntu2404' %}} {{%- set ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}} {{%- endif %}} +{{%- set sshc_main_config = ssh_client_main_config_file -%}} +{{%- set sshc_config_dir = ssh_client_config_dir -%}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} <criteria comment="the configuration is correct if it exists" operator="AND"> - <criterion comment="Check the ciphers in /etc/ssh/ssh_config if any" + <criterion comment="Check the ciphers in {{{ sshc_main_config }}} if any" test_ref="test_{{{ rule_id }}}" /> - <criterion comment="Check the ciphers in /etc/ssh/ssh_config.d if any" + <criterion comment="Check the ciphers in {{{ sshc_config_dir }}} if any" test_ref="test_{{{ rule_id }}}_config_dir" /> <criterion comment="the configuration exists" test_ref="test_ciphers_present_{{{ rule_id }}}" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="any_exist" - comment="tests the value of ciphers setting in the /etc/ssh/ssh_config file" + comment="tests the value of ciphers setting in {{{ sshc_main_config }}}" id="test_{{{ rule_id }}}" version="1"> <ind:object object_ref="obj_{{{ rule_id }}}" /> <ind:state state_ref="state_{{{ rule_id }}}" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1"> - <ind:filepath>/etc/ssh/ssh_config</ind:filepath> + <ind:filepath>{{{ sshc_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_test check="all" check_existence="any_exist" - comment="tests the value of ciphers setting in the /etc/ssh/ssh_config.d file" + comment="tests the value of 
ciphers setting in {{{ sshc_config_dir }}}" id="test_{{{ rule_id }}}_config_dir" version="1"> <ind:object object_ref="obj_{{{ rule_id }}}_config_dir" /> <ind:state state_ref="state_{{{ rule_id }}}" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1"> - <ind:path>/etc/ssh/ssh_config.d</ind:path> + <ind:path>{{{ sshc_config_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml index b390b8e81328..bc8f65cd23a0 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml @@ -1,13 +1,14 @@ {{%- if product == 'ubuntu2404' %}} {{%- set ssh_approved_ciphers = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}} {{%- endif %}} +{{%- set sshc_main_config = ssh_client_main_config_file -%}} documentation_complete: true title: 'Use Only FIPS 140-3 Validated Ciphers in SSH Client Configuration' description: |- Limit the ciphers to those algorithms which are FIPS-approved. - The following line in <tt>/etc/ssh/ssh_config</tt> + The following line in <tt>{{{ sshc_main_config }}}</tt> demonstrates use of FIPS-approved ciphers: {{%- if 'ubuntu' in product %}} <pre>Ciphers {{{ ssh_approved_ciphers }}}</pre> diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh index 8c4fa3715f4b..c5bef9fd205b 100644 
--- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh @@ -1,14 +1,16 @@ # platform = multi_platform_ubuntu {{{ bash_instantiate_variables("ssh_approved_macs") }}} +{{%- set sshc_mac_list_config = ssh_client_config_dir ~ "/00-mac-list.conf" -%}} -main_config="/etc/ssh/ssh_config" -include_directory="/etc/ssh/ssh_config.d" +main_config="{{{ ssh_client_main_config_file }}}" +include_directory="{{{ ssh_client_config_dir }}}" +mac_list_config="$include_directory/00-mac-list.conf" sed -i '/^\s*MACs.*/d' "$main_config" "$include_directory"/*.conf || true -if ! grep -qE '^[Hh]ost\s+\*$' /etc/ssh/ssh_config.d/00-mac-list.conf; then - echo 'Host *' >> /etc/ssh/ssh_config.d/00-mac-list.conf +if ! grep -qE '^[Hh]ost\s+\*$' "$mac_list_config"; then + echo 'Host *' >> "$mac_list_config" fi -{{{ set_config_file(path="/etc/ssh/ssh_config.d/00-mac-list.conf", parameter="MACs", value='$ssh_approved_macs', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ set_config_file(path=sshc_mac_list_config, parameter="MACs", value='$ssh_approved_macs', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml index be209a2537b6..a7dbbe5edee9 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml 
@@ -1,11 +1,14 @@ +{{%- set sshc_main_config = ssh_client_main_config_file -%}} +{{%- set sshc_config_dir = ssh_client_config_dir -%}} + <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} <criteria comment="ssh is configured correctly" operator="AND"> <criteria comment="the configuration is correct if it exists" operator="AND"> - <criterion comment="Check the MACs in /etc/ssh/ssh_config if any" + <criterion comment="Check the MACs in {{{ sshc_main_config }}} if any" test_ref="test_{{{ rule_id }}}" /> - <criterion comment="Check the MACs in /etc/ssh/ssh_config.d if any" + <criterion comment="Check the MACs in {{{ sshc_config_dir }}} if any" test_ref="test_{{{ rule_id }}}_config_dir" /> </criteria> <criterion comment="the configuration exists" test_ref="test_MACs_present_{{{ rule_id }}}" /> 
@@ -13,27 +16,27 @@ </definition> <ind:textfilecontent54_test check="all" check_existence="any_exist" - comment="tests the value of MACs setting in the /etc/ssh/ssh_config file" + comment="tests the value of MACs setting in {{{ sshc_main_config }}}" id="test_{{{ rule_id }}}" version="1"> <ind:object object_ref="obj_{{{ rule_id }}}" /> <ind:state state_ref="state_{{{ rule_id }}}" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1"> - <ind:filepath>/etc/ssh/ssh_config</ind:filepath> + <ind:filepath>{{{ sshc_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_test check="all" check_existence="any_exist" - comment="tests the value of MACs setting in the /etc/ssh/ssh_config.d file" + comment="tests the value of MACs setting in {{{ sshc_config_dir }}}" id="test_{{{ rule_id }}}_config_dir" version="1"> <ind:object object_ref="obj_{{{ rule_id }}}_config_dir" /> <ind:state state_ref="state_{{{ rule_id }}}" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1"> - <ind:path>/etc/ssh/ssh_config.d</ind:path> + <ind:path>{{{ sshc_config_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml index 45de2c107a32..a3b143a1e57f 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml @@ -1,10 +1,12 @@ documentation_complete: true +{{% set sshc_main_config = ssh_client_main_config_file %}} +{{%- set sshc_config_dir = ssh_client_config_dir -%}} title: 'Use Only FIPS 140-3 Validated MACs' description: |- Limit the MACs to those hash algorithms which are FIPS-approved. - The following line in <tt>/etc/ssh/ssh_config</tt> + The following line in <tt>{{{ sshc_main_config }}}</tt> demonstrates use of FIPS-approved MACs: <pre>MACs {{{ ssh_approved_macs }}}</pre> @@ -22,11 +24,10 @@ ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algor ocil: |- Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command: - <pre>$ sudo grep -ir macs /etc/ssh/ssh_config*</pre> + <pre>$ sudo grep -ir macs {{{ sshc_main_config }}} {{{ sshc_config_dir }}}</pre> The output should contain only following MACs: <pre>MACs {{{ xccdf_value("ssh_approved_macs") }}}</pre> warnings: - general: |- The system needs to be rebooted for these changes to take effect. - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml index 0370a61865c4..4f652f5c1c22 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml 
@@ -1,3 +1,9 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_drop_in_include_regex = (sshd_drop_in_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}} +{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}} +{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}} +{{%- set sshd_config_locations_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("Ensure SSHD to include the system crypto policy", rule_title=rule_title) }}} @@ -13,8 +19,8 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_drop_in" version="1"> - <ind:filepath operation="pattern match">/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$</ind:pattern> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> + <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+{{{ sshd_drop_in_include_regex }}}$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> @@ -25,7 +31,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_include_system_crypto" version="1"> - <ind:filepath operation="pattern match">/etc/ssh/(sshd_config|sshd_config\.d/.*\.conf)</ind:filepath> + <ind:filepath operation="pattern match">{{{ sshd_config_locations_regex }}}</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml index aff4c3172b75..64801d0bb571 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml @@ -1,3 +1,8 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}} +{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}} +{{%- set sshd_any_config_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}} 
@@ -27,22 +32,22 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_allow_user" version="1"> - <ind:filepath operation="pattern match">^\/etc\/ssh\/sshd_config.*$</ind:filepath> + <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath> <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_object id="obj_allow_group" version="1"> - <ind:filepath operation="pattern match">^/etc/ssh/sshd_config.*$</ind:filepath> + <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath> <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_object id="obj_deny_user" version="1"> - <ind:filepath operation="pattern match">^/etc/ssh/sshd_config.*$</ind:filepath> + <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath> <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_object id="obj_deny_group" version="1"> - <ind:filepath operation="pattern match">^/etc/ssh/sshd_config.*$</ind:filepath> + <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath> <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml new file mode 100644 index 000000000000..8dce53384a11 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml 
@@ -0,0 +1,100 @@ +{{% macro test_sshd_lineinfile(filepath, param, id) %}} +{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}} + <ind:textfilecontent54_test id="{{{ id }}}" version="1" check="all" + check_existence="only_one_exists" comment="Check if there is an {{{ param }}} entry in {{{ filepath }}}"> + <ind:object object_ref="object_{{{ param }}}{{{ object_id }}}" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_{{{ param }}}{{{ object_id }}}" version="1"> + <ind:filepath operation="pattern match">^{{{ filepath }}}</ind:filepath> + <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +{{% endmacro %}} + +{{% macro test_sshd_lineindir(filepath, param, id) %}} +{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}} + <ind:textfilecontent54_test id="{{{ id }}}" version="1" check="all" + check_existence="only_one_exists" comment="Check if there is an {{{ param }}} entry in {{{ filepath }}}"> + <ind:object object_ref="object_{{{ param }}}{{{ object_id }}}" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_{{{ param }}}{{{ object_id }}}" version="1"> + <ind:path>{{{ filepath }}}</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +{{% endmacro %}} + +<def-group> + <definition class="compliance" id="{{{ rule_id }}}" version="1"> + {{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}} + 
<criteria operator="OR" comment="sshd limits the users who can log in"> + <criteria comment="AllowUsers, DenyUsers, AllowGroups, DenyGroups when using /etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/> + <criteria operator="OR"> + <criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig" /> + <criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig" /> + <criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig" /> + <criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig" /> + <criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir" /> + </criteria> + </criteria> + <criteria comment="AllowUsers, DenyUsers, AllowGroups, DenyGroups when using /usr/etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criteria operator="OR"> + <criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig" /> + <criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig" /> + <criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig" /> + <criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig" /> + <criterion 
test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir" /> + <criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir" /> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig") }}} + {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig") }}} + {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig") }}} + {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig") }}} + + {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig") }}} + {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig") }}} + {{{ 
test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig") }}} + {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig") }}} + + {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig_dir") }}} + {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig_dir") }}} + {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig_dir") }}} + {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig_dir") }}} + + {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir") }}} + {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}} + {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir") }}} + {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}} +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh index 4a5255dc3c9f..0794a24e80a7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh new file mode 100644 index 000000000000..2f5b763698b1 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_groups_etc_ssh_sshd_config_dir.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source common.sh +echo "AllowGroups group" >> /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh index 9bde6d56cd92..520d0a048faa 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh index 0b35e7039585..6d6bd04f37b6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_groups.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh new file mode 100644 index 000000000000..04b090c1a148 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/allow_users_usr_etc_ssh_sshd_config.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source common.sh + +echo "AllowUsers testuser1 testuser2 testuser3" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh new file mode 100644 index 000000000000..3c936c2321ce --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/common.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +declare -a SSHD_PATHS=("/etc/ssh/sshd_config") +{{% if product == 'sle16' %}} +SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*) +{{% endif %}} +# clean up configurations +sed -i '/^(Allow|Deny)(Users|Groups).*/d' "${SSHD_PATHS[@]}" + +# restore to defaults for sle16 +{{% if product == 'sle16' %}} +if [ -e "/etc/ssh/sshd_config" ] ; then + rm /etc/ssh/sshd_config +fi +{{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh new file mode 100644 index 000000000000..6d23da947c9d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_group_in_usr_etc_missing.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# remediation = none +# platform = SUSE Linux Enterprise 16 +source common.sh + +touch /etc/ssh/sshd_config +echo "DenyGroups testgroup" >> /usr/etc/ssh/sshd_config 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh index a324d89e397d..16f6e9d3d58f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_groups.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh index 35c7f65d7514..adb157baddd2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh index fc55098614a0..ebe08fb81dea 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_groups.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh new file mode 100644 index 000000000000..bee5f9991a7c --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/deny_users_usr_etc_ssh_sshd_config_dir.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source common.sh + +echo "DenyUsers user" >> /usr/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh index 2f735305d2c5..1f6c11f7a4d1 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_groups.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # remediation = none -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "AllowGroups " >> /etc/ssh/sshd_config echo "DenyGroups " >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh index 4affe4b4d598..55ea7d01cde3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/empty_users.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # remediation = none -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh echo "AllowUsers " >> /etc/ssh/sshd_config echo "DenyUsers " >> /etc/ssh/sshd_config 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh index bc8a67e7fbad..8ab213a16a18 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/tests/no_entry.fail.sh @@ -1,4 +1,4 @@ #!/bin/bash # remediation = none -find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d' +source common.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml index 918c6c789006..f8056fa2f5fc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml @@ -1,9 +1,9 @@ {{%- set parameter = "RekeyLimit" %}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} -{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_config_path %}} +{{%- set sshd_main_config = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_main_config %}} {{%- if sshd_distributed_config == "true" %}} -{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_drop_in_dir -%}} {{%- endif %}} <def-group> 
@@ -14,15 +14,15 @@ {{{- application_required_or_requirement_unset() }}} <criteria comment="sshd is configured correctly" operator="OR"> {{%- if sshd_distributed_config == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, rule_id=rule_id) | indent(8) }}} + {{{- oval_line_in_directory_criterion(sshd_drop_in_dir, parameter, rule_id=rule_id) | indent(8) }}} <!-- Configuration in directory has precedence --> <criteria comment="sshd is configured correctly in main file"> - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, rule_id=rule_id) }}} + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, rule_id=rule_id) }}} <criterion test_ref="test_sshd_rekey_limit_config_dir_absent" comment="{{{ parameter }}} is not defined in the directory" /> </criteria> {{%- else %}} - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, rule_id=rule_id) }}} + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, rule_id=rule_id) }}} {{%- endif %}} </criteria> </criteria><!-- macro application_required_or_requirement_unset() leaves an open criteria element--> @@ -35,7 +35,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1"> - <ind:filepath>{{{ sshd_config_path }}}</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> @@ -54,7 +54,7 @@ <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1"> - <ind:path>{{{ sshd_config_dir}}}</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml index d9d64b684db5..70d69a882e6c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml @@ -1,3 +1,5 @@ +{{% set sshd_main_config = sshd_main_config_file %}} +{{% set sshd_drop_in_glob = sshd_config_dir ~ "/*" %}} documentation_complete: true title: 'Force frequent session key renegotiation' 
@@ -34,24 +36,17 @@ ocil: |- To check if RekeyLimit is set correctly, run the following command: {{% if sshd_distributed_config == "true" %}} - <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre> + <pre>$ sudo grep RekeyLimit {{{ sshd_main_config }}} {{{ sshd_drop_in_glob }}}</pre> {{% else %}} - <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre> + <pre>$ sudo grep RekeyLimit {{{ sshd_main_config }}}</pre> {{% endif %}} If configured properly, output should be <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre> fixtext: |- - {{% if sshd_distributed_config == "true" %}} - Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" file: - {{% else %}} - Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file: - {{% endif %}} - - RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}} - - Restart the SSH daemon for the settings to take effect. - - $ sudo systemctl restart sshd.service + {{{ fixtext_sshd_lineinfile( + parameter="RekeyLimit", + value=xccdf_value("var_rekey_limit_size") ~ " " ~ xccdf_value("var_rekey_limit_time"), + config_is_distributed=(sshd_distributed_config == "true")) }}} srg_requirement: '{{{ full_name }}} must force a frequent session key renegotiation for SSH connections to the server.' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml index c4f7f309a530..d5a4b06fe916 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml @@ -1,3 +1,6 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} <def-group> <definition class="compliance" id="sshd_set_idle_timeout" version="1"> {{{ oval_metadata("The SSH idle timeout interval should be set to an @@ -53,7 +56,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="2"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> @@ -67,7 +70,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_idle_timeout_config_dir" version="2"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> @@ -76,7 +79,7 @@ {{%- if product in ["ol8", "ol9"] %}} <ind:textfilecontent54_object id="obj_sshd_include_value_sshd_idle_timeout" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">(?i)^\s*Include\s+(.*)$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
@@ -84,7 +87,7 @@ <local_variable id="var_sshd_config_included_files_sshd_idle_timeout" datatype="string" version="1" comment="Include value converted to regex"> <concat> - <literal_component>^(/etc/ssh/(?!/))?</literal_component> + <literal_component>^({{{ sshd_base_dir }}}/(?!/))?</literal_component> <substring substring_start="2" substring_length="-1"> <unique> <glob_to_regex> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml new file mode 100644 index 000000000000..9c2ae2f9a78a --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml 
@@ -0,0 +1,153 @@ +<def-group> + <definition class="compliance" id="sshd_set_idle_timeout" version="1"> + {{{ oval_metadata("The SSH idle timeout interval should be set to an appropriate value.", rule_title=rule_title) }}} + <criteria comment="SSH is configured correctly or is not installed" operator="OR"> + <criteria comment="sshd is not installed" operator="AND"> + <extend_definition comment="sshd is not required or requirement is unset" definition_ref="sshd_not_required_or_unset"/> + <extend_definition comment="rpm package openssh-server removed" definition_ref="package_openssh-server_removed"/> + </criteria> + <criteria comment="sshd is installed and configured using /etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset"/> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed"/> + <criteria comment="ClientAliveInterval is configured correctly in /etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/> + <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config" test_ref="test_sshd_idle_timeout_etc" /> + <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_config_dir"/> + <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_clientaliveinterval_present_etc" /> + </criteria> + </criteria> + <criteria comment="sshd is installed and configured using /usr/etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset" /> + <extend_definition comment="rpm package openssh-server installed" 
definition_ref="package_openssh-server_installed" /> + <criteria comment="ClientAliveInterval is configured correctly in /usr/etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config" test_ref="test_sshd_idle_timeout_usr" /> + <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_config_dir"/> + <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_clientaliveinterval_present_usr" /> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="timeout is configured in /etc/ssh/sshd_config" + id="test_sshd_idle_timeout_etc" version="1"> + <ind:object object_ref="object_sshd_idle_timeout_etc" /> + <ind:state state_ref="state_timeout_value_upper_bound" /> + <ind:state state_ref="state_timeout_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_idle_timeout_etc" version="2"> + <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater 
than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="timeout is configured in /usr/etc/ssh/sshd_config" + id="test_sshd_idle_timeout_usr" version="1"> + <ind:object object_ref="object_sshd_idle_timeout_usr" /> + <ind:state state_ref="state_timeout_value_upper_bound" /> + <ind:state state_ref="state_timeout_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_idle_timeout_usr" version="2"> + <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="timeout is configured in config directory /etc/ssh/sshd_config.d" + id="test_sshd_idle_timeout_config_dir" version="1"> + <ind:object object_ref="object_sshd_idle_timeout_config_dir" /> + <ind:state state_ref="state_timeout_value_upper_bound" /> + <ind:state state_ref="state_timeout_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_idle_timeout_config_dir" version="2"> + <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="timeout is configured in config directory /usr/etc/ssh/sshd_config.d" + id="test_sshd_idle_timeout_usr_config_dir" version="1"> + <ind:object object_ref="object_sshd_idle_timeout_usr_config_dir" /> + <ind:state state_ref="state_timeout_value_upper_bound" /> + 
<ind:state state_ref="state_timeout_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_idle_timeout_usr_config_dir" version="2"> + <ind:path>/usr/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds" + id="state_timeout_value_upper_bound" version="1"> + <ind:subexpression datatype="int" operation="less than or equal" var_check="all" + var_ref="sshd_idle_timeout_value" /> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds" + id="state_timeout_value_lower_bound" version="1"> + <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_test id="test_clientaliveinterval_present_etc" version="1" + check="all" check_existence="at_least_one_exists" + comment="Verify that the value of ClientAliveInterval is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_idle_timeout" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_idle_timeout" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_idle_timeout_etc</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_idle_timeout_config_dir</object_reference> + <object_reference>object_sshd_idle_timeout_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test id="test_clientaliveinterval_present_usr" version="1" + check="all" check_existence="at_least_one_exists" + 
comment="Verify that the value of ClientAliveInterval is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_idle_timeout_usr" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_idle_timeout_usr" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_idle_timeout_usr</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_idle_timeout_config_dir</object_reference> + <object_reference>object_sshd_idle_timeout_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <external_variable comment="timeout value" datatype="int" id="sshd_idle_timeout_value" version="1" /> + +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml index f1c5911ebcc0..53d51f2abb17 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="{{{rule_id}}}" version="1"> {{{ oval_metadata("The SSH number seconds for login grace time should be set to an @@ -44,7 +46,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_login_grace_time" version="2"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
@@ -59,7 +61,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_set_login_grace_time_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)LoginGraceTime(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml new file mode 100644 index 000000000000..23137efd78b8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml 
@@ -0,0 +1,153 @@ +<def-group> + <definition class="compliance" id="{{{rule_id}}}" version="1"> + {{{ oval_metadata("The SSH number seconds for login grace time should be set to an appropriate value.", rule_title=rule_title) }}} + <criteria comment="SSH is configured correctly or is not installed" operator="OR"> + <criteria comment="sshd is not installed" operator="AND"> + <extend_definition comment="sshd is not required or requirement is unset" definition_ref="sshd_not_required_or_unset"/> + <extend_definition comment="rpm package openssh-server removed" definition_ref="package_openssh-server_removed"/> + </criteria> + <criteria comment="sshd is installed and configured using /etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset"/> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed"/> + <criteria comment="LoginGraceTime is configured correctly in /etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/> + <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config" test_ref="test_sshd_login_grace_time_etc" /> + <criterion comment="Check LoginGraceTime in /etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_config_dir"/> + <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_login_grace_time_present_etc" /> + </criteria> + </criteria> + <criteria comment="sshd is installed and configured using /usr/etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset" /> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed" 
/> + <criteria comment="LoginGraceTime is configured correctly in /usr/etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config" test_ref="test_sshd_login_grace_time_usr" /> + <criterion comment="Check LoginGraceTime in /etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_config_dir"/> + <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_login_grace_time_present_usr" /> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="LoginGraceTime is configured in /etc/ssh/sshd_config" + id="test_sshd_login_grace_time_etc" version="1"> + <ind:object object_ref="object_sshd_login_grace_time_etc" /> + <ind:state state_ref="state_login_grace_time_value_upper_bound" /> + <ind:state state_ref="state_login_grace_time_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_login_grace_time_etc" version="2"> + <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" 
datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="LoginGraceTime is configured in /usr/etc/ssh/sshd_config" + id="test_sshd_login_grace_time_usr" version="1"> + <ind:object object_ref="object_sshd_login_grace_time_usr" /> + <ind:state state_ref="state_login_grace_time_value_upper_bound" /> + <ind:state state_ref="state_login_grace_time_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_login_grace_time_usr" version="2"> + <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="LoginGraceTime is configured in drop-in directory /etc/ssh/sshd_config.d" + id="test_sshd_login_grace_time_config_dir" version="1"> + <ind:object object_ref="object_sshd_login_grace_time_config_dir" /> + <ind:state state_ref="state_login_grace_time_value_upper_bound" /> + <ind:state state_ref="state_login_grace_time_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_login_grace_time_config_dir" version="2"> + <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="LoginGraceTime is configured in included directory /usr/etc/ssh/sshd_config.d" + id="test_sshd_login_grace_time_usr_config_dir" version="1"> + <ind:object object_ref="object_sshd_login_grace_time_usr_config_dir" /> + 
<ind:state state_ref="state_login_grace_time_value_upper_bound" /> + <ind:state state_ref="state_login_grace_time_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_login_grace_time_usr_config_dir" version="2"> + <ind:path>/usr/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state comment="upper bound of LoginGraceTime in seconds" + id="state_login_grace_time_value_upper_bound" version="1"> + <ind:subexpression datatype="int" operation="less than or equal" var_check="all" + var_ref="var_sshd_set_login_grace_time" /> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_state comment="lower bound of LoginGraceTime in seconds" + id="state_login_grace_time_value_lower_bound" version="1"> + <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_test id="test_login_grace_time_present_etc" version="1" + check="all" check_existence="at_least_one_exists" + comment="Verify that the value of LoginGraceTime is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_login_grace_time" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_login_grace_time" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_login_grace_time_etc</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_login_grace_time_config_dir</object_reference> + <object_reference>object_sshd_login_grace_time_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test 
id="test_login_grace_time_present_usr" version="1" + check="all" check_existence="at_least_one_exists" + comment="Verify that the value of LoginGraceTime is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_login_grace_time_usr" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_login_grace_time_usr" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_login_grace_time_usr</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_login_grace_time_config_dir</object_reference> + <object_reference>object_sshd_login_grace_time_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <external_variable comment="logingracetime value" datatype="int" id="var_sshd_set_login_grace_time" version="1" /> + +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..a0f68b4a5ccb --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +echo "LoginGraceTime 60" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh new file mode 100644 index 000000000000..b80e3832b591 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh 
@@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +touch /etc/ssh/sshd_config +echo "LoginGraceTime 1" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh new file mode 100644 index 000000000000..3ed15582de0b --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +echo "LoginGraceTime 1" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..1e72b109d85e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +echo "LoginGraceTime 60" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh new file mode 100644 index 000000000000..aee5eb2d0bec --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh 
@@ -0,0 +1,15 @@ +#!/bin/bash + +declare -a SSHD_PATHS=("/etc/ssh/sshd_config") +{{% if product == 'sle16' %}} +SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*) +{{% endif %}} +# clean up configurations +sed -i '/^LoginGraceTime.*/d' "${SSHD_PATHS[@]}" + +# restore to defaults for sle16 +{{% if product == 'sle16' %}} +if [ -e "/etc/ssh/sshd_config" ] ; then + rm /etc/ssh/sshd_config +fi +{{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh index f5236501ca01..809d3c1f4659 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# profiles = xccdf_org.ssgproject.content_profile_cis +# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4 # platform = multi_platform_all SSHD_CONFIG="/etc/ssh/sshd_config" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh index 63a0aee97f7d..738969589112 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# profiles = xccdf_org.ssgproject.content_profile_cis +# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4 # platform = multi_platform_all SSHD_CONFIG="/etc/ssh/sshd_config" 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh index 6d109091b8b9..959f7d699345 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# profiles = xccdf_org.ssgproject.content_profile_cis +# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4 # platform = multi_platform_all SSHD_CONFIG="/etc/ssh/sshd_config" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..35ea7b48f5f4 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +echo "LoginGraceTime 61" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh new file mode 100644 index 000000000000..7010af0181bd --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +echo "LoginGraceTime 61" >> /usr/etc/ssh/sshd_config 
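Review bot: `too_high_usr_etc_sshd_config.fail.sh` writes `LoginGraceTime 61`, and the sibling `correct_value_*` scenarios write `60` or `1`, without a `# variables = var_sshd_set_login_grace_time=...` header, so whether 61 is "too high" depends on the variable's default rather than on the scenario; the MaxAuthTries scenarios later in this patch pin `# variables = sshd_max_auth_tries_value=4`, and these should pin `var_sshd_set_login_grace_time=60` the same way. The drop-in variants also `echo ... >> /etc/ssh/sshd_config.d/01-complianceascode.conf` right after `include.sh` has removed `/etc/ssh/sshd_config`, which assumes `/etc/ssh/sshd_config.d/` already exists on the SLE 16 test image; an `mkdir -p` of both drop-in directories in `include.sh` would make that assumption explicit.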
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..1cdd63bb777a --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_usr_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +source include.sh + +echo "LoginGraceTime 61" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml index 117054f7f9eb..ce045e925251 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="{{{rule_id}}}" version="1"> {{{ oval_metadata("The SSH MaxAuthTries should be set to an @@ -44,7 +46,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_max_auth_tries" version="2"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
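Review bot: `{{%- set sshd_main_config = sshd_main_config_file -%}}` and `{{%- set sshd_drop_in_dir = sshd_config_dir -%}}` only alias two product variables that are each used once (`<ind:filepath>{{{ sshd_main_config }}}</ind:filepath>` here and the `<ind:path>` in the next hunk), so `{{{ sshd_main_config_file }}}` and `{{{ sshd_config_dir }}}` inline would read more directly. The point that matters is that neither substitution has a fallback: a product that builds this rule without `sshd_main_config_file` / `sshd_config_dir` in its `product.yml` ends up with an empty `<ind:filepath>` or a template error where the hunk used to hard-code `/etc/ssh/sshd_config`. Either confirm both variables are defined for every product that includes `sshd_set_max_auth_tries`, or use `| default('/etc/ssh/sshd_config')` and `| default('/etc/ssh/sshd_config.d')` so the values removed by this hunk remain the default.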
@@ -59,7 +61,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_set_max_auth_tries_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)MaxAuthTries(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml new file mode 100644 index 000000000000..a9452bfb71aa --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/sle16.xml 
@@ -0,0 +1,153 @@ +<def-group> + <definition class="compliance" id="{{{rule_id}}}" version="1"> + {{{ oval_metadata("The SSH MaxAuthTries should be set to an appropriate value.", rule_title=rule_title) }}} + <criteria comment="SSH is configured correctly or is not installed" operator="OR"> + <criteria comment="sshd is not installed" operator="AND"> + <extend_definition comment="sshd is not required or requirement is unset" definition_ref="sshd_not_required_or_unset"/> + <extend_definition comment="rpm package openssh-server removed" definition_ref="package_openssh-server_removed"/> + </criteria> + <criteria comment="sshd is installed and configured using /etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset"/> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed"/> + <criteria comment="MaxAuthTries is configured correctly in /etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/> + <criterion comment="Check MaxAuthTries in /usr/etc/ssh/sshd_config" test_ref="test_sshd_max_auth_tries_etc" /> + <criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config.d/" test_ref="test_sshd_max_auth_tries_config_dir"/> + <criterion comment="Check MaxAuthTries in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_max_auth_tries_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_max_auth_tries_present_etc" /> + </criteria> + </criteria> + <criteria comment="sshd is installed and configured using /usr/etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset" /> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed" /> + <criteria comment="MaxAuthTries 
is configured correctly in /usr/etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criterion comment="Check MaxAuthTries in /usr/etc/ssh/sshd_config" test_ref="test_sshd_max_auth_tries_usr" /> + <criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config.d/" test_ref="test_sshd_max_auth_tries_config_dir"/> + <criterion comment="Check MaxAuthTries in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_max_auth_tries_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_max_auth_tries_present_usr" /> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxAuthTries is configured in /etc/ssh/sshd_config" + id="test_sshd_max_auth_tries_etc" version="1"> + <ind:object object_ref="object_sshd_max_auth_tries_etc" /> + <ind:state state_ref="state_max_auth_tries_value_upper_bound" /> + <ind:state state_ref="state_max_auth_tries_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_auth_tries_etc" version="2"> + <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + 
<ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxAuthTries is configured in /usr/etc/ssh/sshd_config" + id="test_sshd_max_auth_tries_usr" version="1"> + <ind:object object_ref="object_sshd_max_auth_tries_usr" /> + <ind:state state_ref="state_max_auth_tries_value_upper_bound" /> + <ind:state state_ref="state_max_auth_tries_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_auth_tries_usr" version="2"> + <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxAuthTries is configured in drop-in directory /etc/ssh/sshd_config.d" + id="test_sshd_max_auth_tries_config_dir" version="1"> + <ind:object object_ref="object_sshd_max_auth_tries_config_dir" /> + <ind:state state_ref="state_max_auth_tries_value_upper_bound" /> + <ind:state state_ref="state_max_auth_tries_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_auth_tries_config_dir" version="2"> + <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxAuthTries is configured in included directory /usr/etc/ssh/sshd_config.d" + id="test_sshd_max_auth_tries_usr_config_dir" version="1"> + <ind:object object_ref="object_sshd_max_auth_tries_usr_config_dir" /> + <ind:state state_ref="state_max_auth_tries_value_upper_bound" /> + <ind:state 
state_ref="state_max_auth_tries_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_auth_tries_usr_config_dir" version="2"> + <ind:path>/usr/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state comment="upper bound of MaxAuthTries in number of sessions" + id="state_max_auth_tries_value_upper_bound" version="1"> + <ind:subexpression datatype="int" operation="less than or equal" var_check="all" + var_ref="sshd_max_auth_tries_value" /> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_state comment="lower bound of MaxAuthTries in number of sessions" + id="state_max_auth_tries_value_lower_bound" version="1"> + <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_test id="test_max_auth_tries_present_etc" version="1" + check="all" check_existence="at_least_one_exists" + comment="Verify that the value of MaxAuthTries is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_max_auth_tries" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_max_auth_tries" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_max_auth_tries_etc</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_max_auth_tries_config_dir</object_reference> + <object_reference>object_sshd_max_auth_tries_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test id="test_max_auth_tries_present_usr" version="1" + check="all" check_existence="at_least_one_exists" + 
comment="Verify that the value of MaxAuthTries is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_max_auth_tries_usr" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_max_auth_tries_usr" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_max_auth_tries_usr</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_max_auth_tries_config_dir</object_reference> + <object_reference>object_sshd_max_auth_tries_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <external_variable comment="MaxAuthTries value" datatype="int" id="sshd_max_auth_tries_value" version="1" /> + +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..4262a6713622 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +echo "MaxAuthTries 4" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh new file mode 100644 index 000000000000..7b327ed220ce --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh 
@@ -0,0 +1,7 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +touch /etc/ssh/sshd_config +echo "MaxAuthTries 4" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh new file mode 100644 index 000000000000..d902aa806c16 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +echo "MaxAuthTries 4" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..0c0ad79ef4fe --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +echo "MaxAuthTries 4" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh new file mode 100644 index 000000000000..9790bbcd68d0 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/include.sh 
@@ -0,0 +1,15 @@ +#!/bin/bash + +declare -a SSHD_PATHS=("/etc/ssh/sshd_config") +{{% if product == 'sle16' %}} +SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*) +{{% endif %}} +# clean up configurations +sed -i '/^MaxAuthTries.*/d' "${SSHD_PATHS[@]}" + +# restore to defaults for sle16 +{{% if product == 'sle16' %}} +if [ -e "/etc/ssh/sshd_config" ] ; then + rm /etc/ssh/sshd_config +fi +{{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..41136d9eb40b --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +echo "MaxAuthTries 20" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh new file mode 100644 index 000000000000..218e4deb2407 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +echo "MaxAuthTries 5" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..753e15c14404 --- /dev/null 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_max_auth_tries_value=4 +source include.sh + +echo "MaxAuthTries 0" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml index 0eff641eb037..207e84401ee0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="{{{rule_id}}}" version="1"> {{{ oval_metadata("The SSH number of max sessions should be set to an @@ -44,7 +46,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_max_sessions" version="2"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> @@ -59,7 +61,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_set_max_sessions_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)MaxSessions(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> 
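Review bot: the same remarks as on the `sshd_set_max_auth_tries/oval/shared.xml` hunk apply to these two hunks: the `set` aliases are used once each, and `sshd_main_config_file` / `sshd_config_dir` carry no `default(...)` for products that do not define them. While `obj_sshd_set_max_sessions_config_dir` is being touched, its pattern `^[ \t]*(?i)MaxSessions(?-i)[ \t]+(.+?)[ \t]*(?:$|#)` captures any token, whereas `object_sshd_max_sessions` in the previous hunk captures `(\d+)`; a non-numeric token such as `MaxSessions none` in a drop-in then reaches the integer comparison in the state instead of simply not matching, so using `(\d+)` in both objects would give a clean fail rather than an evaluation error.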
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml new file mode 100644 index 000000000000..3acd7b75327d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/sle16.xml 
@@ -0,0 +1,153 @@ +<def-group> + <definition class="compliance" id="{{{rule_id}}}" version="1"> + {{{ oval_metadata("The SSH MaxSessions should be set to an appropriate value.", rule_title=rule_title) }}} + <criteria comment="SSH is configured correctly or is not installed" operator="OR"> + <criteria comment="sshd is not installed" operator="AND"> + <extend_definition comment="sshd is not required or requirement is unset" definition_ref="sshd_not_required_or_unset"/> + <extend_definition comment="rpm package openssh-server removed" definition_ref="package_openssh-server_removed"/> + </criteria> + <criteria comment="sshd is installed and configured using /etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset"/> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed"/> + <criteria comment="MaxSessions is configured correctly in /etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/> + <criterion comment="Check MaxSessions in /usr/etc/ssh/sshd_config" test_ref="test_sshd_max_session_etc" /> + <criterion comment="Check MaxSessions in /etc/ssh/sshd_config.d/" test_ref="test_sshd_max_session_config_dir"/> + <criterion comment="Check MaxSessions in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_max_session_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_max_session_present_etc" /> + </criteria> + </criteria> + <criteria comment="sshd is installed and configured using /usr/etc/ssh/sshd_config" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset" /> + <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed" /> + <criteria comment="MaxSessions is configured 
correctly in /usr/etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criterion comment="Check MaxSessions in /usr/etc/ssh/sshd_config" test_ref="test_sshd_max_session_usr" /> + <criterion comment="Check MaxSessions in /etc/ssh/sshd_config.d/" test_ref="test_sshd_max_session_config_dir"/> + <criterion comment="Check MaxSessions in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_max_session_usr_config_dir"/> + <criterion comment="the configuration exists" test_ref="test_max_session_present_usr" /> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxSessions is configured in /etc/ssh/sshd_config" + id="test_sshd_max_session_etc" version="1"> + <ind:object object_ref="object_sshd_max_session_etc" /> + <ind:state state_ref="state_max_session_value_upper_bound" /> + <ind:state state_ref="state_max_session_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_session_etc" version="2"> + <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" 
check_existence="any_exist" + comment="MaxSessions is configured in /usr/etc/ssh/sshd_config" + id="test_sshd_max_session_usr" version="1"> + <ind:object object_ref="object_sshd_max_session_usr" /> + <ind:state state_ref="state_max_session_value_upper_bound" /> + <ind:state state_ref="state_max_session_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_session_usr" version="2"> + <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxSessions is configured in drop-in directory /etc/ssh/sshd_config.d" + id="test_sshd_max_session_config_dir" version="1"> + <ind:object object_ref="object_sshd_max_session_config_dir" /> + <ind:state state_ref="state_max_session_value_upper_bound" /> + <ind:state state_ref="state_max_session_value_lower_bound" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_sshd_max_session_config_dir" version="2"> + <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="MaxSessions is configured in included directory /usr/etc/ssh/sshd_config.d" + id="test_sshd_max_session_usr_config_dir" version="1"> + <ind:object object_ref="object_sshd_max_session_usr_config_dir" /> + <ind:state state_ref="state_max_session_value_upper_bound" /> + <ind:state state_ref="state_max_session_value_lower_bound" /> + </ind:textfilecontent54_test> + + 
<ind:textfilecontent54_object id="object_sshd_max_session_usr_config_dir" version="2"> + <ind:path>/usr/etc/ssh/sshd_config.d</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state comment="upper bound of MaxSessions in number of sessions" + id="state_max_session_value_upper_bound" version="1"> + <ind:subexpression datatype="int" operation="less than or equal" var_check="all" + var_ref="var_sshd_max_sessions" /> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_state comment="lower bound of MaxSessions in number of sessions" + id="state_max_session_value_lower_bound" version="1"> + <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_test id="test_max_session_present_etc" version="1" + check="all" check_existence="at_least_one_exists" + comment="Verify that the value of MaxSessions is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_max_session" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_max_session" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_max_session_etc</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_max_session_config_dir</object_reference> + <object_reference>object_sshd_max_session_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test id="test_max_session_present_usr" version="1" + check="all" check_existence="at_least_one_exists" + comment="Verify that the value of MaxSessions is present"> + <ind:object object_ref="obj_collection_obj_sshd_set_max_session_usr" /> 
+ </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_max_session_usr" version="1"> + <set set_operator="UNION"> + <set set_operator="UNION"> + <object_reference>object_sshd_max_session_usr</object_reference> + </set> + <set set_operator="UNION"> + <object_reference>object_sshd_max_session_config_dir</object_reference> + <object_reference>object_sshd_max_session_usr_config_dir</object_reference> + </set> + </set> + </ind:textfilecontent54_object> + + <external_variable comment="MaxSessions value" datatype="int" id="var_sshd_max_sessions" version="1" /> + +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..7fdb6123803b --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +echo "MaxSessions 4" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh new file mode 100644 index 000000000000..7f19908dcaea --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +touch /etc/ssh/sshd_config +echo "MaxSessions 4" >> /usr/etc/ssh/sshd_config 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh new file mode 100644 index 000000000000..180bd49bed98 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +echo "MaxSessions 4" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..622d36446727 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +echo "MaxSessions 4" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh new file mode 100644 index 000000000000..4c8d058295d8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/include.sh 
@@ -0,0 +1,15 @@ +#!/bin/bash + +declare -a SSHD_PATHS=("/etc/ssh/sshd_config") +{{% if product == 'sle16' %}} +SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*) +{{% endif %}} +# clean up configurations +sed -i '/^MaxSessions.*/d' "${SSHD_PATHS[@]}" + +# restore to defaults for sle16 +{{% if product == 'sle16' %}} +if [ -e "/etc/ssh/sshd_config" ] ; then + rm /etc/ssh/sshd_config +fi +{{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..606d55099420 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +echo "MaxSessions 20" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh new file mode 100644 index 000000000000..fe6f5a820988 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +echo "MaxSessions 5" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..0c07b9608d42 --- /dev/null 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_max_sessions=4 +source include.sh + +echo "MaxSessions 10" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml new file mode 100644 index 000000000000..5ca10680c2a8 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml 
@@ -0,0 +1,151 @@ +<def-group> + <definition class="compliance" id="{{{ rule_id }}}" version="2"> + {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.", rule_title=rule_title) }}} + <criteria operator="OR" comment="sshd MaxStartups parameter is properly configured if sshd is installed"> + <criteria operator="AND" comment="sshd is not installed"> + <extend_definition definition_ref="sshd_not_required_or_unset" + comment="sshd is not required or requirement is unset"/> + <extend_definition definition_ref="package_openssh-server_removed" + comment="rpm package openssh-server is removed"/> + </criteria> + <criteria operator="OR"> + <criteria comment="MaxStartups is configured correctly in /etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/> + <criterion test_ref="tst_maxstartups_start_parameter" comment="SSH MaxStartups start parameter is less than or equal to 10"/> + <criterion test_ref="tst_maxstartups_rate_parameter" comment="SSH MaxStartups rate parameter is greater than or equal to 30"/> + <criterion test_ref="tst_maxstartups_full_parameter" comment="SSH MaxStartups full parameter is less than or equal to 100"/> + </criteria> + <criteria comment="MaxStartups is configured correctly in /usr/etc/ssh/sshd_config" operator="AND"> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criterion test_ref="tst_maxstartups_start_parameter_usr" comment="SSH MaxStartups start parameter is less than or equal to 10"/> + <criterion test_ref="tst_maxstartups_rate_parameter_usr" comment="SSH MaxStartups rate parameter is greater than or equal to 30"/> + <criterion test_ref="tst_maxstartups_full_parameter_usr" comment="SSH MaxStartups full parameter is less than or equal to 100"/> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test 
check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + <ind:textfilecontent54_test id="tst_maxstartups_start_parameter" version="2" + check="all" check_existence="at_least_one_exists" + comment="SSH MaxStartups start parameter is less than or equal to the expected value"> + <ind:object object_ref="obj_sshd_config_maxstartups_first_parameter"/> + <ind:state state_ref="ste_sshd_config_start_parameter_valid"/> + </ind:textfilecontent54_test> + <ind:textfilecontent54_test id="tst_maxstartups_rate_parameter" version="2" + check="all" check_existence="at_least_one_exists" + comment="SSH MaxStartups rate parameter is greater than or equal to the expected value"> + <ind:object object_ref="obj_sshd_config_maxstartups_second_parameter"/> + <ind:state state_ref="ste_sshd_config_rate_parameter_valid"/> + </ind:textfilecontent54_test> + <ind:textfilecontent54_test id="tst_maxstartups_full_parameter" version="2" + check="all" check_existence="at_least_one_exists" + comment="SSH MaxStartups full parameter is less than or equal to the expected value"> + <ind:object object_ref="obj_sshd_config_maxstartups_third_parameter"/> + <ind:state state_ref="ste_sshd_config_full_parameter_valid"/> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_first_parameter" version="2"> + <ind:path operation="pattern match">^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename> + <ind:pattern operation="pattern match" 
datatype="string">(?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_second_parameter" version="2"> + <ind:path operation="pattern match">^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename> + <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_third_parameter" version="2"> + <ind:path operation="pattern match">^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename> + <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test id="tst_maxstartups_start_parameter_usr" version="2" + check="all" check_existence="at_least_one_exists" + comment="SSH MaxStartups start parameter is less than or equal to the expected value"> + <ind:object object_ref="obj_sshd_config_maxstartups_first_parameter_usr"/> + <ind:state state_ref="ste_sshd_config_start_parameter_valid"/> + </ind:textfilecontent54_test> + <ind:textfilecontent54_test id="tst_maxstartups_rate_parameter_usr" version="2" + check="all" check_existence="at_least_one_exists" + comment="SSH MaxStartups rate parameter is greater than or equal to the expected value"> + <ind:object object_ref="obj_sshd_config_maxstartups_second_parameter_usr"/> + <ind:state state_ref="ste_sshd_config_rate_parameter_valid"/> + 
</ind:textfilecontent54_test> + <ind:textfilecontent54_test id="tst_maxstartups_full_parameter_usr" version="2" + check="all" check_existence="at_least_one_exists" + comment="SSH MaxStartups full parameter is less than or equal to the expected value"> + <ind:object object_ref="obj_sshd_config_maxstartups_third_parameter_usr"/> + <ind:state state_ref="ste_sshd_config_full_parameter_valid"/> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_first_parameter_usr" version="2"> + <ind:path operation="pattern match">^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename> + <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_second_parameter_usr" version="2"> + <ind:path operation="pattern match">^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename> + <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_third_parameter_usr" version="2"> + <ind:path operation="pattern match">^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename> + <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + 
+ <external_variable id="var_sshd_set_maxstartups" version="1" + datatype="string" comment="Expected value for MaxStartups parameter"/> + + <local_variable id="var_sshd_set_maxstartups_first" version="1" datatype="int" + comment="First number from MaxStartup parameter value."> + <regex_capture pattern="(\d+):\d+:\d+"> + <variable_component var_ref="var_sshd_set_maxstartups"/> + </regex_capture> + </local_variable> + <local_variable id="var_sshd_set_maxstartups_second" version="1" datatype="int" + comment="Second number from MaxStartup parameter value."> + <regex_capture pattern="\d+:(\d+):\d+"> + <variable_component var_ref="var_sshd_set_maxstartups"/> + </regex_capture> + </local_variable> + <local_variable id="var_sshd_set_maxstartups_third" version="1" datatype="int" + comment="Third number from MaxStartup parameter value."> + <regex_capture pattern="\d+:\d+:(\d+)"> + <variable_component var_ref="var_sshd_set_maxstartups" /> + </regex_capture> + </local_variable> + + <ind:textfilecontent54_state id="ste_sshd_config_start_parameter_valid" version="2"> + <ind:subexpression datatype="int" operation="less than or equal" + var_ref="var_sshd_set_maxstartups_first"/> + </ind:textfilecontent54_state> + <ind:textfilecontent54_state id="ste_sshd_config_rate_parameter_valid" version="2"> + <ind:subexpression datatype="int" operation="greater than or equal" + var_ref="var_sshd_set_maxstartups_second"/> + </ind:textfilecontent54_state> + <ind:textfilecontent54_state id="ste_sshd_config_full_parameter_valid" version="2"> + <ind:subexpression datatype="int" operation="less than or equal" + var_ref="var_sshd_set_maxstartups_third"/> + </ind:textfilecontent54_state> + +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..fc6371be73be 
--- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh new file mode 100644 index 000000000000..6905e07c838e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +touch /etc/ssh/sshd_config +echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh new file mode 100644 index 000000000000..0a93fe6e32ec --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..d2835b507b40 --- /dev/null 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh new file mode 100644 index 000000000000..1f5b69d60b54 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +declare -a SSHD_PATHS=("/etc/ssh/sshd_config") +{{% if product == 'sle16' %}} +SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*) +{{% endif %}} +# clean up configurations +sed -i '/^MaxStartups.*/d' "${SSHD_PATHS[@]}" + +# restore to defaults for sle16 +{{% if product == 'sle16' %}} +if [ -e "/etc/ssh/sshd_config" ] ; then + rm /etc/ssh/sshd_config +fi +{{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..39d6dae3afc2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +echo "MaxStartups 10:30:61" >> /etc/ssh/sshd_config.d/01-complianceascode.conf 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh new file mode 100644 index 000000000000..9bfce7c33062 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +echo "MaxStartups 10:29:60" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..a0781811a3a3 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = var_sshd_set_maxstartups=10:30:60 +source include.sh + +echo "MaxStartups 11:30:60">> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh index 5163c19d87f8..0c9d1b452478 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh 
@@ -2,4 +2,8 @@ {{{ bash_instantiate_variables("sshd_approved_ciphers") }}} -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Ciphers', "$sshd_approved_ciphers", '%s %s', cce_identifiers=cce_identifiers) }}} +{{{ bash_sshd_remediation( + parameter="Ciphers", + value="$sshd_approved_ciphers", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml index ec798161c368..52ca8097c258 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} <def-group> <definition class="compliance" id="sshd_use_approved_ciphers" version="1"> {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -36,7 +37,7 @@ </ind:variable_state> <ind:textfilecontent54_object id="obj_sshd_config_ciphers" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml index f6dc16cfe0cf..c642d4c55fb4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml 
@@ -8,11 +8,5 @@ {{{ ansible_instantiate_variables('sshd_approved_ciphers') }}} {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- else %}} -- name: "Configure sshd to use approved ciphers" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' - state: present - regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' - create: True +{{{ ansible_sshd_set(parameter="Ciphers", value="aes256-ctr,aes192-ctr,aes128-ctr", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh index 680c9db7adac..cedc3c42510b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh @@ -1,7 +1,7 @@ # platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro -if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then - sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config -else - echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation( + parameter="Ciphers", + value="aes256-ctr,aes192-ctr,aes128-ctr", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml index b32003ca96ae..452e2c8e1d0f 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} <def-group> <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1"> {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -27,7 +28,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml index 384c5f6589fa..9301044fa185 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml @@ -5,6 +5,8 @@ {{%- else %}} {{%- set sshd_approved_ciphers = "aes256-ctr,aes192-ctr,aes128-ctr" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} 
@@ -43,7 +45,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> @@ -56,7 +58,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml index c04eaa8df1f4..b4be9801bb8c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml @@ -1,5 +1,5 @@ {{%- if product == 'ubuntu2204' %}} -{{%- set sshd_approved_ciphers = "aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com" %}} +{{%- set sshd_approved_ciphers = "aes256-ctr,aes256-gcm@openssh.com,aes128-ctr,aes128-gcm@openssh.com" %}} {{%- else %}} {{%- set sshd_approved_ciphers = "aes256-ctr,aes192-ctr,aes128-ctr" %}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml index 24f56f81dea1..2ad614753576 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml @@ -4,13 +4,7 @@ # complexity = low # disruption = low -{{% set prefix_conf="^\s*KexAlgorithms\s*" %}} {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"] %}} -- name: "Configure sshd to use FIPS 140-2 approved key exchange algorithms" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'KexAlgorithms {{{ kex_algos|join(",") }}}' - state: present - regexp: '{{{ prefix_conf }}}' - create: True +{{% set approved_kex_algos = kex_algos|join(",") %}} +{{{ ansible_sshd_set(parameter="KexAlgorithms", value=approved_kex_algos, config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh index 155d76cd8a52..eda467ef544e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh @@ -9,10 +9,5 @@ KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellm {{%- if 'ubuntu' in product %}} {{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} {{%- else %}} - -if grep -q -P '^\s*KexAlgorithms\s+' /etc/ssh/sshd_config; then - sed -i "s/^\s*KexAlgorithms.*/KexAlgorithms ${KEX_ALGOS}/" /etc/ssh/sshd_config -else - echo "KexAlgorithms ${KEX_ALGOS}" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} {{%- endif %}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml index 59e39247137d..57adf654f1ca 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml @@ -7,7 +7,7 @@ "diffie-hellman-group18-sha512"] %}} {{% set sufix_conf="(\s.*)?'" %}} {{% elif product in ['ol7', 'sle12', 'sle15', 'slmicro5', 'slmicro6'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set prefix_conf="^\s*KexAlgorithms\s*" %}} {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"] %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml index ea32cfadeb56..52fbf0d0bbb3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml @@ -3,6 +3,8 @@ {{%- else %}} {{%- set sshd_approved_kexalgorithms = "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("Limit the KexAlgorithms to those which are FIPS-approved.", rule_title=rule_title) }}} 
@@ -41,7 +43,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> @@ -54,7 +56,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml index 90e59a76e962..54265ea53bc9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml 
@@ -5,11 +5,11 @@ ",diffie-hellman-group14-sha256,diffie-hellman-group16-sha512" ~ ",diffie-hellman-group18-sha512'" %}} {{% elif product in ['ol7'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set conf="KexAlgorithms ecdh-sha1-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~ ",diffie-hellman-group-exchange-sha256" %}} {{% elif product in ['sle12', 'sle15', 'slmicro5', 'slmicro6', 'ubuntu2204', 'ubuntu2404'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set conf="KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~ ",diffie-hellman-group-exchange-sha256" %}} {{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh index 34025970a52f..6eee376dbf96 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh @@ -2,4 +2,8 @@ {{{ bash_instantiate_variables("sshd_approved_macs") }}} -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "$sshd_approved_macs", '%s %s', cce_identifiers=cce_identifiers) }}} +{{{ bash_sshd_remediation( + parameter="MACs", + value="$sshd_approved_macs", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml index c87db511d054..ce8530423105 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml 
@@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} <def-group> <definition class="compliance" id="sshd_use_approved_macs" version="1"> {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -46,7 +47,7 @@ </ind:variable_state> <ind:textfilecontent54_object id="obj_sshd_config_macs" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml index 0acefd7516c1..c3e236f2fcf6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml @@ -8,11 +8,5 @@ {{{ ansible_instantiate_variables('sshd_approved_macs') }}} {{{ ansible_sshd_set(parameter="Macs", value="{{ sshd_approved_macs }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- else %}} -- name: "Configure sshd to use approved MACs" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'MACs hmac-sha2-512,hmac-sha2-256' - state: present - regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' - create: True +{{{ ansible_sshd_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-256", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- endif %}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh index 0e0205a98818..83cb8cb6e1c9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh @@ -1,7 +1,7 @@ # platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro -if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then - sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config -else - echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation( + parameter="MACs", + value="hmac-sha2-512,hmac-sha2-256", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml index 1b4781ef43d1..158d94d30e2b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} <def-group> <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1"> {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} 
@@ -27,7 +28,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml index cdef6cc539a6..25c618e5ae26 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml @@ -5,6 +5,8 @@ {{%- else %}} {{%- set sshd_approved_macs = "hmac-sha2-512,hmac-sha2-256" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -43,7 +45,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
@@ -56,7 +58,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern> <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh index 9317b23992dc..91548a10db65 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh 
@@ -1,18 +1,21 @@ # platform = multi_platform_all -{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}} -{{% set base_config = "/etc/ssh/sshd_config" -%}} +{{% set base_config = sshd_main_config_file -%}} +{{% set config_dir = sshd_config_dir -%}} +{{% set target_file = config_dir ~ "/sshd_config_original.conf" -%}} +{{% set include_directive = "Include " ~ config_dir ~ "/*.conf" -%}} +{{% set include_regex = "^\\s*Include\\s+" ~ (config_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}} if test -f {{{ target_file}}}; then {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}} -elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then +elif grep -Eq '{{{ include_regex }}}' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}} else - mkdir -p /etc/ssh/sshd_config.d + mkdir -p {{{ config_dir }}} mv {{{ base_config }}} {{{ target_file }}} cat > {{{ base_config }}} << EOF # To modify the system-wide sshd configuration, create a *.conf file under -# /etc/ssh/sshd_config.d/ which will be automatically included below +# {{{ config_dir }}}/ which will be automatically included below -Include /etc/ssh/sshd_config.d/*.conf +{{{ include_directive }}} EOF fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml index a0bf190007d0..055f63c20fd2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml 
@@ -1,4 +1,4 @@ -{{%- set config_path = "/etc/ssh/sshd_config" %}} +{{%- set config_path = sshd_main_config_file %}} <def-group> <definition class="compliance" id="{{{ rule_id }}}" version="1"> @@ -26,4 +26,3 @@ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true, rule_id=rule_id) | indent (2) }}} {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+", rule_id=rule_id) | indent (2) }}} </def-group> - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml index fc2a78f3d79c..82b732e0e66b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/ansible/shared.yml @@ -6,4 +6,22 @@ {{{ ansible_instantiate_variables("sshd_strong_kex") }}} -{{{ ansible_sshd_set(parameter="KexAlgorithms", value="{{ sshd_strong_kex }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} +{{%- if product == 'sle16' -%}} + {{{ + ansible_sshd_set_usr( + parameter="KexAlgorithms", + value="{{ sshd_strong_kex }}", + copy_defaults='true', + rule_title=rule_title + ) + }}} +{{%- else -%}} + {{{ + ansible_sshd_set( + parameter="KexAlgorithms", + value="{{ sshd_strong_kex }}", + config_is_distributed=sshd_distributed_config, + rule_title=rule_title + ) + }}} +{{%- endif -%}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh index e5a56dbfc6ec..de205aedd670 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/bash/shared.sh 
@@ -5,5 +5,22 @@ # disruption = low {{{ bash_instantiate_variables("sshd_strong_kex") }}} -{{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$sshd_strong_kex", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} - +{{%- if product == 'sle16' -%}} + {{{ + bash_sshd_remediation_usr( + parameter="KexAlgorithms", + value="$sshd_strong_kex", + copy_defaults=true, + rule_id=rule_id + ) + }}} +{{%- else -%}} + {{{ + bash_sshd_remediation( + parameter="KexAlgorithms", + value="$sshd_strong_kex", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id + ) + }}} +{{%- endif -%}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml index 9e097ca403a8..b47bab42117f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} <def-group> <definition class="compliance" id="sshd_use_strong_kex" version="1"> {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -52,7 +54,7 @@ </ind:variable_state> <ind:textfilecontent54_object id="obj_sshd_config_kex" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> 
@@ -80,7 +82,7 @@ </ind:variable_state> <ind:textfilecontent54_object id="obj_sshd_config_kex_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml new file mode 100644 index 000000000000..d6c8fb2432cf --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/sle16.xml 
@@ -0,0 +1,171 @@ +<def-group> + <definition class="compliance" id="sshd_use_strong_kex" version="1"> + {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.", rule_title=rule_title) }}} + <criteria comment="SSH is configured correctly or is not installed" + operator="OR"> + <criteria comment="sshd is not installed" operator="AND"> + <extend_definition comment="sshd is not required or requirement is unset" + definition_ref="sshd_not_required_or_unset" /> + <extend_definition comment="package openssh-server removed" + definition_ref="package_openssh-server_removed" /> + </criteria> + <criteria comment="SSH is using /etc/ssh/sshd_config" operator="OR"> + <criteria comment="sshd is installed and configured" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" + definition_ref="sshd_required_or_unset" /> + <extend_definition comment="package openssh-server installed" + definition_ref="package_openssh-server_installed" /> + <criterion comment="SSH configuration /etc/ssh/sshd_config exists" + test_ref="test_etc_ssh_sshd_config_exist"/> + <criterion comment="Check KexAlgorithms in /etc/ssh/sshd_config" + test_ref="test_sshd_use_strong_kex" /> + <criterion comment="Check KexAlgorithms in /etc/ssh/sshd_config.d/ and /usr/etc/ssh/sshd_config.d/" + test_ref="test_sshd_use_strong_kex_config_dir" /> + <criterion comment="the configuration exists" + test_ref="test_sshd_kexalgorithms_exists" /> + </criteria> + <criteria comment="sshd is installed and configured" operator="AND"> + <extend_definition comment="sshd is required or requirement is unset" + definition_ref="sshd_required_or_unset" /> + <extend_definition comment="package openssh-server installed" + definition_ref="package_openssh-server_installed" /> + <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" + test_ref="test_etc_ssh_sshd_config_exist" negate="true"/> + <criterion comment="Check KexAlgorithms in 
/usr/etc/ssh/sshd_config" + test_ref="test_sshd_use_strong_kex_usr" /> + <criterion comment="Check KexAlgorithms in /etc/ssh/sshd_config.d/ and /usr/etc/ssh/sshd_config.d/" + test_ref="test_sshd_use_strong_kex_config_dir" /> + <criterion comment="the configuration exists" + test_ref="test_sshd_kexalgorithms_exists_usr" /> + </criteria> + </criteria> + </criteria> + </definition> + + <unix:file_test check="all" check_existence="all_exist" + comment="SSH configuration /etc/ssh/sshd_config exists" + id="test_etc_ssh_sshd_config_exist" + state_operator="AND" version="1"> + <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/> + </unix:file_test> + <unix:file_object + comment="SSH configuration /etc/ssh/sshd_config exists" + id="obj_etc_ssh_sshd_config_exist" version="1"> + <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath> + </unix:file_object> + + <ind:variable_test check="all" check_existence="any_exist" + comment="tests the value of KexAlgorithms setting in the /etc/ssh/sshd_config file" + id="test_sshd_use_strong_kex" version="1"> + <ind:object object_ref="obj_sshd_use_strong_kex" /> + <ind:state state_ref="ste_sshd_use_strong_kex" /> + </ind:variable_test> + + <ind:variable_object id="obj_sshd_use_strong_kex" version="1"> + <ind:var_ref>var_sshd_config_kex</ind:var_ref> + </ind:variable_object> + + <ind:variable_state comment="approved strong kex" id="ste_sshd_use_strong_kex" version="1"> + <ind:value operation="equals" datatype="string" var_ref="var_sshd_strong_kex" var_check="at least one" /> + </ind:variable_state> + + <local_variable id="var_sshd_config_kex" datatype="string" version="1" comment="KEXs values split on comma"> + <split delimiter=","> + <object_component item_field="subexpression" object_ref="obj_sshd_config_kex" /> + </split> + </local_variable> + + <ind:textfilecontent54_object id="obj_sshd_config_kex" version="1"> + <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern 
match">^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + + <ind:variable_test check="all" check_existence="any_exist" + comment="tests the value of KexAlgorithms setting in the /usr/etc/ssh/sshd_config file" + id="test_sshd_use_strong_kex_usr" version="1"> + <ind:object object_ref="obj_sshd_use_strong_kex_usr" /> + <ind:state state_ref="ste_sshd_use_strong_kex_usr" /> + </ind:variable_test> + + <ind:variable_object id="obj_sshd_use_strong_kex_usr" version="1"> + <ind:var_ref>var_sshd_config_kex_usr</ind:var_ref> + </ind:variable_object> + + <ind:variable_state comment="approved strong kex" id="ste_sshd_use_strong_kex_usr" version="1"> + <ind:value operation="equals" datatype="string" var_ref="var_sshd_strong_kex" var_check="at least one" /> + </ind:variable_state> + + <local_variable id="var_sshd_config_kex_usr" datatype="string" version="1" comment="KEXs values split on comma"> + <split delimiter=","> + <object_component item_field="subexpression" object_ref="obj_sshd_config_kex_usr" /> + </split> + </local_variable> + + <ind:textfilecontent54_object id="obj_sshd_config_kex_usr" version="1"> + <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:variable_test check="all" check_existence="any_exist" + comment="tests the value of KexAlgorithms setting in the /etc/ssh/sshd_config.d dir" + id="test_sshd_use_strong_kex_config_dir" version="1"> + <ind:object object_ref="obj_sshd_use_strong_kex_config_dir" /> + <ind:state state_ref="ste_sshd_use_strong_kex_config_dir" /> + </ind:variable_test> + + <ind:variable_object id="obj_sshd_use_strong_kex_config_dir" version="1"> + 
<ind:var_ref>var_sshd_config_kex_config_dir</ind:var_ref> + </ind:variable_object> + + <ind:variable_state comment="approved strong kex" id="ste_sshd_use_strong_kex_config_dir" version="1"> + <ind:value operation="equals" datatype="string" var_ref="var_sshd_strong_kex" var_check="at least one" /> + </ind:variable_state> + + <ind:textfilecontent54_object id="obj_sshd_config_kex_config_dir" version="1"> + <ind:path operation="pattern match">^(/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path> + <ind:filename operation="pattern match">.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <local_variable id="var_sshd_config_kex_config_dir" datatype="string" version="1" comment="KEXs values split on comma"> + <split delimiter=","> + <object_component item_field="subexpression" object_ref="obj_sshd_config_kex_config_dir" /> + </split> + </local_variable> + + <ind:textfilecontent54_test id="test_sshd_kexalgorithms_exists" version="1" check="all" check_existence="at_least_one_exists" + comment="Verify that the value of KexAlgorithms is present"> + <ind:object object_ref="obj_sshd_kex_all_configs" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" id="obj_sshd_kex_all_configs" version="1"> + <set> + <object_reference>obj_sshd_config_kex</object_reference> + <object_reference>obj_sshd_config_kex_config_dir</object_reference> + </set> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test id="test_sshd_kexalgorithms_exists_usr" version="1" check="all" check_existence="at_least_one_exists" + comment="Verify that the value of KexAlgorithms is present"> + <ind:object object_ref="obj_sshd_kex_all_configs_usr" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object comment="All confs collection" 
id="obj_sshd_kex_all_configs_usr" version="1"> + <set> + <object_reference>obj_sshd_config_kex_usr</object_reference> + <object_reference>obj_sshd_config_kex_config_dir</object_reference> + </set> + </ind:textfilecontent54_object> + + <local_variable id="var_sshd_strong_kex" datatype="string" version="1" comment="approved strong KEX values split on comma"> + <split delimiter=","> + <variable_component var_ref="sshd_strong_kex" /> + </split> + </local_variable> + <external_variable comment="SSH Approved KEX by FIPS" datatype="string" id="sshd_strong_kex" version="1" /> + +</def-group> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..7a794f42a4b1 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 + +source include.sh + +echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh new file mode 100644 index 000000000000..9c44448054f2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh 
@@ -0,0 +1,7 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 +source include.sh + +touch /etc/ssh/sshd_config +echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh new file mode 100644 index 000000000000..0577aad9bd14 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 + +source include.sh + +echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh new file mode 100644 index 000000000000..ab24bed01ba1 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 +source include.sh + +echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh new file mode 100644 index 000000000000..179b7b36e808 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/include.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +declare -a SSHD_PATHS=("/etc/ssh/sshd_config") +{{% if product == 'sle16' %}} +SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*) +{{% endif %}} +# clean up configurations +sed -i '/^KexAlgorithms.*/d' "${SSHD_PATHS[@]}" + +# restore to defaults for sle16 +{{% if product == 'sle16' %}} +if [ -e "/etc/ssh/sshd_config" ] ; then + rm /etc/ssh/sshd_config +fi +{{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..a1a7b95bafff --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 +source include.sh + +echo "KexAlgorithms diffie-hellman-group-exchange-sha1" >> /etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh new file mode 100644 index 000000000000..df52b52f680d --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config.fail.sh 
@@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 +source include.sh + +echo "KexAlgorithms diffie-hellman-group-exchange-sha1" >> /usr/etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh new file mode 100644 index 000000000000..2a71c2a3bd53 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# variables = sshd_strong_kex=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256 +source include.sh + +echo "KexAlgorithms diffie-hellman-group-exchange-sha1" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml index cefbd207730f..c50826514438 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml @@ -1,4 +1,5 @@ -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} <def-group> <definition class="compliance" id="sshd_use_strong_macs" version="1"> 
@@ -56,7 +57,7 @@ </ind:variable_state> <ind:textfilecontent54_object id="obj_sshd_config_strong_macs" version="1"> - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> + <ind:filepath>{{{ sshd_main_config }}}</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> @@ -78,7 +79,7 @@ </ind:variable_state> <ind:textfilecontent54_object id="obj_sshd_config_macs_config_dir" version="1"> - <ind:path>/etc/ssh/sshd_config.d</ind:path> + <ind:path>{{{ sshd_drop_in_dir }}}</ind:path> <ind:filename operation="pattern match">.*\.conf$</ind:filename> <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml index b8240ae667a3..0b43a2b32b1a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml @@ -1,4 +1,5 @@ documentation_complete: true +{{% set sshd_sysconfig = sshd_sysconfig_file %}} # TODO: The plan is not to need this for RHEL>=8.4 # TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more @@ -6,7 +7,7 @@ documentation_complete: true title: 'SSH server uses strong entropy to seed' description: |- - To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file. + To set up SSH server to use entropy from a high-quality source, edit the <tt>{{{ sshd_sysconfig }}}</tt> file. The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so make sure that the file contains line <pre>SSH_USE_STRONG_RNG=32</pre> 
@@ -31,17 +32,17 @@ references: ocil: |- To determine whether the SSH service is configured to use strong entropy seed, - run <pre>$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd</pre> + run <pre>$ sudo grep SSH_USE_STRONG_RNG {{{ sshd_sysconfig }}}</pre> If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, then the option is set correctly. ocil_clause: |- - the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd + the SSH_USE_STRONG_RNG is not set to 32 in {{{ sshd_sysconfig }}} fixtext: |- Configure the {{{ full_name }}} SSH server to use strong entropy. - Add or modify the following line in the "/etc/sysconfig/sshd" file. + Add or modify the following line in the "{{{ sshd_sysconfig }}}" file. SSH_USE_STRONG_RNG=32 @@ -55,7 +56,7 @@ warnings: template: name: shell_lineinfile vars: - path: '/etc/sysconfig/sshd' + path: '{{{ sshd_sysconfig }}}' parameter: 'SSH_USE_STRONG_RNG' value: '32' datatype: int diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var index a684560c93d4..7f0dc16e9ebc 100644 --- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var +++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var @@ -22,3 +22,4 @@ options: cis_ubuntu: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com stig_ubuntu2204: aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com stig_ol9: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr + stig_ol8: aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var index 03f8dee10d54..a0a75f544ff8 100644 --- a/linux_os/guide/services/ssh/sshd_strong_macs.var +++ b/linux_os/guide/services/ssh/sshd_strong_macs.var 
@@ -15,7 +15,7 @@ options: cis_rhel8: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com cis_rhel9: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com cis_rhel10: -hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-sha1-96,umac-64@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,umac-64-etm@openssh.com - cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 + cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 cis_tencentos4: hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com cis_ubuntu2204: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 diff --git a/linux_os/guide/services/sssd/package_sssd_installed/rule.yml b/linux_os/guide/services/sssd/package_sssd_installed/rule.yml index bcb5357c339f..d59ffbd19035 100644 --- a/linux_os/guide/services/sssd/package_sssd_installed/rule.yml +++ b/linux_os/guide/services/sssd/package_sssd_installed/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel8: CCE-82444-1 cce@rhel9: CCE-86083-3 cce@rhel10: CCE-88372-8 + cce@sle16: CCE-96157-3 references: cis-csc: 1,12,15,16,5 diff --git a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml index e5f043748371..aca8c868e2bd 100644 --- a/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml 
+++ b/linux_os/guide/services/sssd/service_sssd_enabled/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel8: CCE-82440-9 cce@rhel9: CCE-86088-2 cce@rhel10: CCE-87447-9 + cce@sle16: CCE-95787-8 platform: system_with_kernel and package[sssd] @@ -38,6 +39,7 @@ template: vars: servicename: sssd packagename: sssd-common + packagename@sle16: sssd warnings: - general: diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml index f8f3cd3e5fff..c7e0de641d6e 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh index d228b8cdb0e4..a55a8e9786c9 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle {{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand", rule_id=rule_id) }}} 
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml index f994c2d74b86..aaec9121386b 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-84062-9 cce@rhel9: CCE-86081-7 cce@rhel10: CCE-87985-8 + cce@sle16: CCE-96327-2 references: nist: SC-12(3),CM-6(a) diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml index 0a1efcabc2aa..1230b6463461 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle # reboot = false # strategy = unknown # complexity = low diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh index 66f05ab54493..4ca2e31d7bc0 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux,multi_platform_sle {{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true", rule_id=rule_id) }}} 
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml index 07df8396e911..5e939e548004 100644 --- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel8: CCE-82437-5 cce@rhel9: CCE-86082-5 cce@rhel10: CCE-87817-3 + cce@sle16: CCE-96464-3 references: cis-csc: 11,12,14,15,3,8,9 diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml index adc81468a3ab..2f481f735f4f 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel8: CCE-82446-6 cce@rhel9: CCE-86087-4 cce@rhel10: CCE-90093-6 + cce@sle16: CCE-96039-3 references: cis-csc: 1,12,15,16,5 diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml index 7b15061e7aa4..c1f5e665bf57 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml 
@@ -1,15 +1,15 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux +# platform = multi_platform_all # reboot = false # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("login_banner_contents") }}} {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] -%}} - name: "{{{ rule_title }}} - Ensure Correct Banner" ansible.builtin.copy: dest: /etc/issue - content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + content: "{{ login_banner_contents | replace('\\n', '\n') }}\n" {{%- else -%}} - name: {{{ rule_title }}} Ensure issue-generator is Installed ansible.builtin.package: @@ -19,7 +19,7 @@ - name: "{{{ rule_title }}} - Ensure Correct Banner" ansible.builtin.copy: dest: /etc/issue.d/99-oscap-setting - content: '{{{ ansible_deregexify_banner_etc_issue("login_banner_text") }}}' + content: "{{ login_banner_contents | replace('\\n', '\n') }}\n" - name: "{{{ rule_title }}} - Restart issue-generator Service on Issue Configuration Change" ansible.builtin.systemd: diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh index 177d34e2a3b7..6d0e75f418fa 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh 
@@ -1,31 +1,11 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux +# platform = multi_platform_all -read -r -d '' login_banner_text <<'EOF' || true -(bash-populate login_banner_text) -EOF - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("login_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -formatted=$(echo "$login_banner_text" | fold -sw 80) +login_banner_contents=$(echo "(bash-populate login_banner_contents)" | sed 's/\\n/\n/g') {{%- if product not in ['sle15', 'slmicro5', 'slmicro6'] %}} -cat <<EOF >/etc/issue -$formatted -EOF +echo "$login_banner_contents" > /etc/issue {{%- else %}} {{{ bash_package_install("issue-generator") }}} -cat <<EOF >/etc/issue.d/99-oscap-setting -$formatted -EOF +echo "$login_banner_contents" > /etc/issue.d/99-oscap-setting {{{ bash_service_command("restart", "issue-generator") }}} {{%- endif -%}} diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh index bc0f5a7a0872..ce541f31864c 100644 
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis_recommended.pass.sh @@ -2,4 +2,4 @@ # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2 # cis_default banner -echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue +echo "Authorized users only. All activity may be monitored and reported." > /etc/issue diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh index 2b775d15e0eb..0623faba0be8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ +# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't. # dod_short banner echo "Hello, how are you" > /etc/issue diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh index 3b8a52eed5d8..b3ea66d844d9 100644 
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ +# variables = login_banner_text=^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$,login_banner_contents=I've read & consent to terms in IS user agreem't. # dod_short banner echo "I've read & consent to terms in IS user agreem't." > /etc/issue diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh new file mode 100644 index 000000000000..59d30c04fdd1 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.fail.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}} +{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}} +# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}} + +cat > /etc/issue <<'EOF' +This is a test banner. +EOF 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh new file mode 100644 index 000000000000..4b9bd219e47e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/custom_banner.pass.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +{{% set ts_custom_banner = "This system is made available by ABCD Inc. exclusively for\nauthorized business use. Use may be monitored for technical or\nregulatory purposes. Do not use this system if you do not consent to\nsuch monitoring.\n\nCe système est mis à disposition par la Société ABCD exclusivement\npour un usage professionnel autorisé. L'utilisation peut faire l'objet\nd'une surveillance pour des raisons techniques ou réglementaires.\nN'utilisez pas ce système si vous n'acceptez pas cette surveillance." %}} +{{% set ts_custom_banner_regex="^This[\s\n]+system[\s\n]+is[\s\n]+made[\s\n]+available[\s\n]+by[\s\n]+ABCD[\s\n]+Inc\.[\s\n]+exclusively[\s\n]+for(?:[\n]+|(?:\\n)+)authorized[\s\n]+business[\s\n]+use\.[\s\n]+Use[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+for[\s\n]+technical[\s\n]+or(?:[\n]+|(?:\\n)+)regulatory[\s\n]+purposes\.[\s\n]+Do[\s\n]+not[\s\n]+use[\s\n]+this[\s\n]+system[\s\n]+if[\s\n]+you[\s\n]+do[\s\n]+not[\s\n]+consent[\s\n]+to(?:[\n]+|(?:\\n)+)such[\s\n]+monitoring\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Ce[\s\n]+système[\s\n]+est[\s\n]+mis[\s\n]+à[\s\n]+disposition[\s\n]+par[\s\n]+la[\s\n]+Société[\s\n]+ABCD[\s\n]+exclusivement(?:[\n]+|(?:\\n)+)pour[\s\n]+un[\s\n]+usage[\s\n]+professionnel[\s\n]+autorisé\.[\s\n]+L'utilisation[\s\n]+peut[\s\n]+faire[\s\n]+l'objet(?:[\n]+|(?:\\n)+)d'une[\s\n]+surveillance[\s\n]+pour[\s\n]+des[\s\n]+raisons[\s\n]+techniques[\s\n]+ou[\s\n]+réglementaires\.(?:[\n]+|(?:\\n)+)N'utilisez[\s\n]+pas[\s\n]+ce[\s\n]+système[\s\n]+si[\s\n]+vous[\s\n]+n'acceptez[\s\n]+pas[\s\n]+cette[\s\n]+surveillance\.$" %}} +# variables = login_banner_contents={{{ ts_custom_banner | replace("\n", "\\n") }}},login_banner_text={{{ ts_custom_banner_regex | replace("\n", "\\n") }}} + +cat > /etc/issue <<'EOF' +{{{ ts_custom_banner }}} +EOF 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml index 828a9a9a0c2d..4a880dccde17 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/ansible/shared.yml @@ -3,9 +3,9 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("remote_login_banner_text") }}} +{{{ ansible_instantiate_variables("remote_login_banner_contents") }}} - name: "{{{ rule_title }}} - ensure correct banner" ansible.builtin.copy: dest: /etc/issue.net - content: '{{{ ansible_deregexify_banner_etc_issue("remote_login_banner_text") }}}' + content: "{{ remote_login_banner_contents | replace('\\n', '\n') }}\n" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh index 52eda0b4a9b6..bef6be11259b 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/bash/shared.sh 
@@ -1,21 +1,4 @@ # platform = multi_platform_all -{{{ bash_instantiate_variables("remote_login_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("remote_login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("remote_login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("remote_login_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("remote_login_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("remote_login_banner_text") }}} -formatted=$(echo "$remote_login_banner_text" | fold -sw 80) - -cat <<EOF >/etc/issue.net -$formatted -EOF +remote_login_banner_contents=$(echo "(bash-populate remote_login_banner_contents)" | sed 's/\\n/\n/g') +echo "$remote_login_banner_contents" > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh index a4d328e76565..5d58cbc2588e 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_cis_recommended.pass.sh 
@@ -2,4 +2,4 @@ # profiles = xccdf_org.ssgproject.content_profile_cis # cis_default banner -echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net +echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh new file mode 100644 index 000000000000..4730f4332b42 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_mingetty.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +echo "System name \s version \s " > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh new file mode 100644 index 000000000000..c579e36e5942 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_osid.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +echo "This system is rhel." > /etc/issue.net 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh new file mode 100644 index 000000000000..a78e272e8d67 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/tests/banner_etc_issue_net_recommended.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# variables = remote_login_banner_text=^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$,remote_login_banner_contents=Authorized users only. All activity may be monitored and reported. + +# cis_default banner +echo "Authorized users only. All activity may be monitored and reported." > /etc/issue.net diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml index 252618dedd57..8a3cc3128262 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml @@ -3,9 +3,9 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("motd_banner_text") }}} +{{{ ansible_instantiate_variables("motd_banner_contents") }}} - name: "{{{ rule_title }}} - ensure correct banner" ansible.builtin.copy: dest: /etc/motd - content: '{{{ ansible_deregexify_banner_etc_issue("motd_banner_text") }}}' + content: "{{ motd_banner_contents | replace('\\n', '\n') }}\n" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh index f8f5e59a2420..1f8d36fe3ce6 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh 
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh @@ -1,21 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_almalinux +# platform = multi_platform_all -{{{ bash_instantiate_variables("motd_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("motd_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("motd_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("motd_banner_text") }}} -# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n") -{{{ bash_deregexify_banner_newline("motd_banner_text", "\\n") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("motd_banner_text") }}} -formatted=$(echo "$motd_banner_text" | fold -sw 80) - -cat <<EOF >/etc/motd -$formatted -EOF +motd_banner_contents=$(echo "(bash-populate motd_banner_contents)" | sed 's/\\n/\n/g') +echo "$motd_banner_contents" > /etc/motd diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml index be13d1d65419..dbfadc63d9ec 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml 
@@ -15,7 +15,7 @@ <unix:filepath>/etc/motd</unix:filepath> </unix:file_object> - <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1"> + <ind:textfilecontent54_test check="at least one" check_existence="at_least_one_exists" comment="correct banner in /etc/motd" id="test_banner_etc_motd" version="1"> <ind:object object_ref="object_banner_etc_motd" /> <ind:state state_ref="state_banner_etc_motd" /> </ind:textfilecontent54_test> diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh index 1cacc28d7328..049470d872e4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis_recommended.pass.sh @@ -2,4 +2,4 @@ # profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2 # cis_default banner -echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd +echo "Authorized users only. All activity may be monitored and reported." > /etc/motd diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh index 8aeedeb1b322..4b7e6447efc9 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_default.pass.sh 
@@ -1,4 +1,4 @@ #!/bin/bash -# default banner from motd_banner_text.var -echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd +# default banner from motd_banner_contents.var +echo "Authorized users only. All activity may be monitored and reported." > /etc/motd diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var new file mode 100644 index 000000000000..bd366b4da215 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized uses only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. 
Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var new file mode 100644 index 000000000000..0f838c065d56 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/dconf_login_banner_text.var 
@@ -0,0 +1,33 @@ +documentation_complete: true + +title: Dconf GDM Login Banner Verbiage Regular Expression + +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions + +type: string + +operator: equals + +interactive: true + +options: +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions +# CIS recommends to use "Authorized uses only" for Dconf GDM requirements which is +# different text that in other login banners where CIS recommends "Authorized users only". 
+ cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ +# First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters + dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+include
s[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + dod_default: 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]
+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ + dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ + dss_odaa_default: ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+awa
re[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ + usgcb_default: 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml index 33d95980ded9..38bd849f78c4 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml @@ -3,7 +3,7 @@ # strategy = unknown # complexity = low # disruption = medium -{{{ ansible_instantiate_variables("login_banner_text") }}} +{{{ ansible_instantiate_variables("dconf_login_banner_contents") }}} - name: "{{{ rule_title }}}" ansible.builtin.file: 
@@ -32,7 +32,7 @@ dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings section: org/gnome/login-screen option: banner-message-text - value: '{{{ ansible_deregexify_banner_dconf_gnome("login_banner_text") }}}' + value: '''{{ dconf_login_banner_contents }}''' create: yes no_extra_spaces: yes register: result_ini diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh index 930d5fe18189..c686cbe1dbf3 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh 
@@ -1,22 +1,5 @@ # platform = multi_platform_all -login_banner_text='(bash-populate login_banner_text)' - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" ) +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/login-screen", "banner-message-text", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh index 57e577df79b9..4d38311e4e43 100644 
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/ubuntu.sh 
@@ -1,28 +1,11 @@ # platform = multi_platform_ubuntu -{{{ bash_instantiate_variables("login_banner_text") }}} - -# Multiple regexes transform the banner regex into a usable banner -# 0 - Remove anchors around the banner text -{{{ bash_deregexify_banner_anchors("login_banner_text") }}} -# 1 - Keep only the first banners if there are multiple -# (dod_banners contains the long and short banner) -{{{ bash_deregexify_multiple_banners("login_banner_text") }}} -# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") -{{{ bash_deregexify_banner_space("login_banner_text") }}} -# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") -{{{ bash_deregexify_banner_newline("login_banner_text", "(n)*") }}} -# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example). -{{{ bash_deregexify_banner_backslash("login_banner_text") }}} -# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). -# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". -{{{ bash_deregexify_banner_newline_token("login_banner_text")}}} - {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}} {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +dconf_login_banner_contents=$(echo "(bash-populate dconf_login_banner_contents)" ) # Will do both approach, since we plan to migrate to checks over dconf db. That way, future updates of the tool # will pass the check even if we decide to check only for the dconf db path. 
-{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${login_banner_text}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} -{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${login_banner_text}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ set_config_file("/etc/gdm3/greeter.dconf-defaults", "banner-message-text", value="'${dconf_login_banner_contents}'", create='no', insert_after="\[org/gnome/login-screen\]", insert_before="", separator="=", separator_regex="", prefix_regex="^\s*", rule_id=rule_id) }}} +{{{ bash_dconf_settings("org/gnome/login-screen", "banner-message-text", "'${dconf_login_banner_contents}'", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} # No need to use dconf update, since bash_dconf_settings does that already diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml index 0a6b6a9c829f..4b957be47881 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml 
@@ -39,9 +39,9 @@ </ind:textfilecontent54_object> <ind:textfilecontent54_state id="state_gdm_login_banner_text_setting" version="1"> - <ind:subexpression datatype="string" operation="pattern match" var_ref="login_banner_text" /> + <ind:subexpression datatype="string" operation="pattern match" var_ref="dconf_login_banner_text" /> </ind:textfilecontent54_state> - <external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" /> + <external_variable comment="warning banner text variable" datatype="string" id="dconf_login_banner_text" version="1" /> </def-group> diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml index 3baac57772f3..208572acae53 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/ubuntu.xml @@ -37,9 +37,9 @@ <ind:textfilecontent54_state id="state_gdm_login_banner_text_setting" version="1"> - <ind:subexpression datatype="string" operation="pattern match" var_ref="login_banner_text" /> + <ind:subexpression datatype="string" operation="pattern match" var_ref="dconf_login_banner_text" /> </ind:textfilecontent54_state> - <external_variable comment="warning banner text variable" datatype="string" id="login_banner_text" version="1" /> + <external_variable comment="warning banner text variable" datatype="string" id="dconf_login_banner_text" version="1" /> </def-group> 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh index 6ff96441acd3..c2caa11732c3 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig.pass.sh 
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE +or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details. +EOF +) + +# replace two subsequent newlines with a \n\n and single newlines with a space +login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g') clean_dconf_settings -add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-text" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" dconf update diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh index 9969fcc6f0d2..c8077d767d35 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/correct_value_stig_wrong_db.fail.sh 
@@ -7,11 +7,39 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s
\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents=$(cat <<'EOF' +You are accessing a U.S. Government (USG) Information System (IS) that is +provided for USG-authorized use only. By using this IS (which includes any +device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for +purposes including, but not limited to, penetration testing, COMSEC monitoring, +network operations and defense, personnel misconduct (PM), law enforcement +(LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject +to routine monitoring, interception, and search, and may be disclosed or used +for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) +to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE +or CI investigative searching or monitoring of the content of privileged +communications, or work product, related to personal representation or services +by attorneys, psychotherapists, or clergy, and their assistants. Such +communications and work product are private and confidential. See User +Agreement for details. +EOF +) + +# replace two subsequent newlines with a \n\n and single newlines with a space +login_banner_text_escaped=$(printf '%s' "$login_banner_contents" | sed ':a;N;$!ba;s/\n\n/\\n\\n/g;s/\n/ /g') clean_dconf_settings -add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "dummy.d" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${login_banner_text_escaped}'" "dummy.d" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-text" "dummy.d" "00-security-settings-lock" dconf update diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh index c316d7c8f74b..56eb33cd1061 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/missing_value_stig.fail.sh 
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -# login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+con
sent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" -# expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +# login_banner_contents="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\
n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" +# expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" 
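Review bot: The `-#`/`+#` pair in missing_value_stig.fail.sh only renames a variable inside commented-out code; both the regex assignment and the `# expanded=$(echo ... | sed ...)` pipeline are dead here because this test deliberately leaves `banner-message-text` unset. Rather than keeping dead code in step with the rename, drop the commented block, or replace it with a single comment stating that the banner text is intentionally not set so the rule fails.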
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh index 9b0d6ebb73f3..8d3f075bdb73 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh index 2ffb8ec5fb19..380397ebba55 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_correct_value_defaults.pass.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=Authorized users only. All activity may be monitored and reported. +# variables = dconf_login_banner_text=Authorized users only. All activity may be monitored and reported. source $SHARED/dconf_test_functions.sh clean_dconf_settings 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh index cf9bb8d31b34..e013ae2dd447 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh index 07e8cacfd78a..51ac9ff10ab7 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/ubuntu_wrong_value_defaults.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu # packages = gdm3 -# variables = login_banner_text=default +# variables = dconf_login_banner_text=default source $SHARED/dconf_test_functions.sh clean_dconf_settings diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh index 38b8ee45b0a8..28b573bc3a9a 100644 
--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrapped_banner.fail.sh 
@@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." 
-expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +dconf_login_banner_contents="Some text before --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. And some after." +expanded=$(echo "$dconf_login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh index 6a3b00b8cafa..577d3a876327 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh 
+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value.fail.sh @@ -7,8 +7,8 @@ source $SHARED/dconf_test_functions.sh install_dconf_and_gdm_if_needed -login_banner_text="Wrong Banner Text" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Wrong Banner Text" +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "{{{ dconf_gdm_dir }}}" "00-security-settings" diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh index 7c7d4c073e3d..1c04437538a8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/tests/wrong_value_stig.fail.sh 
@@ -3,8 +3,8 @@ # profiles = xccdf_org.ssgproject.content_profile_stig # packages = dconf,gdm -login_banner_text="Wrong Banner Text" -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') +login_banner_contents="Wrong Banner Text" +expanded=$(echo "$login_banner_contents" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') {{% if 'ubuntu' not in product %}} source $SHARED/dconf_test_functions.sh diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var new file mode 100644 index 000000000000..d39a75fd02fd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var index a8a9e9337576..6a44de843411 100644 --- a/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/login_banner_text.var 
@@ -1,21 +1,25 @@ documentation_complete: true -title: 'Login Banner Verbiage' +title: Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. -# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions +# How to generate banner regex: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters 
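Review bot: Switching `interactive: false` to `interactive: true` on login_banner_text.var, whose value is now explicitly a regular expression, means tailoring tools will offer a free-text prompt for it; a user who pastes a plain banner containing parentheses, periods or quotes gets a pattern that either never matches or matches too much. If it must stay interactive, the description should say the value is matched as a regex and that literal text has to be escaped, since the dropped sentence ("special characters ... must be escaped with '\\'") was the only place that was stated. Minor wording: "eg." should be "e.g.", and "how to generate banner regular expression" reads better as "how to generate a banner regular expression".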
diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var new file mode 100644 index 000000000000..07fab0040f52 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'MotD Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or services\nby 
attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var index 6c7fff79ebc7..8b6fdbfc7b2d 100644 --- a/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/motd_banner_text.var 
@@ -1,27 +1,31 @@ documentation_complete: true -title: 'MotD Banner Verbiage' +title: Motd Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the motd_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. 
# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions - cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ - cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\
n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]
+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\
s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ - default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var new file mode 100644 index 000000000000..d2b77661b666 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_contents.var 
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Remote Login Banner Verbiage' + +description: >- + Enter an appropriate login banner text for your organization. + This variable is used only in remediations. + In OVAL checks a regular expression specified in the remote_login_banner_text variable is used instead. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + +type: string + +operator: equals + +interactive: true + +options: + default: 'Authorized users only. All activity may be monitored and reported.' +# CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. +# There is a generic content in case a remediation is necessary. + cis_default: 'Authorized users only. All activity may be monitored and reported.' + dod_default: 'You are accessing a U.S. Government (USG) Information System (IS) that is\nprovided for USG-authorized use only. By using this IS (which includes any\ndevice attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for\npurposes including, but not limited to, penetration testing, COMSEC monitoring,\nnetwork operations and defense, personnel misconduct (PM), law enforcement\n(LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject\nto routine monitoring, interception, and search, and may be disclosed or used\nfor any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls)\nto protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE\nor CI investigative searching or monitoring of the content of privileged\ncommunications, or work product, related to personal representation or 
services\nby attorneys, psychotherapists, or clergy, and their assistants. Such\ncommunications and work product are private and confidential. See User\nAgreement for details.' + dod_short: 'I''ve read & consent to terms in IS user agreem''t.' + dss_odaa_default: 'Use of this or any other DoD interest computer system constitutes consent to\nmonitoring at all times. This is a DoD interest computer system. All DoD\ninterest computer systems and related equipment are intended for the\ncommunication, transmission, processing, and storage of official U.S.\nGovernment or other authorized information only. All DoD interest computer\nsystems are subject to monitoring at all times to ensure proper functioning of\nequipment and systems including security devices and systems, to prevent\nunauthorized use and violations of statutes and security regulations, to deter\ncriminal activity, and for other similar purposes. Any user of a DoD interest\ncomputer system should be aware that any information placed in the system is\nsubject to monitoring and is not subject to any expectation of privacy. If\nmonitoring of this or any other DoD interest computer system reveals possible\nevidence of violation of criminal statutes, this evidence and any other related\ninformation, including identification information about the user, may be\nprovided to law enforcement officials. If monitoring of this or any other DoD\ninterest computer systems reveals violations of security regulations or\nunauthorized use, employees who violate security regulations or make\nunauthorized use of DoD interest computer systems are subject to appropriate\ndisciplinary action. Use of this or any other DoD interest computer system\nconstitutes consent to monitoring at all times.' + usgcb_default: '-- WARNING -- This system is for the use of authorized users only. 
Individuals\nusing this computer system without authority or in excess of their authority\nare subject to having all their activities on this system monitored and\nrecorded by system personnel. Anyone using this system expressly consents to\nsuch monitoring and is advised that if such monitoring reveals possible\nevidence of criminal activity system personal may provide the evidence of such\nmonitoring to law enforcement officials.' diff --git a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var index 5f64f4f4af63..a4e24de44962 100644 --- a/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var +++ b/linux_os/guide/system/accounts/accounts-banners/remote_login_banner_text.var 
@@ -1,28 +1,31 @@ documentation_complete: true -title: 'Remote Login Banner Verbiage' +title: Remote Login Banner Verbiage Regular Expression -description: |- - Enter an appropriate login banner for your organization. Please note that new lines must - be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. +description: >- + Enter an appropriate login banner regular expression for your organization. + Using a regular expression is needed because some profiles (eg. STIG) allow multiple different banners. + This regular expression is used only in OVAL checks. + In remediations the remote_login_banner_contents variable is used instead. + For information about how to generate banner regular expression for your tailoring files, + see: https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions type: string operator: equals -interactive: false - +interactive: true options: # CIS doesn't enforce any specific content for login banners, but doesn't allow technical information. # There is a generic content in case a remediation is necessary. 
# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions - cis_banners: ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ - cis_default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + cis_banners: ^(Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$ + cis_default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ # First banner in 'dod_banners' must be the banner for desktop, laptop, and other devices which accommodate banners of 1300 characters dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\
n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ dod_default: 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]
+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ dod_short: ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ dss_odaa_default: ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication,[\s\n]+transmission,[\s\n]+processing,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\
s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ usgcb_default: 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ - default: ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ + default: ^Authorized[\s\n]+users[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$ diff --git a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml index 2c6f3d6d375c..da5b0d596ce0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml @@ -22,7 +22,7 @@ identifiers: cce@rhel10: CCE-90739-4 cce@sle12: CCE-91505-8 cce@sle15: CCE-91196-6 - + cce@sle16: CCE-96060-9 ocil_clause: |- pam_namespace.so is not required or is commented out 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml index 6ddeca87203b..c2b84d63960f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml @@ -21,6 +21,7 @@ severity: medium identifiers: cce@sle12: CCE-83173-5 cce@sle15: CCE-91398-8 + cce@sle16: CCE-95993-2 cce@slmicro5: CCE-94082-5 cce@slmicro6: CCE-94641-8 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index 7212a67f9415..6f472912698a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel9: CCE-83587-6 cce@rhel10: CCE-87388-5 cce@sle15: CCE-85842-3 + cce@sle16: CCE-96664-8 references: cis-csc: 1,12,15,16 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml index d836a170849b..fd7925a755f1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-87975-9 cce@sle12: CCE-91468-9 cce@sle15: CCE-91171-9 + cce@sle16: CCE-96663-0 references: cis-csc: 1,12,15,16 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml index e012ebd6b3f3..8bad63e27c08 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml @@ -29,6 +29,7 @@ identifiers: cce@rhel9: CCE-83583-5 cce@rhel10: CCE-86672-3 cce@sle15: CCE-91169-3 + cce@sle16: CCE-96665-5 references: cis-csc: 1,12,15,16 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index bf6799d6f0f4..faa85597accf 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml @@ -31,6 +31,7 @@ identifiers: cce@rhel9: CCE-83588-4 cce@rhel10: CCE-89250-5 cce@sle15: CCE-85841-5 + cce@sle16: CCE-96666-3 references: cis-csc: 1,12,15,16 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml index b8086a960a02..06794ce968d2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml @@ -21,6 +21,7 @@ severity: medium identifiers: cce@sle12: CCE-83169-3 cce@sle15: CCE-85574-2 + cce@sle16: CCE-96246-4 cce@slmicro5: CCE-93767-2 cce@slmicro6: CCE-94701-0 diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml index 780f603045c1..f480c5d0113f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml @@ -21,6 +21,7 @@ severity: medium identifiers: cce@sle12: CCE-83166-9 cce@sle15: CCE-85675-7 + cce@sle16: CCE-96294-4 cce@slmicro5: CCE-93762-3 cce@slmicro6: CCE-94637-6 diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml index f1bae24320ee..6c728f535085 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml @@ -29,6 +29,7 @@ identifiers: cce@rhel10: CCE-90508-3 cce@sle12: CCE-83171-9 cce@sle15: CCE-85567-6 + cce@sle16: CCE-95736-5 cce@slmicro5: CCE-93682-3 cce@slmicro6: CCE-94660-8 diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml index 13dbf9ec612f..bb1894435ae8 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml @@ -6,7 +6,22 @@ {{{ ansible_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["sle15", "sle16"] %}} +- name: Remove StopIdleSessionSec from main config + ansible.builtin.lineinfile: + path: /etc/systemd/logind.conf + regexp: '^\s*StopIdleSessionSec\s*=' + state: absent + +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} + +- name: Remove StopIdleSessionSec from drop-in files + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^\s*StopIdleSessionSec\s*=' + state: absent + with_fileglob: + - /etc/systemd/logind.conf.d/*.conf + # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} {{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh index 72a2ca90de7e..ea7d0c1caea4 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh 
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh @@ -2,9 +2,15 @@ {{{ bash_instantiate_variables("var_logind_session_timeout") }}} -{{% if product in ["sle15", "sle16"] %}} +# Remove StopIdleSessionSec from main config +{{{ lineinfile_absent("/etc/systemd/logind.conf", "^\s*StopIdleSessionSec\s*=", insensitive=true, rule_id=rule_id) }}} + +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} # create drop-in in the /etc/systemd/logind.conf.d/ directory {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}} +mkdir -p "/etc/systemd/logind.conf.d/" +# remove StopIdleSessionSec from drop-in files +{{{ lineinfile_absent_in_directory("/etc/systemd/logind.conf.d", "^\s*StopIdleSessionSec\s*=", insensitive=true, filename_glob="*.conf") | indent(4) }}} {{% else %}} {{% set logind_conf_file = "/etc/systemd/logind.conf" %}} {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml index e4466d9b0c9b..3ea13bc7f07f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in ["sle15", "sle16"] %}} +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} {{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}} {{% else %}} {{% set logind_conf_file = "/etc/systemd/logind.conf" %}} 
@@ -6,7 +6,7 @@ <def-group> <definition class="compliance" id="logind_session_timeout" version="1"> - {{% if product in ["sle15", "sle16"] %}} + {{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}} <criteria comment="logind is configured correctly and configuration file exists" operator="AND"> <criterion comment="Check the StopIdleSessionSec in {{{ logind_conf_file }}}" test_ref="test_logind_session_timeout_drop_in"/> diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh index 441b663d9240..ce6a75106687 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh @@ -3,7 +3,7 @@ # this file prepares unified test environment used by other scenarios # These should be tuned per product to match defaults -{{% if product in ["sle15", "sle16"] %}} +{{% if product in ["ol9", "ol10", "rhel9", "rhel10", "sle15", "sle16"] %}} LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" mkdir -p /etc/systemd/logind.conf.d/ {{% else %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh new file mode 100644 index 000000000000..8f1db2d9320b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/dir_missing.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}} +rm -rf "/etc/systemd/logind.conf.d/" +{{% endif %}} 
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml index 0faa359e3937..a8bf7416aa2e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml @@ -11,6 +11,7 @@ dest: /etc/systemd/system/emergency.service.d/10-oscap.conf block: | [Service] + ExecStart= ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency {{% else %}} - name: Require emergency mode password diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh index a9995656d996..43dda82dea2f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh @@ -16,6 +16,7 @@ sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default {{% if 'sle' in product or 'rhel' in product or product == 'fedora' or product == 'slmicro5' or 'ol' in families %}} mkdir -p "${service_dropin_cfg_dir}" echo "[Service]" >> "${service_dropin_file}" +echo "ExecStart=" >> "${service_dropin_file}" echo "ExecStart=-$sulogin" >> "${service_dropin_file}" {{% else %}} if grep "^ExecStart=.*" "$service_file" ; then diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml index 03693d6cf2e2..0845bd49d442 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml @@ -29,6 +29,7 @@ identifiers: cce@rhel10: CCE-87452-9 cce@sle12: CCE-83257-6 cce@sle15: CCE-91168-5 + cce@sle16: CCE-95762-1 references: cis-csc: 1,12,15,16,5 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml index ebcb5ac0430d..66e566378c67 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh index 7bdb759f686f..b0f38d581bc0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_debian +# platform = multi_platform_debian,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = restrict # complexity = low 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml index 97714adfda04..2cfd1a5396f5 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-87667-2 cce@rhel9: CCE-87668-0 cce@rhel10: CCE-88296-9 + cce@sle16: CCE-96252-2 ocil_clause: 'any results are returned that are not associated with a system account' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml index daf063350cb8..bf8aeb3f469c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/ansible/shared.yml @@ -6,7 +6,7 @@ {{{ ansible_instantiate_variables("var_password_pam_unix_rounds") }}} -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["sle12", "sle15", "sle16"] %}} {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}} {{% else %}} {{{ ansible_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', '{{ var_password_pam_unix_rounds }}', '', rule_id=rule_id, rule_title=rule_title) }}} 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh index 9346f874318b..3bca691a411c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh @@ -2,11 +2,11 @@ {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}} -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["sle12", "sle15", "sle16"] %}} {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}} {{% elif product in ["debian12", "debian13"] %}} {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}} -{{% elif product in ["ubuntu2404"] %}} +{{% elif product in ["ubuntu2204", "ubuntu2404"] %}} config_file="/usr/share/pam-configs/cac_unix" {{{ bash_pam_unix_enable() }}} sed -i -E '/^Password:/,/^[^[:space:]]/ { diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml index 7e3067f20224..1ebd7c437550 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml 
@@ -1,4 +1,4 @@ -{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2404'] %}} +{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}} {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}} {{% else %}} {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}} @@ -19,7 +19,7 @@ <ind:textfilecontent54_object id="object_password_auth_pam_unix_rounds" version="1"> <ind:filepath operation="pattern match">^{{{ pam_passwd_file_path }}}$</ind:filepath> - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}} <ind:pattern operation="pattern match">^\s*password\s+.*\s+pam_unix\.so[^#]*rounds=([0-9]*).*$</ind:pattern> {{% else %}} <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so[^#]*rounds=([0-9]*).*$</ind:pattern> diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml index 06e867bc9d1e..f00a09c6d160 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Set number of Password Hashing Rounds - password-auth' -{{% if product in ["sle12", "sle15", "debian12", "debian13", 'ubuntu2404'] %}} +{{% if product in ["debian12", "debian13", "sle12", "sle15", "sle16", "ubuntu2204", "ubuntu2404"] %}} {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}} {{% else %}} {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}} 
@@ -15,11 +15,11 @@ description: |- <br /><br /> In file <tt>{{{ pam_passwd_file_path }}}</tt> append <tt>rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</tt> to the <tt>pam_unix.so</tt> entry, as shown below: - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}} <pre>password [success=1 default=ignore] pam_unix.so <i>...existing_options...</i> rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre> {{% else %}} <pre>password sufficient pam_unix.so <i>...existing_options...</i> rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre> - + The system's default number of rounds is 5000. {{% endif %}} @@ -49,7 +49,7 @@ ocil: |- To verify the number of rounds for the password hashing algorithm is configured, run the following command: <pre>$ sudo grep rounds {{{ pam_passwd_file_path }}}</pre> The output should show the following match: - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}} <pre>password [success=1 default=ignore] pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre> {{% else %}} <pre>password sufficient pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}</pre> @@ -62,10 +62,10 @@ fixtext: |- Add or modify the following line in "{{{ pam_passwd_file_path }}}" and set "rounds" to {{{ xccdf_value("var_password_pam_unix_rounds") }}}. For example: - {{% if product in ["debian12", "debian13", 'ubuntu2404'] %}} + {{% if product in ["debian12", "debian13", 'ubuntu2204', 'ubuntu2404'] %}} password [success=1 default=ignore] pam_unix.so sha512 rounds=5000 {{% else %}} password sufficient pam_unix.so sha512 rounds=5000 {{% endif %}} - + srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.' 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml index 35dffe1f94d3..78a18739de13 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml @@ -4,7 +4,7 @@ # complexity = low # disruption = medium {{% if 'ubuntu' in product %}} -{{%- set pam_config_paths = "['/etc/pam.d/common-password']" %}} +{{%- set pam_config_paths = "['/etc/pam.d/common-auth', '/etc/pam.d/common-password']" %}} {{% else %}} {{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}} {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh index e235cdbdd4ab..90a9c6de3992 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh @@ -25,6 +25,18 @@ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { } }' "$config_file" +sed -i -E '/^Auth:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*nullok//g + } +}' "$config_file" + +sed -i -E '/^Auth-Initial:/,/^[^[:space:]]/ { + /pam_unix\.so/ { + s/\s*nullok//g + } +}' "$config_file" + DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} if [ -f /usr/bin/authselect ]; then 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml index ddbde376b499..ac2fc52abd05 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml @@ -15,7 +15,7 @@ {{% if 'sle' in product or 'slmicro' in product %}} <ind:filepath operation="pattern match">^/etc/pam.d/.*$</ind:filepath> {{% elif 'ubuntu' in product %}} - <ind:filepath operation="pattern match">^/etc/pam.d/common-password</ind:filepath> + <ind:filepath operation="pattern match">^/etc/pam.d/common-(auth|password)$</ind:filepath> {{% else %}} <ind:filepath operation="pattern match">^/etc/pam.d/(system|password)-auth$</ind:filepath> {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml index 746e729b1057..b88e482f57ca 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml @@ -10,7 +10,7 @@ description: |- {{% if 'sle' in product or 'slmicro' in product%}} password authentication configurations in <tt>/etc/pam.d/</tt> {{% elif 'ubuntu' in product %}} - <tt>/etc/pam.d/common-password</tt> + <tt>/etc/pam.d/common-auth</tt> and <tt>/etc/pam.d/common-password</tt> {{% else %}} <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> 
@@ -63,7 +63,7 @@ ocil: |- {{% if 'sle' in product or 'slmicro' in product %}} <pre>$ grep pam_unix.so /etc/pam.d/* | grep nullok</pre> {{% elif 'ubuntu' in product %}} - <pre>grep nullok /etc/pam.d/common-password</pre> + <pre>grep nullok /etc/pam.d/common-auth /etc/pam.d/common-password</pre> {{% else %}} <pre>$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth</pre> {{% endif %}} @@ -72,10 +72,10 @@ ocil: |- prevent logins with empty passwords. fixtext: |- - Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-password file {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null + Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-auth and common-password files {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null passwords. {{% if 'ubuntu' in product %}} - Remove any instances of the "nullok" option in "/etc/pam.d/common-password" + Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" {{% else %}} Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files @@ -85,7 +85,7 @@ fixtext: |- Note: Manual changes to the listed file may be overwritten by the "authselect" program. srg_requirement: |- - '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-password file.{{% else %}} system-auth file nor + '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-auth and common-password files.{{% else %}} system-auth file nor password-auth. {{% endif %}}' warnings: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh index 6f56a2e0ddae..d1bfb5fc8de3 100644 
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh @@ -12,9 +12,9 @@ Priority: 257 Conflicts: unix Auth-Type: Primary Auth: - [success=end default=ignore] pam_unix.so nullok try_first_pass + [success=end default=ignore] pam_unix.so try_first_pass Auth-Initial: - [success=end default=ignore] pam_unix.so nullok + [success=end default=ignore] pam_unix.so Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_unix.so diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh index 1c20026e7dd0..9c2ed1c87f26 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh @@ -12,9 +12,9 @@ Priority: 257 Conflicts: unix Auth-Type: Primary Auth: - [success=end default=ignore] pam_unix.so nullok try_first_pass + [success=end default=ignore] pam_unix.so try_first_pass # nullok Auth-Initial: - [success=end default=ignore] pam_unix.so nullok + [success=end default=ignore] pam_unix.so # nullok Account-Type: Primary Account: [success=end new_authtok_reqd=done default=ignore] pam_unix.so diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh new file mode 100644 index 000000000000..4468cb808777 --- /dev/null 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh @@ -0,0 +1,35 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = pam + +config_file=/usr/share/pam-configs/tmp_unix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 257 +Conflicts: unix +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so nullok try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so nullok +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh new file mode 100644 index 000000000000..29e3cf57fcb9 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh 
@@ -0,0 +1,35 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = pam + +config_file=/usr/share/pam-configs/tmp_unix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 257 +Conflicts: unix +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok +Password-Initial: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh index dd8ad70a8c69..d844d60048b9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_all -readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow) +readarray -t users_with_empty_pass < <(awk -F: '!$2 {print $1}' /etc/shadow) for user_with_empty_pass in "${users_with_empty_pass[@]}" do 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml index 1fc2e85742bb..ce2102fc53d0 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/ansible/shared.yml @@ -11,5 +11,5 @@ - name: Lock the password of the user accounts other than root with uid 0 ansible.builtin.command: passwd -l {{ item.key }} - loop: "{{ getent_passwd | dict2items | rejectattr('key', 'search', 'root') | list }}" + loop: "{{ getent_passwd | dict2items | rejectattr('key', 'equalto', 'root') | list }}" when: item.value.1 == '0' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml index c1276fa340e1..2fa2d3e58eb4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml 
@@ -1,16 +1,35 @@ <def-group> <definition class="compliance" id="accounts_no_uid_except_zero" version="1"> - {{{ oval_metadata("Only the root account should be assigned a user id of 0.", rule_title=rule_title) }}} + {{{ oval_metadata("Only the root account should be assigned a user id of 0, or the account must be locked.", rule_title=rule_title) }}} <criteria> <criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="test_accounts_no_uid_except_root" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="test_accounts_no_uid_except_root" version="1"> + + <ind:textfilecontent54_test check="all" check_existence="any_exist" + comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" + id="test_accounts_no_uid_except_root" version="1"> <ind:object object_ref="object_accounts_no_uid_except_root" /> + <ind:state state_ref="state_is_locked_in_shadow" /> </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_no_uid_except_root" version="1"> <ind:filepath>/etc/passwd</ind:filepath> - <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern> - <ind:instance datatype="int">1</ind:instance> + <ind:pattern operation="pattern match">^(?!root:)([^:]+):[^:]+:0:.*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> + + <ind:textfilecontent54_object id="object_shadow_locked_users" version="1"> + <ind:filepath>/etc/shadow</ind:filepath> + <ind:pattern operation="pattern match">^([^:]+):[!*][^:]*:.*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <local_variable id="var_locked_users" datatype="string" version="1" comment="Variable containing all locked users"> 
+ <object_component item_field="subexpression" object_ref="object_shadow_locked_users" /> + </local_variable> + + <ind:textfilecontent54_state id="state_is_locked_in_shadow" version="1"> + <ind:subexpression datatype="string" operation="equals" var_check="at least one" var_ref="var_locked_users" /> + </ind:textfilecontent54_state> </def-group> diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml index 091ca1a70df8..5293b2a6695f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml @@ -4,8 +4,8 @@ title: 'Verify Only Root Has UID 0' description: |- If any account other than root has a UID of 0, this misconfiguration should - be investigated and the accounts other than root should be removed or have - their UID changed. + be investigated and the accounts other than root should be removed, locked + or have their UID changed. <br /> If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "{{{ uid_min }}}." 
@@ -60,12 +60,14 @@ ocil: |- following command: <pre>$ awk -F: '$3 == 0 {print $1}' /etc/passwd</pre> <pre>root</pre> + Also make sure that if non-root account with UID "0" exist, it is locked: + <pre>$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow</pre> fixtext: |- Change the UID of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "{{{ uid_min }}}". Otherwise, - assign a UID of greater than "{{{ uid_min }}}" that has not already been assigned. + assign a UID of greater than "{{{ uid_min }}}" that has not already been assigned or locked. srg_requirement: 'The root account must be the only account having unrestricted access to the {{{ full_name }}} system.' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh new file mode 100644 index 000000000000..e49712ca010d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/locked_user_uid_0.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_all + +useradd --non-unique --uid 0 rootlocked +# configure password, otherwise user is locked +echo "rootlocked:password" | chpasswd +passwd -l rootlocked diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh index aec75bd0ed52..1c3ada03bc0b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/tests/other_user_uid_0.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash +# platform = multi_platform_all # -# Remediation doesn't fix the rule, only locks passwords -# of non-root accounts with uid 0. -# remediation = none useradd --non-unique --uid 0 root2 +# configure password, otherwise user is locked +echo "root2:password" | chpasswd diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml deleted file mode 100644 index b6f60d4bc946..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml +++ /dev/null @@ -1,11 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low - -- name: "Restrict usage of su command only to members of wheel group" - ansible.builtin.replace: - path: "/etc/pam.d/su" - regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$' - replace: "auth required pam_wheel.so use_uid" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh deleted file mode 100644 index 5bd381d1210f..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh +++ /dev/null 
@@ -1,4 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux - -# uncomment the option if commented -sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml deleted file mode 100644 index d7932de398fd..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml +++ /dev/null @@ -1,21 +0,0 @@ -<def-group> - <definition class="compliance" id="{{{ rule_id }}}" version="1"> - {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.", rule_title=rule_title) }}} - <criteria operator="AND"> - <criterion test_ref="test_use_pam_wheel_for_su" /> - </criteria> - </definition> - - <ind:textfilecontent54_test id="test_use_pam_wheel_for_su" version="1" - check="all" check_existence="at_least_one_exists" - comment="check existence of use_uid option for pam_wheel.so in /etc/pam.d/su"> - <ind:object object_ref="object_use_pam_wheel_for_su" /> - </ind:textfilecontent54_test> - - <ind:textfilecontent54_object id="object_use_pam_wheel_for_su" version="1" - comment="collect pam_wheel.so line in /etc/pam.d/su if use_uid option is present in the line"> - <ind:filepath>/etc/pam.d/su</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+\buse_uid\b</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> 
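Review bot: the new OCIL check in the `accounts_no_uid_except_zero/rule.yml` hunk, `<pre>$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow</pre>`, lists every locked account in /etc/shadow rather than the UID 0 accounts reported by the preceding awk command, so an auditor cannot tell from its output whether the non-root UID 0 account in question is actually locked; instruct the reader to run `grep -E '^NAME:[!*]' /etc/shadow` for each NAME printed by the awk command instead, and fix the lead-in sentence ("if a non-root account with UID "0" exists, it must be locked"). In the fixtext hunk the phrase "that has not already been assigned or locked" attaches "locked" to the UID instead of the account; reword to "that has not already been assigned, or lock the account."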
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml index 6c0ca626469e..ad32af129980 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml @@ -61,3 +61,14 @@ vuldiscussion: |- When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. platform: package[pam] + +template: + name: pam_options + vars: + path: /etc/pam.d/su + type: auth + control_flag: required + module: pam_wheel.so + arguments: + - argument: use_uid + new_argument: use_uid diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml deleted file mode 100644 index 6d79f4e9d2de..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml +++ /dev/null @@ -1,14 +0,0 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low - -{{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}} - -- name: {{{ rule_title }}} - Add the group to the /etc/pam.d/su file - ansible.builtin.lineinfile: - path: "/etc/pam.d/su" - state: present - regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$' - line: "auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }}" 
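Review bot: the `use_pam_wheel_for_su/rule.yml` hunk swaps the handwritten OVAL, Bash and Ansible content for the `pam_options` template, but the deleted remediations were limited by `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_almalinux` and only uncommented an existing `pam_wheel.so use_uid` line, whereas template-generated remediation applies wherever the rule's `platform: package[pam]` holds and will add the line when it is absent; document that this widening is intended and verify that the generated OVAL still requires the line to be uncommented, as the deleted pattern `^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+\buse_uid\b` did.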
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh deleted file mode 100644 index 35df572f9f8d..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh +++ /dev/null @@ -1,15 +0,0 @@ -# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian -{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}} - -PAM_CONF=/etc/pam.d/su - -pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF}) -if [ -z "$pamstr" ]; then - sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line - sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF} -else - group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2) - if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then - sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF} - fi -fi diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml deleted file mode 100644 index b841da12e366..000000000000 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/oval/shared.xml +++ /dev/null 
@@ -1,31 +0,0 @@ -<def-group> - <definition class="compliance" id="{{{ rule_id }}}" version="1"> - {{{ oval_metadata("Only members of the group set in variable 'var_pam_wheel_group_for_su' should be able to authenticate through the su command.", rule_title=rule_title) }}} - <criteria operator="AND"> - <criterion test_ref="test_use_pam_wheel_group_for_su" /> - </criteria> - </definition> - - <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" - comment="check /etc/pam.d/su for correct setting" - id="test_use_pam_wheel_group_for_su" version="1"> - <ind:object object_ref="object_use_pam_wheel_group_for_su" /> - <ind:state state_ref="state_use_pam_wheel_group_for_su" /> - </ind:textfilecontent54_test> - - <ind:textfilecontent54_object comment="check /etc/pam.d/su for correct setting" - id="object_use_pam_wheel_group_for_su" version="1"> - <ind:filepath>/etc/pam.d/su</ind:filepath> - <ind:pattern operation="pattern match">^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*)</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> - - <ind:textfilecontent54_state comment="group name must be valid" - id="state_use_pam_wheel_group_for_su" version="1"> - <ind:subexpression operation="equals" datatype="string" - var_ref="var_pam_wheel_group_for_su" /> - </ind:textfilecontent54_state> - - <external_variable comment="Name of the allowed su group" - datatype="string" id="var_pam_wheel_group_for_su" version="1" /> -</def-group> diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml index 3d00846e44a7..d1cf0a7ad598 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml @@ -37,9 +37,24 @@ ocil: |- Run the following command to check if the line is present: <pre>grep pam_wheel /etc/pam.d/su</pre> The output should contain the following line: - <pre>auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su") }}}</pre> + <pre>auth required pam_wheel.so use_uid group={{{ xccdf_value("var_pam_wheel_group_for_su.var") }}}</pre> warnings: - general: |- Note that <tt>ensure_pam_wheel_group_empty</tt> rule complements this requirement by ensuring the referenced group exists and has no members. + +template: + name: pam_options + vars: + path: /etc/pam.d/su + type: auth + control_flag: required + module: pam_wheel.so + arguments: + - variable: group + variable_name: var_pam_wheel_group_for_su + operation: equals + datatype: string + - argument: use_uid + new_argument: use_uid diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml index 24cfaa9eddcb..7a93cacce005 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-88705-9 cce@sle12: CCE-91506-6 cce@sle15: CCE-91197-4 + cce@sle16: CCE-95788-6 ocil_clause: is not configured diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml index c58ada6743ce..276e58a84c72 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml 
@@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-88424-7 cce@sle12: CCE-91507-4 cce@sle15: CCE-91198-2 + cce@sle16: CCE-96428-8 ocil_clause: is not configured diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml index ef74d0ecb3c2..3605f82340c7 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-89225-7 cce@sle12: CCE-92295-5 cce@sle15: CCE-91408-5 + cce@sle16: CCE-96569-9 references: cis@sle12: 6.2.8 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml index 203e1e8eabc8..2713d8bc60bc 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-86981-8 cce@sle12: CCE-92296-3 cce@sle15: CCE-91409-3 + cce@sle16: CCE-96227-4 references: cis@sle12: 6.2.8 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml new file mode 100644 index 000000000000..02efcd031d5f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml 
@@ -0,0 +1,71 @@ +<def-group> + <definition class="compliance" + id="{{{ rule_id }}}" version="1"> + {{{ oval_metadata("All interactive user home directories must reside on a separate partition from root.", rule_title=rule_title) }}} + <criteria operator="OR"> + <criterion test_ref="test_{{{ rule_id }}}" + comment="All interactive user home directories are on a separate partition"/> + <criterion test_ref="test_{{{ rule_id }}}_no_interactive_users" + comment="No interactive users exist on the system"/> + </criteria> + </definition> + + <!-- ============================================================ --> + <!-- Part 1: Collect all non-root mount points from the system --> + <!-- ============================================================ --> + <linux:partition_object id="object_{{{ rule_id }}}_non_root_partitions" version="1"> + <linux:mount_point operation="not equal">/</linux:mount_point> + </linux:partition_object> + + <!-- Build regex patterns from mount points: ^<mount_point>(/|$) + The (/|$) suffix prevents substring false matches, e.g. 
+ mount point /home should not match home directory /home2/user --> + <local_variable id="var_{{{ rule_id }}}_mount_regex" datatype="string" version="1" + comment="Regex patterns to match home dirs on non-root partitions"> + <concat> + <literal_component>^</literal_component> + <object_component item_field="mount_point" + object_ref="object_{{{ rule_id }}}_non_root_partitions"/> + <literal_component>(/|$)</literal_component> + </concat> + </local_variable> + + <!-- ============================================================ --> + <!-- Part 2: Extract home directories of interactive users --> + <!-- Interactive users: UID >= 1000, shell not nologin, --> + <!-- username not nobody/nfsnobody --> + <!-- ============================================================ --> + <ind:textfilecontent54_object id="object_{{{ rule_id }}}_interactive_users" version="1"> + <ind:filepath>/etc/passwd</ind:filepath> + <ind:pattern operation="pattern match" + >^(?:(?!nobody|nfsnobody)[^:]*):(?:[^:]*:)[1-9]\d{3,}:(?:[^:]*:){2}([^:]+):(?!(?:/usr)?/sbin/nologin$)[^:]*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <!-- ============================================================ --> + <!-- Part 3: Test that ALL interactive users' home directories --> + <!-- match at least one non-root mount point regex --> + <!-- ============================================================ --> + <ind:textfilecontent54_test id="test_{{{ rule_id }}}" + check="all" check_existence="at_least_one_exists" + version="1" + comment="All interactive user home dirs are on separate partitions"> + <ind:object object_ref="object_{{{ rule_id }}}_interactive_users"/> + <ind:state state_ref="state_{{{ rule_id }}}_on_separate_partition"/> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_state id="state_{{{ rule_id }}}_on_separate_partition" version="1"> + <ind:subexpression operation="pattern match" var_check="at least one" + 
var_ref="var_{{{ rule_id }}}_mount_regex"/> + </ind:textfilecontent54_state> + + <!-- ============================================================ --> + <!-- Part 4: Handle edge case - no interactive users on system --> + <!-- ============================================================ --> + <ind:textfilecontent54_test id="test_{{{ rule_id }}}_no_interactive_users" + check="all" check_existence="none_exist" + version="1" + comment="No interactive users exist on the system"> + <ind:object object_ref="object_{{{ rule_id }}}_interactive_users"/> + </ind:textfilecontent54_test> +</def-group> diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml new file mode 100644 index 000000000000..d50d5b5e1112 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/rule.yml 
@@ -0,0 +1,48 @@ +documentation_complete: true + +title: 'All Interactive User Home Directories Must Reside On a Separate Partition' + +description: |- + All interactive user home directories must be located on a file system + partition separate from the root (<tt>/</tt>) partition. If any interactive + user's home directory resides directly on the root file system, a failure + of that file system or a user filling it up could impact system operation. + +rationale: |- + Ensuring that interactive user home directories are on a separate + partition from the root file system prevents users from filling the root + partition, which could result in system instability or denial of service. + It also allows administrators to apply more restrictive mount options + such as <tt>noexec</tt>, <tt>nosuid</tt>, and <tt>nodev</tt> to the + partition containing user home directories. + +severity: medium + +identifiers: + cce@rhel8: CCE-90711-3 + +references: + srg: SRG-OS-000480-GPOS-00227 + +ocil_clause: 'any interactive user home directory is on the root partition' + +ocil: |- + Verify that all interactive user home directories are on a separate + file system partition with the following commands: + + List interactive users and their home directories: + <pre>$ awk -F: '($3>={{{ uid_min }}})&&($7 !~ /nologin/){print $1, $6}' /etc/passwd</pre> + + For each home directory listed, verify it is on a separate partition: + <pre>$ df <home_directory> | tail -1 | awk '{print $6}'</pre> + + If the command returns <tt>/</tt> for any interactive user home directory, + this is a finding. + +fixtext: |- + Migrate interactive user home directories that reside on the root + file system to a separate partition. + +srg_requirement: 'All {{{ full_name }}} interactive user home directories must reside on a file system separate from the root partition.' + +platform: machine 
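Review bot: in the `use_pam_wheel_group_for_su/rule.yml` hunk the OCIL now references `xccdf_value("var_pam_wheel_group_for_su.var")` while the template block in the same hunk and the deleted OVAL refer to the bare id `var_pam_wheel_group_for_su`; confirm that the `.var` suffix is what the template machinery expects, because an unresolved reference would leave the rendered OCIL without the group name. The deleted Bash remediation also inserted a missing line after `auth sufficient pam_rootok.so` (`sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}"`); where the template places a new `pam_wheel.so` line matters, since a `required` module evaluated before the `sufficient` `pam_rootok.so` changes how root's own su is handled, so add a test scenario for a /etc/pam.d/su that has no `pam_wheel.so` line at all.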
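Review bot: the interactive-user pattern in the new `accounts_user_interactive_home_directory_on_separate_partition/oval/shared.xml` hardcodes the UID threshold as `[1-9]\d{3,}` (UID >= 1000) while the rule's OCIL uses `{{{ uid_min }}}`, so the check and the manual procedure disagree on products with a different UID_MIN; derive both from the same value. Two further points on the same file: the mount points are concatenated into `var_{{{ rule_id }}}_mount_regex` without escaping, so a mount point containing regex metacharacters (a `.` in `/data.old`, for instance) matches more paths than intended, and `<linux:mount_point operation="not equal">/</linux:mount_point>` admits every mounted filesystem other than root, so a home directory placed under a tmpfs or pseudo filesystem mount would satisfy the state unless the partition probe filters those entries. Finally, on a host with no mount point other than `/` the variable resolves to zero values; check how `var_check="at least one"` evaluates in that case so the result is a fail rather than an error.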
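Review bot: in the new `accounts_user_interactive_home_directory_on_separate_partition/rule.yml`, the placeholder in `<pre>$ df <home_directory> | tail -1 | awk '{print $6}'</pre>` is unescaped inside an HTML-rendered ocil block, so `<home_directory>` will be parsed as an element rather than shown as text; write it as `&lt;home_directory&gt;` (or use a plain placeholder such as HOME_DIRECTORY). The awk filter `($7 !~ /nologin/)` also treats `/bin/false` accounts as interactive; either exclude them as well or note the limitation, and keep it in step with whatever the OVAL pattern excludes.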
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh new file mode 100644 index 000000000000..4191ed7d46f4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_root_partition.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_all +# remediation = none + +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} + +mkdir -p /root_home +useradd -m -d /root_home/testUser1 testUser1 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh new file mode 100644 index 000000000000..6b6858caa70b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/home_on_separate_partition.pass.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# platform = multi_platform_all + +. $SHARED/partition.sh + +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} + +umount /srv || true + +clean_up_partition /srv + +create_partition + +make_fstab_correct_partition_line /srv + +mount_partition /srv + +mkdir -p /srv/home +useradd -m -d /srv/home/testUser1 testUser1 
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh new file mode 100644 index 000000000000..94b1ed0b4054 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/mixed_users_one_on_root.fail.sh @@ -0,0 +1,23 @@ +#!/bin/bash +# platform = multi_platform_all +# remediation = none + +. $SHARED/partition.sh + +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} + +umount /srv || true + +clean_up_partition /srv + +create_partition + +make_fstab_correct_partition_line /srv + +mount_partition /srv + +mkdir -p /srv/home +useradd -m -d /srv/home/testUser1 testUser1 + +mkdir -p /root_home +useradd -m -d /root_home/testUser2 testUser2 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh new file mode 100644 index 000000000000..5f33e91bcd1c --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_on_separate_partition/tests/no_interactive_users.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# platform = multi_platform_all + +{{{ bash_remove_interactive_users_from_passwd_by_uid() }}} diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml index 4ddd6fdbecc9..d6a764c59f60 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-87195-4 cce@sle12: CCE-92292-2 cce@sle15: CCE-91405-1 + cce@sle16: CCE-96340-5 references: cis@sle12: 6.2.7 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml index 69e726080d45..9c3738271c36 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel10: CCE-88043-5 cce@sle12: CCE-92293-0 cce@sle15: CCE-91406-9 + cce@sle16: CCE-96099-7 references: cis@sle12: 6.2.7 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml index 630e46097f9e..df1cf7b7967a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-87460-2 cce@sle12: CCE-92290-6 cce@sle15: CCE-91403-6 + cce@sle16: CCE-96668-9 cce@slmicro5: CCE-94028-8 references: diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml index d945e84c2b55..46ddf596ed6e 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml 
@@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-87771-2 cce@sle12: CCE-83097-6 cce@sle15: CCE-85630-2 + cce@sle16: CCE-96448-6 cce@slmicro5: CCE-93749-0 cce@slmicro6: CCE-95059-2 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml index 8d3ae79e0aae..d62e681a65e2 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -29,6 +29,7 @@ identifiers: cce@rhel10: CCE-88580-6 cce@sle12: CCE-91530-6 cce@sle15: CCE-91215-4 + cce@sle16: CCE-95724-1 cce@slmicro5: CCE-94023-9 references: diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml index 7e9fd1b6dcf4..2169d4fa5f9c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-89314-9 cce@sle12: CCE-83052-1 cce@sle15: CCE-85659-1 + cce@sle16: CCE-96038-5 cce@slmicro5: CCE-93753-2 cce@slmicro6: CCE-95089-9 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml index 09900441660f..93adfed8d28c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml 
@@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-87651-6 cce@sle12: CCE-91531-4 cce@sle15: CCE-91216-2 + cce@sle16: CCE-96140-9 cce@slmicro5: CCE-94024-7 references: diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 41ee2618721c..e4796100e88f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -19,7 +19,7 @@ identifiers: cce@rhel10: CCE-87932-0 cce@sle12: CCE-91532-2 cce@sle15: CCE-91217-0 - + cce@sle16: CCE-96649-9 ocil_clause: 'I/OMMU is not activated' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index 8776d5bf3287..e457bb00cce3 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel8: CCE-88123-5 cce@rhel9: CCE-89123-4 cce@rhel10: CCE-86521-2 + cce@sle16: CCE-96540-0 ocil_clause: 'l1tf mitigations are not configured appropriately' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index b9d0db90b0f8..35cca812501a 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel8: CCE-87098-0 cce@rhel9: CCE-88098-9 cce@rhel10: CCE-87067-5 + cce@sle16: CCE-95847-0 ocil_clause: 'MCE tolerance is not set to zero' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index 5ef143096710..659ce0038ea1 100644 
--- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-87345-5 cce@rhel9: CCE-88345-4 cce@rhel10: CCE-89372-7 + cce@sle16: CCE-95742-3 ocil_clause: 'the kernel is configured to disable SMAP' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml index ed4f2ce3dfc1..1448e85596f0 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml @@ -31,6 +31,7 @@ identifiers: cce@rhel8: CCE-89567-2 cce@rhel9: CCE-90567-9 cce@rhel10: CCE-90519-0 + cce@sle16: CCE-95794-4 ocil_clause: 'trust on hardware random number generator is not configured appropriately' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml index bc977ab55fac..4fff9eee7baf 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml @@ -29,6 +29,7 @@ identifiers: cce@rhel8: CCE-86777-0 cce@rhel9: CCE-87770-4 cce@rhel10: CCE-89884-1 + cce@sle16: CCE-95733-2 ocil_clause: 'merging of slabs with similar size is enabled' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml index 67870630e885..608da7e8a0a7 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml 
@@ -33,6 +33,7 @@ identifiers: cce@rhel8: CCE-89234-9 cce@rhel9: CCE-90234-6 cce@rhel10: CCE-89300-8 + cce@sle16: CCE-95929-6 ocil_clause: 'SSB is not configured appropriately' diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index c605b0770177..c1f8cd5e485f 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -9,14 +9,14 @@ description: |- <br /><br /> Since plaintext passwords are a security risk, generate a hash for the password by running the following command: - {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or 'ubuntu' in product %}} + {{% if 'sle' in product or 'slmicro' in product or 'ubuntu' in product %}} <pre># grub2-mkpasswd-pbkdf2</pre> {{% else %}} <pre># grub2-setpassword</pre> {{% endif %}} When prompted, enter the password that was selected. <br /><br /> - {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6"] or 'ubuntu' in product %}} + {{% if 'sle' in product or 'slmicro' in product or 'ubuntu' in product %}} Using the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt> file with the following content: <pre>set superusers="boot" diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml index f85ec95dda05..e2d216c22c60 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-85915-7 cce@rhel9: CCE-86696-2 cce@rhel10: CCE-88090-6 + cce@sle16: CCE-96462-7 references: cis-csc: 12,13,14,15,16,18,3,5 
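Review bot: in the `non-uefi/grub2_password/rule.yml` hunk, `{{% if 'sle' in product or 'slmicro' in product or 'ubuntu' in product %}}` is a substring test, so it selects the `grub2-mkpasswd-pbkdf2` instructions for any product id containing `sle`, not only the SLE releases that the previous explicit list named; if the intent is just to add sle16, consider extending the list so a future product id with that substring is not silently switched over.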
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml index b8886be9fb7b..d58624623dbb 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-86012-2 cce@rhel9: CCE-86013-0 cce@rhel10: CCE-87222-6 + cce@sle16: CCE-96609-3 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml index 3ee7b3854c55..d2432647b3d0 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel8: CCE-85913-2 cce@rhel9: CCE-86695-4 cce@rhel10: CCE-89243-0 + cce@sle16: CCE-96057-5 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml index 89f771cab2b7..9587955025d3 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-86021-3 cce@rhel9: CCE-86022-1 cce@rhel10: CCE-89217-4 + cce@sle16: CCE-96438-7 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml index a4a7abb81ba4..bc9267378c97 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel8: CCE-85912-4 cce@rhel9: CCE-85925-6 cce@rhel10: CCE-88815-6 + cce@sle16: CCE-96129-2 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml index 29b2d1b53306..274b9f55651f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel8: CCE-86028-8 cce@rhel9: CCE-86029-6 cce@rhel10: CCE-90297-3 + cce@sle16: CCE-96025-2 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml index 07f99ff5bba8..170d6e34ab17 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml 
@@ -7,6 +7,15 @@ <criterion comment="Superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg and it isn't root, admin, administrator nor equal to any system username" test_ref="test_bootloader_uefi_superuser_differ_from_other_users"/> +{{% if product in ["rhel8"] %}} +<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg --> + <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg"> + <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_admin_username_stub" /> + <criterion comment="Superuser is defined in {{{ grub2_boot_path }}}/grub.cfg and it + isn't root, admin, administrator nor equal to any system username" + test_ref="test_bootloader_uefi_boot_superuser_differ_from_other_users"/> + </criteria> +{{% endif %}} </criteria> </definition> 
@@ -33,10 +42,36 @@ <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" /> </ind:textfilecontent54_test> +{{% set superusers_regex = '^[\\s]*set[\\s]+superusers="(?i)\\b(?!(?:root|admin|administrator)\\b)(\\w+)".*\\n[\\s]*export[\\s]+superusers[\\s]*$' %}} + <ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1"> <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath> - <ind:pattern operation="pattern match" - >^[\s]*set[\s]+superusers="(?i)\b(?!(?:root|admin|administrator)\b)(\w+)".*\n[\s]*export[\s]+superusers[\s]*$</ind:pattern> + <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +{{% if product in ["rhel8"] %}} + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_admin_username_stub" version="1"> + <ind:object object_ref="object_grub2_uefi_admin_username_stub" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_grub2_uefi_admin_username_stub" version="1"> + <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser + is defined in {{{ grub2_boot_path }}}/grub.cfg. 
Superuser is not + equal to other system account nor root, admin, administrator" + id="test_bootloader_uefi_boot_superuser_differ_from_other_users" version="1"> + <ind:object object_ref="object_bootloader_uefi_boot_unique_superuser" /> + <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_bootloader_uefi_boot_unique_superuser" version="1"> + <ind:filepath>{{{ grub2_boot_path }}}/grub.cfg</ind:filepath> + <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> +{{% endif %}} + </def-group> diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh new file mode 100644 index 000000000000..4c077fa1bb1f --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 + +. $SHARED/grub2.sh + +cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg +search --no-floppy --set prefix --file /boot/grub2/grub.cfg +set prefix=($prefix)/boot/grub2 +configfile $prefix/grub.cfg +EOF + +GRUB_CFG_ROOT="/boot/grub2" +set_superusers "root" diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh new file mode 100644 index 000000000000..45a6bb0c61f2 --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh 
@@ -0,0 +1,13 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 + +. $SHARED/grub2.sh + +cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg +search --no-floppy --set prefix --file /boot/grub2/grub.cfg +set prefix=($prefix)/boot/grub2 +configfile $prefix/grub.cfg +EOF + +GRUB_CFG_ROOT="/boot/grub2" +set_superusers "koskic" diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml index 6323828071e6..c780cf69e5e1 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml @@ -4,9 +4,16 @@ <criteria operator="OR"> <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" /> +{{% if product in ["rhel8"] %}} +<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg --> + <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg"> + <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_password_stub" /> + <criterion comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_boot_usercfg" /> + </criteria> +{{% endif %}} </criteria> </definition> - + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" id="test_grub2_uefi_password_usercfg" version="1"> <ind:object object_ref="object_grub2_uefi_password_usercfg" /> </ind:textfilecontent54_test> 
@@ -16,4 +23,24 @@ <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> +{{% if product in ["rhel8"] %}} + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_password_stub" version="1"> + <ind:object object_ref="object_grub2_uefi_password_stub" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_grub2_uefi_password_stub" version="1"> + <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" id="test_grub2_uefi_password_boot_usercfg" version="1"> + <ind:object object_ref="object_grub2_uefi_password_boot_usercfg" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_grub2_uefi_password_boot_usercfg" version="1"> + <ind:filepath>{{{ grub2_boot_path }}}/user.cfg</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +{{% endif %}} + </def-group> diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh deleted file mode 100644 index c477fd7a9acd..000000000000 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/bash - -# remediation = none - -. $SHARED/grub2.sh - -set_grub_uefi_root - -make_grub_password -sed -i '/set superusers/d' /boot/grub/grub.cfg -sed -i '/export superusers/d' /boot/grub/grub.cfg -set_superusers "use r" diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh new file mode 100644 index 000000000000..0673a07f6c1a --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 + +. $SHARED/grub2.sh + +cp "/boot/efi/EFI/redhat/user.cfg" "/boot/grub2/user.cfg" +cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg +search --no-floppy --set prefix --file /boot/grub2/grub.cfg +set prefix=($prefix)/boot/grub2 +configfile $prefix/grub.cfg +EOF +rm -rf "/boot/grub2/user.cfg" diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh new file mode 100644 index 000000000000..13dd27d8aca1 --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 + +. $SHARED/grub2.sh + +cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg +search --no-floppy --set prefix --file /boot/grub2/grub.cfg +set prefix=($prefix)/boot/grub2 +configfile $prefix/grub.cfg +EOF + +GRUB_CFG_ROOT="/boot/grub2" +make_grub_password diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml index 475566370679..e8783af728ce 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_acpi_custom_method/rule.yml 
@@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-86778-8 cce@rhel9: CCE-86779-6 cce@rhel10: CCE-89223-2 + cce@sle16: CCE-95814-0 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml index 212d9ef32b80..4788e37e4876 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_binfmt_misc/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-87766-2 cce@rhel9: CCE-87767-0 cce@rhel10: CCE-87210-1 + cce@sle16: CCE-96265-4 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml index a92d750936c0..6c11fa7bba27 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_bug/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-86095-7 cce@rhel9: CCE-86096-5 cce@rhel10: CCE-89980-7 + cce@sle16: CCE-96106-0 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml index 22af2d7de31d..5d112e988cae 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_brk/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel8: CCE-88962-6 cce@rhel9: CCE-88963-4 cce@rhel10: CCE-90053-0 + cce@sle16: CCE-95981-7 ocil_clause: 'the kernel was not built with the required value' 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml index ff138943aedf..259cfa6521a6 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_compat_vdso/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-87256-4 cce@rhel9: CCE-87257-2 cce@rhel10: CCE-88353-8 + cce@sle16: CCE-96692-9 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml index 9751b1e43b51..7e21594b0534 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_credentials/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel8: CCE-86656-6 cce@rhel9: CCE-86657-4 cce@rhel10: CCE-88628-3 + cce@sle16: CCE-96017-9 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml index c325f6265d8f..7170b89ea250 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_fs/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-88033-6 cce@rhel9: CCE-89033-5 cce@rhel10: CCE-90684-2 + cce@sle16: CCE-96629-1 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml index 8b43c839bf66..3566c6a9d7af 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml 
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_list/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-86986-7 cce@rhel9: CCE-86987-5 cce@rhel10: CCE-86739-0 + cce@sle16: CCE-96574-9 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml index 17c0e1980733..ee4a6269a263 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_notifiers/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-86814-1 cce@rhel9: CCE-86815-8 cce@rhel10: CCE-89355-2 + cce@sle16: CCE-96344-7 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml index 8d27a5881e70..466899913901 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_debug_sg/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-87148-3 cce@rhel9: CCE-87149-1 cce@rhel10: CCE-89292-7 + cce@sle16: CCE-96359-5 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml index e9f2443a603b..fad386a0619d 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_default_mmap_min_addr/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel8: CCE-88160-7 cce@rhel9: CCE-88161-5 cce@rhel10: CCE-90330-2 + cce@sle16: CCE-96450-2 platform: x86_64_arch or aarch64_arch 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml index 16100ff20e37..57f5fd0804cd 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_devkmem/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-86947-9 cce@rhel9: CCE-86948-7 cce@rhel10: CCE-87428-9 + cce@sle16: CCE-96408-0 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml index 9e05dd5b022c..ae1341bee709 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_hibernation/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-87608-6 cce@rhel9: CCE-87609-4 cce@rhel10: CCE-87786-0 + cce@sle16: CCE-95950-2 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml index 60d176410d84..42d615759ab3 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_ia32_emulation/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-88746-3 cce@rhel9: CCE-88747-1 cce@rhel10: CCE-87905-6 + cce@sle16: CCE-96396-7 platform: x86_64_arch diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml index c7ba5d36f3cb..25c384c9b817 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_kexec/rule.yml 
@@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-87488-3 cce@rhel9: CCE-87489-1 cce@rhel10: CCE-89414-7 + cce@sle16: CCE-95737-3 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml index 0662aab9b4d3..0c143f0929db 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_legacy_ptys/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-87925-4 cce@rhel9: CCE-87926-2 cce@rhel10: CCE-89570-6 + cce@sle16: CCE-95831-4 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml index 4f1bea71d00a..a23af42481e2 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-89378-4 cce@rhel9: CCE-89379-2 cce@rhel10: CCE-86836-4 + cce@sle16: CCE-96615-0 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml index 37e9f12e17db..dfe5a018fb5d 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_all/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-89615-9 cce@rhel9: CCE-89616-7 cce@rhel10: CCE-86520-4 + cce@sle16: CCE-95955-1 ocil_clause: 'the kernel was not built with the required value' 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml index 208327b194e7..f430259f7ef7 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_force/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-89459-2 cce@rhel9: CCE-89460-0 cce@rhel10: CCE-89203-4 + cce@sle16: CCE-95719-1 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml index f05c876e20ce..3786b5bd0ac4 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_hash/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-89843-7 cce@rhel9: CCE-89844-5 cce@rhel10: CCE-87400-8 + cce@sle16: CCE-96452-8 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml index cf1c3d8e6f0e..edd1c1b88e8e 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_key/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel8: CCE-90000-1 cce@rhel9: CCE-89999-7 cce@rhel10: CCE-90444-1 + cce@sle16: CCE-96015-3 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml index 723b7653d364..3fc61093df5d 100644 
--- a/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_module_sig_sha512/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-89692-8 cce@rhel9: CCE-89691-0 cce@rhel10: CCE-87565-8 + cce@sle16: CCE-96566-5 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml index 89e9f627a722..8b4577861b6f 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_no_sanity/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-88574-9 cce@rhel9: CCE-88575-6 cce@rhel10: CCE-87844-7 + cce@sle16: CCE-96130-0 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml index adf28b0b2722..4e7465236c53 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_poisoning_zero/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-88808-1 cce@rhel9: CCE-88809-9 cce@rhel10: CCE-90278-3 + cce@sle16: CCE-96575-6 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml index 08624fe8a169..8d18465fdc86 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_page_table_isolation/rule.yml 
@@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-88591-3 cce@rhel9: CCE-88592-1 cce@rhel10: CCE-88464-3 + cce@sle16: CCE-96529-3 platform: x86_64_arch diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml index f712157a12ec..a99c8997a2e4 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_on_oops/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-86176-5 cce@rhel9: CCE-86177-3 cce@rhel10: CCE-89985-6 + cce@sle16: CCE-95726-6 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml index 32d45b4ca2fa..c7b5e2809366 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_panic_timeout/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-86349-8 cce@rhel9: CCE-86350-6 cce@rhel10: CCE-86964-4 + cce@sle16: CCE-96235-7 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml index a43931553372..602e57da57fd 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_proc_kcore/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-87105-3 cce@rhel9: CCE-87106-1 cce@rhel10: CCE-88511-1 + cce@sle16: CCE-96083-1 ocil_clause: 'the kernel was not built with the required value' 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml index 5c1576aa8a46..66f6764d5bf3 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_base/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-88318-1 cce@rhel9: CCE-88319-9 cce@rhel10: CCE-87989-0 + cce@sle16: CCE-96510-3 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml index 827c666e449e..9990da02bb70 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_randomize_memory/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-88440-3 cce@rhel9: CCE-88441-1 cce@rhel10: CCE-88383-5 + cce@sle16: CCE-95989-0 platform: x86_64_arch diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml index 261cd8a6ce80..059fe0c80fbc 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_retpoline/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-87494-1 cce@rhel9: CCE-87495-8 cce@rhel10: CCE-89562-3 + cce@sle16: CCE-96519-4 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml index 201464ba05f5..b9d32b907bc0 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml 
+++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel9: CCE-86451-2 cce@rhel10: CCE-87403-2 cce@sle15: CCE-92567-7 + cce@sle16: CCE-95777-9 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml index fe3a38d84372..4c8a428075ee 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_seccomp_filter/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel9: CCE-86491-8 cce@rhel10: CCE-89407-1 cce@sle15: CCE-92568-5 + cce@sle16: CCE-96560-8 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml index f60cbb144a9e..98d382eeffe0 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel9: CCE-86573-3 cce@rhel10: CCE-87679-7 cce@sle15: CCE-92570-1 + cce@sle16: CCE-96259-7 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml index 707e3b575b47..4ac0bed31b1c 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_dmesg_restrict/rule.yml 
@@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-87339-8 cce@rhel9: CCE-87340-6 cce@rhel10: CCE-89137-4 + cce@sle16: CCE-96445-2 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml index 781acca096a1..ad631811de4a 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_writable_hooks/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel9: CCE-86885-1 cce@rhel10: CCE-89825-4 cce@sle15: CCE-92571-9 + cce@sle16: CCE-95918-9 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml index 8f0d39a03642..607e85f3da64 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_security_yama/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel9: CCE-86717-6 cce@rhel10: CCE-87793-6 cce@sle15: CCE-92572-7 + cce@sle16: CCE-96626-7 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml index 7a15122c2f8c..e881ea27183f 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_slub_debug/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel8: CCE-88275-3 cce@rhel9: CCE-88276-1 cce@rhel10: CCE-87071-7 + cce@sle16: CCE-95987-4 ocil_clause: 'the kernel was not built with the required value' 
diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml index 6388d834e296..905f36091301 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_syn_cookies/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel8: CCE-87330-7 cce@rhel9: CCE-87331-5 cce@rhel10: CCE-89322-2 + cce@sle16: CCE-95924-7 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml index 742d5d6a5315..3bde406e4f86 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_unmap_kernel_at_el0/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel8: CCE-89179-6 cce@rhel9: CCE-89180-4 cce@rhel10: CCE-90608-1 + cce@sle16: CCE-95872-8 platform: aarch64_arch diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml index b4519fe5d52e..afb1739706db 100644 --- a/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml +++ b/linux_os/guide/system/kernel_build_config/kernel_config_x86_vsyscall_emulation/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel8: CCE-87883-5 cce@rhel9: CCE-87884-3 cce@rhel10: CCE-88133-4 + cce@sle16: CCE-96298-5 ocil_clause: 'the kernel was not built with the required value' diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml index f9f947d0bc79..e18fad5ddd4f 100644 
--- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml @@ -4,19 +4,25 @@ # complexity = low # disruption = low -- name: Configure daily log rotation in /etc/logrotate.conf +{{% if product == 'sle16' %}} +{{% set LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" %}} +{{% else %}} +{{% set LOGROTATE_CONF_FILE="/etc/logrotate.conf" %}} +{{% endif %}} + +- name: "Configure daily log rotation in {{{ LOGROTATE_CONF_FILE }}}" ansible.builtin.lineinfile: create: yes - dest: "/etc/logrotate.conf" + dest: {{{ LOGROTATE_CONF_FILE }}} regexp: '^\s*(weekly|monthly|yearly)$' line: "daily" state: present insertbefore: BOF -- name: Make sure daily log rotation setting is not overridden in /etc/logrotate.conf +- name: "Make sure daily log rotation setting is not overridden in {{{ LOGROTATE_CONF_FILE }}}" ansible.builtin.lineinfile: create: no - dest: "/etc/logrotate.conf" + dest: {{{ LOGROTATE_CONF_FILE }}} regexp: '^[\s]*(weekly|monthly|yearly)$' state: absent @@ -39,7 +45,7 @@ - name: Add logrotate call ansible.builtin.lineinfile: path: "/etc/cron.daily/logrotate" - line: '/usr/sbin/logrotate /etc/logrotate.conf' - regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' + line: '/usr/sbin/logrotate {{{ LOGROTATE_CONF_FILE }}}' + regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*{{{ LOGROTATE_CONF_FILE }}}$' create: yes {{% endif %}} diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh index c55cd9de94a6..82446d128faa 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/bash/shared.sh 
@@ -1,6 +1,10 @@ # platform = multi_platform_all -LOGROTATE_CONF_FILE="/etc/logrotate.conf" +{{% if product == 'sle16' %}} +LOGROTATE_CONF_FILE='/usr/etc/logrotate.conf' +{{% else %}} +LOGROTATE_CONF_FILE='/etc/logrotate.conf' +{{% endif %}} {{% if 'sle' in product or product == 'slmicro5' %}} SYSTEMCTL_EXEC='/usr/bin/systemctl' {{% else %}} diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml index 907b69cc31e3..762e706a563d 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml @@ -11,7 +11,7 @@ test_ref="test_logrotate_conf_no_other_keyword" /> <criteria comment="Check if either logrotate timer or cron job is enabled" operator="OR"> <criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" test_ref="test_cron_daily_logrotate_existence" /> -{{% if product in ["ol9", "rhcos4", "rhel9", "rhel10", "sle12", "sle15", "slmicro5"] %}} +{{% if 'sle' in product or product in ["ol9", "rhcos4", "rhel9", "rhel10", "slmicro5"] %}} <criterion comment="Check if logrotate timer is enabled" test_ref="test_logrotate_enabled_systemd_target" /> {{% endif %}} </criteria> @@ -25,7 +25,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_logrotate_conf_daily_setting" version="2"> +{{% if product == 'sle16' %}} + <ind:filepath>/usr/etc/logrotate.conf</ind:filepath> +{{% else %}} <ind:filepath>/etc/logrotate.conf</ind:filepath> +{{% endif %}} <ind:pattern operation="pattern match">^\s*daily[\s#]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> 
@@ -37,7 +41,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_logrotate_conf_no_other_keyword" version="2"> +{{% if product == 'sle16' %}} + <ind:filepath>/usr/etc/logrotate.conf</ind:filepath> +{{% else %}} <ind:filepath>/etc/logrotate.conf</ind:filepath> +{{% endif %}} <ind:pattern operation="pattern match">^\s*(weekly|monthly|yearly)[\s#]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> @@ -54,7 +62,7 @@ <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> - {{% if product in ["ol9", "rhcos4", "rhel9", "rhel10", "sle12", "sle15", "slmicro5"] %}} + {{% if 'sle' in product or product in ["ol9", "rhcos4", "rhel9", "rhel10", "slmicro5"] %}} <unix:file_test check="all" check_existence="all_exist" comment="look for logrotate.timer in multi-user.target.wants and timers.target.wants" id="test_logrotate_enabled_systemd_target" version="1"> diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml index 1e1b45b98055..3fbda225bc36 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel10: CCE-88779-4 cce@sle12: CCE-91511-6 cce@sle15: CCE-85850-6 + cce@sle16: CCE-96682-0 cce@slmicro5: CCE-94014-8 references: diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh index de41c7b2844b..7e3bf2ae36ac 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_weekly.fail.sh 
@@ -1,3 +1,8 @@ #!/bin/bash -sed -i "s/daily/weekly/" /etc/logrotate.conf +{{% if product == 'sle16' %}} +LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" +{{% else %}} +LOGROTATE_CONF_FILE="/etc/logrotate.conf" +{{% endif %}} +sed -i "s/daily/weekly/" "${LOGROTATE_CONF_FILE}" diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh index 86b1ca86090d..9ae01cc789bd 100644 --- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh +++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_no_cron_daily_no_timer.fail.sh @@ -2,11 +2,17 @@ # packages = logrotate,crontabs +{{% if product == 'sle16' %}} +LOGROTATE_CONF_FILE="/usr/etc/logrotate.conf" +{{% else %}} +LOGROTATE_CONF_FILE="/etc/logrotate.conf" +{{% endif %}} + # disable the timer systemctl disable logrotate.timer || true # fix logrotate config -sed -i "s/weekly/daily/" /etc/logrotate.conf +sed -i "s/weekly/daily/" "${LOGROTATE_CONF_FILE}" # remove default for cron.daily rm -f /etc/cron.daily/logrotate diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml index da05bbd7db9b..47a7de4f9934 100644 --- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml +++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-89106-9 cce@sle12: CCE-91512-4 cce@sle15: CCE-91199-0 + cce@sle16: CCE-95816-5 references: srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061 
@@ -42,6 +43,7 @@ template: pkgname: rsyslog-gnutls pkgname@sle12: rsyslog-module-gtls pkgname@sle15: rsyslog-module-gtls + pkgname@sle16: rsyslog-module-gtls fixtext: |- {{% if 'sle' not in product %}} diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml index 7e245593bc8b..198927dcd228 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-86592-3 cce@sle12: CCE-91513-2 cce@sle15: CCE-91200-6 + cce@sle16: CCE-96405-6 references: nist: AU-9(3),CM-6(a) diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml index c9a7555c5e27..ff8c4ee91c3c 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-88456-9 cce@sle12: CCE-91514-0 cce@sle15: CCE-91201-4 + cce@sle16: CCE-96407-2 references: srg: SRG-OS-000480-GPOS-00227 diff --git a/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml index 00c3bccff8e8..817074dc64f4 100644 --- a/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86439-7 cce@rhel10: CCE-88800-8 cce@sle15: CCE-92499-3 + cce@sle16: CCE-96533-5 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.d", group="root") }}}' 
diff --git a/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml index ee3fd8aacb67..bbee4ba1f94c 100644 --- a/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/directory_owner_etc_ipsecd/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86303-5 cce@rhel10: CCE-87636-7 cce@sle15: CCE-92508-1 + cce@sle16: CCE-96161-5 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ipsec.d", owner="root") }}}' diff --git a/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml b/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml index 3ac5d4a863ad..9caeafde3ecb 100644 --- a/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/directory_permissions_etc_ipsecd/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86306-8 cce@rhel10: CCE-88730-7 cce@sle15: CCE-92517-2 + cce@sle16: CCE-96356-1 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ipsec.d", perms="0700") }}}' diff --git a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml index 6ded8f5d59e0..88e0642ac261 100644 --- a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_conf/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86387-8 cce@rhel10: CCE-86941-2 cce@sle15: CCE-92535-4 + cce@sle16: CCE-96555-8 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.conf", group="root") }}}' 
diff --git a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml index 3335f4d11050..121c920acf70 100644 --- a/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/file_groupowner_etc_ipsec_secrets/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86398-5 cce@rhel10: CCE-89956-7 cce@sle15: CCE-92537-0 + cce@sle16: CCE-96394-2 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.secrets", group="root") }}}' diff --git a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml index d34d45083769..2c3cca80ac6b 100644 --- a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_conf/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86389-4 cce@rhel9: CCE-86391-0 cce@rhel10: CCE-87602-9 + cce@sle16: CCE-96255-5 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ipsec.conf", owner="root") }}}' diff --git a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml index e852dc2af01e..f16a7747691f 100644 --- a/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/file_owner_etc_ipsec_secrets/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86400-9 cce@rhel9: CCE-86401-7 cce@rhel10: CCE-89330-5 + cce@sle16: CCE-96064-1 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ipsec.secrets", owner="root") }}}' 
diff --git a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml index ad04bc9de2ac..a9112623365e 100644 --- a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_conf/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86393-6 cce@rhel9: CCE-86395-1 cce@rhel10: CCE-86443-9 + cce@sle16: CCE-95807-4 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ipsec.conf", perms="0644") }}}' diff --git a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml index 41e2d7994ad3..cae7c2174d21 100644 --- a/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/file_permissions_etc_ipsec_secrets/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86410-8 cce@rhel9: CCE-86411-6 cce@rhel10: CCE-89450-1 + cce@sle16: CCE-96190-4 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ipsec.secrets", perms="0644") }}}' diff --git a/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml index 850de8d57516..fd61baff835a 100644 --- a/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml +++ b/linux_os/guide/system/network/network-iptables/directory_groupowner_etc_iptables/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86426-4 cce@rhel9: CCE-86427-2 cce@rhel10: CCE-86460-3 + cce@sle16: CCE-95799-3 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/iptables", group="root") }}}' 
diff --git a/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml index 73bee5710314..61e65cf453d5 100644 --- a/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml +++ b/linux_os/guide/system/network/network-iptables/directory_owner_etc_iptables/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86429-8 cce@rhel9: CCE-86430-6 cce@rhel10: CCE-89981-5 + cce@sle16: CCE-96146-6 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/iptables", owner="root") }}}' diff --git a/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml b/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml index fe8bfe7c1de6..9ca60ed074a1 100644 --- a/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml +++ b/linux_os/guide/system/network/network-iptables/directory_permissions_etc_iptables/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86435-5 cce@rhel9: CCE-86436-3 cce@rhel10: CCE-86577-4 + cce@sle16: CCE-96612-7 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/iptables", perms="0700") }}}' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml index 3b7fa656ccf9..d6c3e91138fa 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml 
@@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-90653-7 cce@sle12: CCE-91517-3 cce@sle15: CCE-91202-2 + cce@sle16: CCE-96633-3 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml index b1e75aa592d6..449358c21675 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-88717-4 cce@sle12: CCE-91518-1 cce@sle15: CCE-91203-0 + cce@sle16: CCE-95919-7 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml index 82d235cf30bf..7ba89e5d8ff1 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-90302-1 cce@sle12: CCE-91519-9 cce@sle15: CCE-91204-8 + cce@sle16: CCE-96383-5 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml index 551d15a411a9..027e308f53db 100644 
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel10: CCE-90083-7 cce@sle12: CCE-83246-9 cce@sle15: CCE-85708-6 + cce@sle16: CCE-96632-5 cce@slmicro5: CCE-93635-1 cce@slmicro6: CCE-95079-0 diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml index d5356b7436e0..a96d1af2a24b 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-90450-8 cce@sle12: CCE-83078-6 cce@sle15: CCE-85649-2 + cce@sle16: CCE-96132-6 cce@slmicro5: CCE-93630-2 cce@slmicro6: CCE-95074-1 diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml index 9488675532ca..2b6704e6c378 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_autoconf/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-88386-8 cce@sle12: CCE-91520-7 cce@sle15: CCE-91205-5 + cce@sle16: CCE-96669-7 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.autoconf", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml index 66431fe69b3e..413d120c2f30 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_max_addresses/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel10: CCE-88552-5 cce@sle12: CCE-91521-5 cce@sle15: CCE-91206-3 + cce@sle16: CCE-96622-6 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.max_addresses", value="1") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml index c58038f96902..b9e6f37fbc6c 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_router_solicitations/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-89461-8 cce@sle12: CCE-91522-3 cce@sle15: CCE-91207-1 + cce@sle16: CCE-96065-8 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.router_solicitations", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml index 72703a4ddd80..eed209869204 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml 
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-88613-5 cce@sle12: CCE-91523-1 cce@sle15: CCE-91208-9 + cce@sle16: CCE-96411-4 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml index b44a8ec176c9..f426bfda0309 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-88012-0 cce@sle12: CCE-91524-9 cce@sle15: CCE-91209-7 + cce@sle16: CCE-96557-4 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml index 24855b34558d..8be051de79ce 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-90749-3 cce@sle12: CCE-91525-6 cce@sle15: CCE-91210-5 + cce@sle16: CCE-96589-7 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml index 7db2187f43ec..8f8f0be40d5b 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel10: CCE-89486-5 cce@sle12: CCE-83223-8 cce@sle15: CCE-85722-7 + cce@sle16: CCE-96192-0 cce@slmicro5: CCE-93636-9 cce@slmicro6: CCE-95080-8 diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml index 3c5b873a4c98..26697c15d21c 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_autoconf/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-86607-9 cce@sle12: CCE-91526-4 cce@sle15: CCE-91211-3 + cce@sle16: CCE-96177-1 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.autoconf", value="0") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml index 1ca02e21ab20..60f370531c26 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_max_addresses/rule.yml 
@@ -17,6 +17,7 @@ identifiers: cce@rhel10: CCE-89273-7 cce@sle12: CCE-91527-2 cce@sle15: CCE-91212-1 + cce@sle16: CCE-95727-4 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.max_addresses", value="1") }}} diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml index a6fd5ec63f57..5ecba12f7eb4 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_router_solicitations/rule.yml @@ -15,6 +15,7 @@ identifiers: cce@rhel10: CCE-89658-9 cce@sle12: CCE-91528-0 cce@sle15: CCE-91213-9 + cce@sle16: CCE-96390-0 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.router_solicitations", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml index 5091848972c4..cde2ea069c6a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_local/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-88789-3 cce@rhel9: CCE-89789-2 cce@rhel10: CCE-86895-0 + cce@sle16: CCE-96055-9 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_local", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index fb26eb41907a..654a99a37f0d 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-90409-4 cce@sle12: CCE-83090-1 cce@sle15: CCE-85651-8 + cce@sle16: CCE-96527-7 cce@slmicro5: CCE-93633-6 cce@slmicro6: CCE-95077-4 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index 5fd871ab0fea..9bd302a891fb 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-90165-2 cce@sle12: CCE-83064-6 cce@sle15: CCE-85648-4 + cce@sle16: CCE-96355-3 cce@slmicro5: CCE-93629-4 cce@slmicro6: CCE-95073-3 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml index fc747f705c48..ac9db557bdcd 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_filter/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel9: CCE-89555-7 cce@rhel10: CCE-89431-1 cce@sle15: CCE-92609-7 + cce@sle16: CCE-96549-1 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.arp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_arp_filter_value")) }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml index 916872b8ffe0..9302d69a4d77 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_arp_ignore/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel9: CCE-89889-0 cce@rhel10: CCE-87433-9 cce@sle15: CCE-92610-5 + cce@sle16: CCE-96367-8 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.arp_ignore", value=xccdf_value("sysctl_net_ipv4_conf_all_arp_ignore")) }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml index c3a61454b8e4..b3c83e6a668a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_drop_gratuitous_arp/rule.yml 
@@ -18,6 +18,7 @@ identifiers: cce@rhel8: CCE-88001-3 cce@rhel9: CCE-89001-2 cce@rhel10: CCE-89975-7 + cce@sle16: CCE-96672-1 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.drop_gratuitous_arp", value="1") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml index cd544692838a..3c2723ad9125 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_route_localnet/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel9: CCE-89023-6 cce@rhel10: CCE-87566-6 cce@sle15: CCE-92611-3 + cce@sle16: CCE-96513-7 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.route_localnet", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml index 311db0b56990..8a1d5353ccef 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_shared_media/rule.yml @@ -14,6 +14,7 @@ identifiers: cce@rhel8: CCE-88333-0 cce@rhel9: CCE-89333-9 cce@rhel10: CCE-87897-5 + cce@sle16: CCE-95865-2 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.shared_media", value="0") }}} 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml index 81acc33e797e..8658fc9a8c75 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-88071-6 cce@sle12: CCE-83079-4 cce@sle15: CCE-85650-0 + cce@sle16: CCE-96076-5 cce@slmicro5: CCE-93631-0 cce@slmicro6: CCE-95075-8 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml index b57fd00eea2f..332b397304fe 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-87424-8 cce@sle12: CCE-91534-8 cce@sle15: CCE-91219-6 + cce@sle16: CCE-96229-0 cce@slmicro5: CCE-93989-2 references: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml index e93e06ac07ab..d0fcab062731 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel10: CCE-87878-5 cce@sle12: CCE-91536-3 cce@sle15: CCE-91221-2 + cce@sle16: CCE-96196-1 cce@slmicro5: CCE-93988-4 references: diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml index 03b578066423..6b58733b25c2 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_shared_media/rule.yml @@ -14,6 +14,7 @@ identifiers: cce@rhel8: CCE-88444-5 cce@rhel9: CCE-89444-4 cce@rhel10: CCE-89010-3 + cce@sle16: CCE-96642-4 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.shared_media", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml index 942c1351b285..8edb7ace3694 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml 
@@ -18,6 +18,7 @@ identifiers: cce@rhel10: CCE-90347-6 cce@sle12: CCE-91540-5 cce@sle15: CCE-91225-3 + cce@sle16: CCE-96447-8 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml index d6721442dc54..1fe1d752c719 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel10: CCE-86164-1 cce@sle12: CCE-91538-9 cce@sle15: CCE-91223-8 + cce@sle16: CCE-96069-0 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_rfc1337", value="1") }}} diff --git a/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml index 4838427b8bcb..4b0b04bb39b9 100644 --- a/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml +++ b/linux_os/guide/system/network/network-nftables/directory_groupowner_etc_nftables/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86309-2 cce@rhel10: CCE-87879-3 cce@sle15: CCE-92500-8 + cce@sle16: CCE-96397-5 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/nftables", group="root") }}}' diff --git a/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml index 14eb51f4a138..d1e8d31f6366 100644 --- a/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml 
+++ b/linux_os/guide/system/network/network-nftables/directory_owner_etc_nftables/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86313-4 cce@rhel10: CCE-88672-1 cce@sle15: CCE-92509-9 + cce@sle16: CCE-96211-8 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/nftables", owner="root") }}}' diff --git a/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml b/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml index a9d01ad9c783..4acab56b2bd9 100644 --- a/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml +++ b/linux_os/guide/system/network/network-nftables/directory_permissions_etc_nftables/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86320-9 cce@rhel10: CCE-88802-4 cce@sle15: CCE-92521-4 + cce@sle16: CCE-96496-5 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/nftables", perms="0700") }}}' diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml index 8514f1be0618..bf988c70fd08 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios/rule.yml 
@@ -16,6 +16,16 @@ rationale: |- severity: unknown +ocil_clause: 'wireless devices (WiFi or Bluetooth) are enabled in BIOS' + +ocil: |- + Verify that built-in wireless devices (WiFi and Bluetooth) are disabled in the system + boot firmware (BIOS/UEFI). The process to configure this setting varies by hardware + manufacturer and model. Some systems may not have wireless devices or may not provide + BIOS-level controls for wireless devices. + Consult your hardware manual or vendor documentation for specific instructions on how to + access the firmware setup during boot and disable wireless device support. + identifiers: cce@rhcos4: CCE-82659-4 cce@rhel9: CCE-89909-6 diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml index dbaec786e5ec..7e8dfdccc7b4 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-89514-4 cce@sle12: CCE-91597-5 cce@sle15: CCE-91239-4 + cce@sle16: CCE-95897-5 references: srg: SRG-OS-000480-GPOS-00227,SRG-OS-000138-GPOS-00069 diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml index 3a3bc5278b49..b5fe9798720c 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml @@ -28,6 +28,9 @@ references: stigid@ol7: OL07-00-021031 stigid@ol8: OL08-00-010700 +identifiers: + cce@rhel9: CCE-86469-4 + ocil_clause: 'there is output' ocil: |- 
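Review bot: The new `ocil` block for wireless_disable_in_bios acknowledges that "Some systems may not have wireless devices or may not provide BIOS-level controls" but does not say what result the assessor should record in that case; add a sentence stating that such systems are to be treated as not applicable (or as passing) so the manual check can reach a conclusion instead of leaving the `ocil_clause` ambiguous. The unchanged context line `severity: unknown` sits directly above the new block; since the rule is now given a manual check, assigning a concrete severity would let profiles weight the finding.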
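Review bot: In the dir_perms_world_writable_system_owned hunk the new `identifiers:` block (`cce@rhel9: CCE-86469-4`) is inserted after `references:`, below `stigid@ol8: OL08-00-010700`, whereas every other rule.yml touched by this patch, including the sibling dir_perms_world_writable_root_owned hunk just above, places `identifiers:` before `references:`. Move the block above `references:` to keep the key ordering consistent across rules.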
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml index 1285c94d87a1..4a300fcd8a49 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml @@ -40,6 +40,7 @@ identifiers: cce@rhel10: CCE-89520-1 cce@sle12: CCE-83244-4 cce@sle15: CCE-85743-3 + cce@sle16: CCE-95915-5 cce@slmicro5: CCE-93702-9 cce@slmicro6: CCE-94700-2 diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml index d3b464811bd9..12dc621b7fde 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml @@ -38,6 +38,7 @@ identifiers: cce@rhel10: CCE-88203-5 cce@sle12: CCE-83242-8 cce@sle15: CCE-85741-7 + cce@sle16: CCE-96321-5 cce@slmicro5: CCE-93700-3 cce@slmicro6: CCE-94698-8 diff --git a/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml index f9a6756eca37..bf123935cac6 100644 --- a/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml +++ b/linux_os/guide/system/permissions/files/file_groupowner_etc_crypttab/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel8: CCE-86362-1 cce@rhel9: CCE-86363-9 cce@rhel10: CCE-88558-2 + cce@sle16: CCE-95756-3 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/crypttab", group="root") }}}' diff --git a/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml index 6a57207cc9b5..09a5d5beac04 100644 
--- a/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify Group Who Owns /etc/sysconfig/sshd File' -description: '{{{ describe_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +description: '{{{ describe_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' rationale: |- The <tt>/etc/sysconfig/sshd</tt> file contains configuration options for the SSH daemon. @@ -14,19 +14,19 @@ severity: medium identifiers: cce@rhel8: CCE-89268-7 -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}} + {{{ ocil_file_group_owner(file=sshd_sysconfig_file, group="root") }}} -fixtext: '{{{ fixtext_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +fixtext: '{{{ fixtext_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' -srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' template: name: file_groupowner vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml index b15ee9a13dd1..c168d31a5c39 100644 --- a/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml +++ b/linux_os/guide/system/permissions/files/file_groupowner_systemmap/rule.yml 
@@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-86583-2 cce@rhel9: CCE-86584-0 cce@rhel10: CCE-90164-5 + cce@sle16: CCE-95738-1 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/System.map*", group="root") }}}' diff --git a/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml index 7e4dc62c9a3c..750234e46588 100644 --- a/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml +++ b/linux_os/guide/system/permissions/files/file_owner_etc_crypttab/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel8: CCE-86365-4 cce@rhel9: CCE-86366-2 cce@rhel10: CCE-89519-3 + cce@sle16: CCE-96640-8 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/crypttab", owner="root") }}}' diff --git a/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml index 64785d24ce67..758f6cc3dc7e 100644 --- a/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify User Who Owns /etc/sysconfig/sshd File' -description: '{{{ describe_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +description: '{{{ describe_file_owner(file=sshd_sysconfig_file, owner="root") }}}' rationale: |- The <tt>/etc/sysconfig/sshd</tt> file contains configuration options for the SSH daemon. 
@@ -14,19 +14,19 @@ severity: medium identifiers: cce@rhel8: CCE-89269-5 -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_sysconfig_file, owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/sysconfig/sshd", owner="root") }}} + {{{ ocil_file_owner(file=sshd_sysconfig_file, owner="root") }}} -fixtext: '{{{ fixtext_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +fixtext: '{{{ fixtext_file_owner(file=sshd_sysconfig_file, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_sysconfig_file, owner="root") }}}' template: name: file_owner vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml index d10ec7e1ebd4..6a5a019b1605 100644 --- a/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml +++ b/linux_os/guide/system/permissions/files/file_owner_systemmap/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-86586-5 cce@rhel9: CCE-86587-3 cce@rhel10: CCE-89808-0 + cce@sle16: CCE-96671-3 ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/System.map*", owner="root") }}}' diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml index f3a6e8920bca..d9af9dca12e1 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_etc_crypttab/rule.yml 
@@ -17,6 +17,7 @@ identifiers: cce@rhel8: CCE-86369-6 cce@rhel9: CCE-86370-4 cce@rhel10: CCE-88726-5 + cce@sle16: CCE-95862-9 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/crypttab", perms="0600") }}}' diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml index 156efad15e09..fab349e834b8 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on /etc/sysconfig/sshd File' description: |- - {{{ describe_file_permissions(file="/etc/sysconfig/sshd", perms="0640") }}} + {{{ describe_file_permissions(file=sshd_sysconfig_file, perms="0640") }}} rationale: |- The <tt>/etc/sysconfig/sshd</tt> file contains configuration options for the SSH daemon. @@ -15,19 +15,19 @@ severity: medium identifiers: cce@rhel8: CCE-89270-3 -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sysconfig/sshd", perms="-rw-r-----") }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_sysconfig_file, perms="-rw-r-----") }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/sysconfig/sshd", perms="-rw-r-----") }}} + {{{ ocil_file_permissions(file=sshd_sysconfig_file, perms="-rw-r-----") }}} -fixtext: '{{{ fixtext_file_permissions(file="/etc/sysconfig/sshd", mode="0640") }}}' +fixtext: '{{{ fixtext_file_permissions(file=sshd_sysconfig_file, mode="0640") }}}' -srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/sysconfig/sshd", mode="0640") }}}' +srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_sysconfig_file, mode="0640") }}}' template: name: file_permissions vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' filemode: '0640' allow_stricter_permissions: "true" 
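Review bot: Switching `file="/etc/sysconfig/sshd"` to `file=sshd_sysconfig_file` in the description, `ocil_clause`, `ocil`, `fixtext`, `srg_requirement` and the template `filepath` leaves two hard-coded references in the same rule untouched: the unchanged `title: 'Verify Permissions on /etc/sysconfig/sshd File'` and the rationale context line `The <tt>/etc/sysconfig/sshd</tt> file contains configuration options for the SSH daemon.`; on any product where `sshd_sysconfig_file` resolves to a different path the rendered rule would describe one file and check another. Either template the title and rationale with the same variable or document that the variable is expected to equal `/etc/sysconfig/sshd` everywhere; the same applies to the file_owner_etc_sysconfig_sshd and file_groupowner_etc_sysconfig_sshd hunks above. The hunk only carries `cce@rhel8`, so also confirm `sshd_sysconfig_file` is defined for every product that selects these three rules, otherwise the macros receive an undefined value at render time.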
diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml index 9190b28c74e7..e64a82b43400 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-82892-1 cce@rhel9: CCE-86581-6 cce@rhel10: CCE-86786-1 + cce@sle16: CCE-96220-9 ocil_clause: '{{{ ocil_clause_file_permissions(file="/boot/System.map*", perms="-rw-------") }}}' diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml index ae63ad59d9e2..fb19523d62d2 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel10: CCE-90184-3 cce@sle12: CCE-91472-1 cce@sle15: CCE-91175-0 + cce@sle16: CCE-95910-6 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml index 9ccab80ce39b..341e375c781e 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel10: CCE-86999-0 cce@sle12: CCE-91473-9 cce@sle15: CCE-91174-3 + cce@sle16: CCE-96423-9 references: cis-csc: 12,13,14,15,16,18,3,5 
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml index 46e60ad632b0..5fd648c30c3d 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-90043-1 cce@sle12: CCE-92225-2 cce@sle15: CCE-91348-3 + cce@sle16: CCE-95841-3 cce@slmicro5: CCE-93967-8 references: diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml index f518cb5cd15d..114ab8dd6b32 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shells/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-90434-2 cce@rhel10: CCE-90020-9 cce@sle15: CCE-92541-2 + cce@sle16: CCE-96404-9 references: nist: AC-3,MP-2 diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml index f49d8842b722..c3d73782a0a8 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_gshadow/rule.yml 
@@ -16,6 +16,7 @@ identifiers: cce@rhel10: CCE-87701-9 cce@sle12: CCE-91557-9 cce@sle15: CCE-91230-3 + cce@sle16: CCE-96275-3 cce@slmicro5: CCE-93959-5 references: diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml index 0d0c52baae12..89abfb9b8709 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shells/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-90435-9 cce@rhel10: CCE-89594-6 cce@sle15: CCE-92547-9 + cce@sle16: CCE-96138-3 references: nist: AC-3,MP-2 diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml index c2080fde3fcd..b3e300599f20 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml @@ -57,3 +57,4 @@ template: filemode@ubuntu2404: '0640' filemode@sle12: '0640' filemode@sle15: '0640' + filemode@sle16: '0640' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml index 49b4c7967b2c..83f8fd8acf6f 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml 
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-86975-0 cce@sle12: CCE-91558-7 cce@sle15: CCE-91231-1 + cce@sle16: CCE-96193-8 cce@slmicro5: CCE-93951-2 references: diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml index e52241f482f1..1e0ec24f75d1 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml @@ -69,5 +69,6 @@ template: filemode@debian13: '0640' filemode@sle12: '0640' filemode@sle15: '0640' + filemode@sle16: '0640' filemode@ubuntu2204: '0640' filemode@ubuntu2404: '0640' diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml index 83701e95cc30..de73d8f1a6ca 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shells/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-90432-6 cce@rhel10: CCE-89912-0 cce@sle15: CCE-92562-8 + cce@sle16: CCE-96599-6 references: nist: AC-3,MP-2 diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml index af819ea482cb..1be0bd45ad28 100644 --- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml 
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml @@ -63,6 +63,7 @@ template: filepath: /var/log/ recursive@sle12: 'true' recursive@sle15: 'true' + recursive@sle16: 'true' recursive@slmicro5: 'true' recursive@slmicro6: 'true' recursive@ubuntu2204: 'true' diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh index 6579223bec38..db9e7825fbab 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/bash/shared.sh @@ -7,6 +7,18 @@ # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964 # regarding sssd and gdm exclusions +declare -A valid_shells +while read -r line; do + [[ "$line" == /* ]] && valid_shells["$line"]=1 +done < /etc/shells + +declare -A users_with_valid_shells +while IFS=: read -r user _ _ _ _ _ shell; do + if [[ ${valid_shells["$shell"]} == 1 ]]; then + users_with_valid_shells["$user"]=1 + fi +done < /etc/passwd + find -P /var/log/ -type f -regextype posix-extended \ ! -group root ! -group adm \ ! -name 'gdm' ! -name 'gdm3' \ @@ -26,4 +38,11 @@ find -P /var/log/ -type f -regextype posix-extended \ ! -regex '.*/localmessages(.*)' \ ! -regex '.*/secure(.*)' \ ! -regex '.*/waagent.log(.*)' \ - -regex '.*' -exec chgrp --no-dereference root {} \; + -print0 | while IFS= read -r -d '' log_file + do + # Set to root if owned by a user with a valid shell + user=$(stat -c "%U" "$log_file") + if [[ "${users_with_valid_shells["$user"]}" == "1" ]]; then + chgrp --no-dereference root "$log_file" + fi + done 
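Review bot: The new remediation logic in bash/shared.sh only runs `chgrp --no-dereference root` on files owned by a user with a valid login shell, but this script is shared by all products, while the matching OVAL change in the next hunk is gated with `{{%- if 'ubuntu' in product %}}`; on non-Ubuntu products the check will keep flagging log files owned by system accounts with a non-root, non-adm group, and this remediation will now skip them, so the rule can never be remediated to pass there. Gate the new behaviour on the same product condition or apply the exception in the OVAL for every product. In the `/etc/passwd` loop, `if [[ ${valid_shells["$shell"]} == 1 ]]` uses the shell field as an associative-array subscript; an empty shell field (which login treats as `/bin/sh`) produces an empty subscript that older bash versions reject with "bad array subscript", so guard it with `[[ -n "$shell" ]]` before the lookup. A short comment explaining why files owned by system accounts are deliberately left alone (service-owned groups are expected) would also help the next reader, since the current comment only says what the branch does.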
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml index bb1b411ae7fe..02f7f4ce5fdb 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/oval/shared.xml @@ -21,8 +21,8 @@ <unix:object object_ref="object_group_ownership_var_log" /> <unix:state state_ref="state_group_ownership_adm_var_log_auth_log"/> <unix:state state_ref="state_group_ownership_root_var_log_auth_log"/> - {{%- if product == "ubuntu2204" %}} - <unix:state state_ref="{{{ rule_id }}}_group_only_has_sys_uids"/> + {{%- if 'ubuntu' in product %}} + <unix:state state_ref="{{{ rule_id }}}_state_owner_is_system_user"/> {{%- endif %}} </unix:file_test> <unix:file_object comment="/var/log/*" id="object_group_ownership_var_log" version="1"> 
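Review bot: The new state id `{{{ rule_id }}}_state_owner_is_system_user` referenced here names a test on the file owner, but the `unix:file_state` with that id in the following hunk constrains `unix:group_id` against `{{{ rule_id }}}_var_system_gids`; rename the id (for example to `_state_group_is_system_gid`) so it matches what the state actually checks. Widening `product == "ubuntu2204"` to `'ubuntu' in product` pulls every Ubuntu product into this branch; confirm that the other Ubuntu products' profiles expect the exception, and keep the bash remediation's gating consistent with this condition.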
@@ -96,47 +96,43 @@ <unix:file_state id="{{{ rule_id }}}_exclude_files_waagent" version="1"> <unix:filename operation="pattern match">^waagent\.log.*$</unix:filename> </unix:file_state> - {{%- if product == "ubuntu2204" %}} - <unix:file_state id="{{{ rule_id }}}_group_only_has_sys_uids" version="1"> - <unix:group_id datatype="int" var_ref="empty_group_ids" var_check="at least one"/> + {{%- if 'ubuntu' in product %}} + <unix:file_state id="{{{ rule_id }}}_state_owner_is_system_user" version="1"> + <unix:group_id datatype="int" operation="equals" var_ref="{{{ rule_id }}}_var_system_gids" var_check="at least one" /> </unix:file_state> - <local_variable id="empty_group_ids" comment="Group IDs with no members" datatype="int" version="1"> - <object_component item_field="subexpression" object_ref="empty_members_in_etc_group"/> - </local_variable> - - <ind:textfilecontent54_object comment="Groups with no members" id="empty_members_in_etc_group" version="1"> - <ind:filepath>/etc/group</ind:filepath> - <ind:pattern operation="pattern match" var_ref="variable_{{{ rule_id }}}_group_regex" var_check="at least one"/> + <!-- Fetch all shells designated as valid login shells from /etc/shells --> + <ind:textfilecontent54_object id="{{{ rule_id }}}_object_valid_shells" version="1" comment="valid shells"> + <ind:filepath>/etc/shells</ind:filepath> + <ind:pattern operation="pattern match">^(/.*)$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> - <local_variable id="variable_{{{ rule_id }}}_group_regex" datatype="string" version="1" comment="gid rows retrieved from /etc/passwd"> - <concat> - <literal_component>^[^:]+:[^:]*:(</literal_component> - <object_component item_field="subexpression" object_ref="obj_{{{ rule_id }}}_gids_with_only_sys_uids" /> - <literal_component>):$</literal_component> - </concat> + <local_variable id="{{{ rule_id }}}_var_valid_shells" comment="list of valid shells" datatype="string" 
version="1"> + <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_valid_shells" /> </local_variable> - - <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_gids_with_only_sys_uids" version="1"> + + <ind:textfilecontent54_object id="{{{ rule_id }}}_object_system_users" version="1" comment="users who have an invalid shell"> <ind:filepath>/etc/passwd</ind:filepath> - <ind:pattern operation="pattern match" var_ref="variable_{{{ rule_id }}}_regex" var_check="at least one"/> + <ind:pattern operation="pattern match">^[^:]+:[^:]+:[0-9]+:([0-9]+):.*$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + <filter action="exclude">{{{ rule_id }}}_state_shell_is_valid</filter> </ind:textfilecontent54_object> - <local_variable id="variable_{{{ rule_id }}}_regex" datatype="string" version="1" comment="uid rows retrieved from /etc/passwd"> + <ind:textfilecontent54_state id="{{{ rule_id }}}_state_shell_is_valid" version="1"> + <ind:text operation="pattern match" var_ref="{{{ rule_id }}}_var_valid_shells_regex" var_check="at least one"></ind:text> + </ind:textfilecontent54_state> + + <local_variable id="{{{ rule_id }}}_var_valid_shells_regex" datatype="string" version="1" comment="regex of valid shells"> <concat> - <literal_component>^[^:]*:[^:]*:</literal_component> - <object_component item_field="subexpression" object_ref="obj_{{{ rule_id }}}_sys_uid" /> - <literal_component>:(\d+):.*$</literal_component> + <literal_component>^.*:(</literal_component> + <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_valid_shells" /> + <literal_component>)$</literal_component> </concat> </local_variable> - <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_sys_uid" version="1"> - <ind:filepath>/etc/passwd</ind:filepath> - <ind:pattern operation="pattern match">^[^:]+:[^:]*:(\d\d?\d?):.*$</ind:pattern> - <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> - 
</ind:textfilecontent54_object> + <local_variable id="{{{ rule_id }}}_var_system_gids" comment="GIDs of users with invalid shells" datatype="int" version="1"> + <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_system_users" /> + </local_variable> {{%- endif %}} </def-group> diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh index 1960379c3e08..7dd2a108ed05 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/excluded_files.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chgrp root -R /var/log/* diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh index 4afa612eb706..be307cb3eced 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_adm.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chgrp root -R /var/log/* diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh deleted file mode 100644 index 207dd03b6cd1..000000000000 
--- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_nobody.fail.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = rsyslog - -chgrp root -R /var/log/* - -touch /var/log/test.log -chgrp nogroup /var/log/test.log -{{%- if product == 'ubuntu2204' %}} -#make sure nogroup has members -usermod -aG nogroup nobody -chown nobody /var/log/test.log -{{%- endif %}} diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh deleted file mode 100644 index 53bcf848e1a5..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_non_sys_acc_grp.fail.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = rsyslog - -chown root -R /var/log/* - -groupadd testgroup -useradd testUser -usermod -g testgroup testUser - -touch /var/log/test.log -chgrp testgroup /var/log/test.log diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh index a9b0b730fe07..a04a0c38499b 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_root.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chgrp root -R /var/log/* 
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh deleted file mode 100644 index 49afdf1ad47b..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_sys_acc_grp.pass.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# platform = Ubuntu 22.04 -# packages = rsyslog - -chown root -R /var/log/* - -groupadd testgroup -useradd -r testUser -usermod -g testgroup testUser - -touch /var/log/test.log -chgrp testgroup /var/log/test.log diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh new file mode 100644 index 000000000000..3308000d466e --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_with_shell.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /bin/bash test_user_with_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chgrp test_user_with_shell /var/log/test_log_file diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh new file mode 100644 index 000000000000..d985321e5124 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupownerships_var_log/tests/owned_by_user_without_shell.pass.sh 
@@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /usr/sbin/nologin test_user_no_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chgrp test_user_no_shell /var/log/test_log_file diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh index ee4cce9fd671..eafb1e165112 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/bash/shared.sh @@ -7,6 +7,18 @@ # see https://workbench.cisecurity.org/benchmarks/18959/tickets/23964 # regarding sssd and gdm exclusions +declare -A valid_shells +while read -r line; do + [[ "$line" == /* ]] && valid_shells["$line"]=1 +done < /etc/shells + +declare -A users_with_valid_shells +while IFS=: read -r user _ _ _ _ _ shell; do + if [[ ${valid_shells["$shell"]} == 1 ]]; then + users_with_valid_shells["$user"]=1 + fi +done < /etc/passwd + find -P /var/log/ -type f -regextype posix-extended \ ! -user root ! -user syslog \ ! -name 'gdm' ! -name 'gdm3' \ @@ -26,4 +38,11 @@ find -P /var/log/ -type f -regextype posix-extended \ ! -regex '.*/localmessages(.*)' \ ! -regex '.*/secure(.*)' \ ! -regex '.*/waagent.log(.*)' \ - -regex '.*' -exec chown --no-dereference root {} \; + -print0 | while IFS= read -r -d '' log_file + do + # Set to root if owned by a user with a valid shell + user=$(stat -c "%U" "$log_file") + if [[ "${users_with_valid_shells["$user"]}" == "1" ]]; then + chown --no-dereference root "$log_file" + fi + done 
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml index 95095bbb8837..b97743b02346 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/oval/shared.xml @@ -20,8 +20,8 @@ <unix:object object_ref="object_file_ownership_var_log" /> <unix:state state_ref="state_file_ownership_syslog_var_log_auth_log"/> <unix:state state_ref="state_file_ownership_root_var_log_auth_log"/> - {{%- if product == "ubuntu2204" %}} - <unix:state state_ref="{{{ rule_id }}}_system_files_with_empty_group"/> + {{%- if 'ubuntu' in product %}} + <unix:state state_ref="state_file_ownership_owner_is_system_user"/> {{%- endif %}} </unix:file_test> <unix:file_object comment="/var/log/*" id="object_file_ownership_var_log" version="1"> 
@@ -108,9 +108,43 @@ <unix:filepath operation="pattern match">^/var/log/exim4/.*$</unix:filepath> </unix:file_state> {{% endif %}} - {{%- if product == "ubuntu2204" %}} - <unix:file_state id="{{{ rule_id }}}_system_files_with_empty_group" version="3"> - <unix:user_id datatype="int" operation="less than">{{{ uid_min }}}</unix:user_id> + + <unix:file_state id="state_file_ownership_owner_is_system_user" version="1"> + <unix:user_id datatype="int" operation="equals" var_ref="{{{ rule_id }}}_var_system_uids" var_check="at least one" /> </unix:file_state> - {{%- endif %}} + + <!-- Fetch all shells designated as valid login shells from /etc/shells --> + <ind:textfilecontent54_object id="{{{ rule_id }}}_object_valid_shells" version="1" comment="valid shells"> + <ind:filepath>/etc/shells</ind:filepath> + <ind:pattern operation="pattern match">^(/.*)$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <local_variable id="{{{ rule_id }}}_var_valid_shells" comment="list of valid shells" datatype="string" version="1"> + <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_valid_shells" /> + </local_variable> + + <!-- Find users who have a shell that is NOT in the list of valid shells (System Users) --> + <ind:textfilecontent54_object id="{{{ rule_id }}}_object_system_users" version="1" comment="users who have an invalid shell"> + <ind:filepath>/etc/passwd</ind:filepath> + <ind:pattern operation="pattern match">^[^:]+:[^:]+:([0-9]+):.*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + <filter action="exclude">{{{ rule_id }}}_state_shell_is_valid</filter> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="{{{ rule_id }}}_state_shell_is_valid" version="1"> + <ind:text operation="pattern match" var_ref="{{{ rule_id }}}_var_valid_shells_regex" var_check="at least one"></ind:text> + 
</ind:textfilecontent54_state> + + <local_variable id="{{{ rule_id }}}_var_valid_shells_regex" datatype="string" version="1" comment="regex of valid shells"> + <concat> + <literal_component>^.*:(</literal_component> + <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_valid_shells" /> + <literal_component>)$</literal_component> + </concat> + </local_variable> + + <local_variable id="{{{ rule_id }}}_var_system_uids" comment="UIDs of users with invalid shells" datatype="int" version="1"> + <object_component item_field="subexpression" object_ref="{{{ rule_id }}}_object_system_users" /> + </local_variable> </def-group> diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh deleted file mode 100644 index 1bd7955a7dc2..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_nobody.fail.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = rsyslog - -chown root -R /var/log/* - -touch /var/log/test.log -chown nobody /var/log/test.log diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh index 3405d1f42030..c9ea476a15aa 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_root.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog chown root -R /var/log/* 
diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh deleted file mode 100644 index 70bb73134866..000000000000 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_sysacc.pass.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# platform = Ubuntu 22.04 -# packages = rsyslog - -chown root -R /var/log/* - -useradd -r testUser - -touch /var/log/test.log -chown testUser /var/log/test.log diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh index 697ac57b5507..b13a50eff8b1 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_syslog.pass.sh @@ -1,6 +1,7 @@ #!/bin/bash # platform = multi_platform_ubuntu -# packages = rsyslog + +useradd -r syslog || true chown root -R /var/log/* diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh new file mode 100644 index 000000000000..6215bee12392 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_with_shell.fail.sh 
@@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /bin/bash test_user_with_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chown test_user_with_shell /var/log/test_log_file diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh new file mode 100644 index 000000000000..b1e5fae1718f --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_ownerships_var_log/tests/owned_by_user_without_shell.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +useradd -m -s /usr/sbin/nologin test_user_no_shell + +chown root:root -R /var/log/* + +touch /var/log/test_log_file +chown test_user_no_shell /var/log/test_log_file diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml index fe9ad0c2cb13..4b7a99b4add2 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_groupowner_etc_sysctld/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86325-8 cce@rhel10: CCE-90122-3 cce@sle15: CCE-92506-5 + cce@sle16: CCE-96187-0 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sysctl.d", group="root") }}}' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml index 4fcf06a18c77..5bd29766509c 100644 
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_owner_etc_sysctld/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86330-8 cce@rhel10: CCE-87242-4 cce@sle15: CCE-92513-1 + cce@sle16: CCE-96370-2 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sysctl.d", owner="root") }}}' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml index 7f93f2ef4dc1..e00b35cee6b9 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/directory_permissions_etc_sysctld/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86337-3 cce@rhel10: CCE-89782-7 cce@sle15: CCE-92527-1 + cce@sle16: CCE-95827-2 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sysctl.d", perms="0755") }}}' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml index 429962905c3e..78c03e7011b6 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml 
@@ -11,7 +11,11 @@ follow: no recurse: no register: system_command_files_found + {{% if 'ol9' in product %}} + with_items: ['/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/libexec','/usr/local/bin', '/usr/local/sbin'] + {{% else %}} with_items: ['/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin', '/usr/local/sbin'] + {{% endif %}} changed_when: false - name: "{{{ rule_title }}} - Set group ownership to root for system command files" diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh index 00a12fdfa865..bc803976ee28 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh @@ -1,3 +1,6 @@ # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux - +{{% if 'ol9' in product %}} +find -P /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp root '{}' \; || true +{{% else %}} find -P /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp root '{}' \; || true +{{% endif %}} diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml index 16936790ef09..08d91bab154d 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml 
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml @@ -17,7 +17,11 @@ <unix:file_object comment="system commands files" id="object_groupownership_system_commands_dirs" version="1"> <!-- Check that system commands within directories /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin belong to group with gid 0 (root) or gid < {{{ gid_min }}} (system account)--> + {{% if 'ol9' in product %}} + <unix:path operation="pattern match">^\/s?bin|^\/usr\/s?bin|^\/usr\/libexec|^\/usr\/local\/s?bin</unix:path> + {{% else %}} <unix:path operation="pattern match">^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin</unix:path> + {{% endif %}} <unix:filename operation="pattern match">^.*$</unix:filename> <filter action="include">state_groupowner_system_commands_dirs_not_root_or_system_account</filter> <filter action="exclude">state_groupowner_system_commands_dirs_symlink</filter> diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml index 37ae549a7174..950ff7cc9d11 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml @@ -9,6 +9,9 @@ description: |- /sbin /usr/bin /usr/sbin + {{%- if 'ol9' in product %}} + /usr/libexec + {{%- endif %}} /usr/local/bin /usr/local/sbin </pre> @@ -39,6 +42,7 @@ identifiers: cce@rhel10: CCE-89800-7 cce@sle12: CCE-83243-6 cce@sle15: CCE-85742-5 + cce@sle16: CCE-96446-0 cce@slmicro5: CCE-93701-1 cce@slmicro6: CCE-94699-6 
@@ -54,7 +58,11 @@ ocil_clause: 'any system commands are returned and is not group-owned by a requi ocil: |- Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: + {{%- if 'ol9' in product %}} + $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + {{%- else %}} $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; + {{%- endif %}} fixtext: |- Configure the system commands to be protected from unauthorized access. diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh index 48bd0d2c8f5c..9fe7a63d4783 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh @@ -1,3 +1,7 @@ #!/bin/bash +{{% if 'ol9' in product %}} +find -P /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp --no-dereference root '{}' \; || true +{{% else %}} find -P /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \! -group root -type f -exec chgrp --no-dereference root '{}' \; || true +{{% endif %}} 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh index f65c98a225ab..8013aaed79fa 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/incorrect_groupownership.fail.sh @@ -2,13 +2,21 @@ groupadd group_test +{{% if 'ol9' in product %}} +find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/libexec/ /usr/local/bin/ /usr/local/sbin/ -type f -exec chgrp --no-dereference root {} \; || true +{{% else %}} find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ -type f -exec chgrp --no-dereference root {} \; || true +{{% endif %}} {{% if 'ubuntu' in product %}} for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me {{% else %}} +{{% if 'ol9' in product %}} +for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/libexec/test_me /usr/sbin/test_me /usr/local/bin/test_me +{{% else %}} for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me {{% endif %}} +{{% endif %}} do if [[ ! -f $TESTFILE ]] then diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh index 6c9035268936..e27ef5963fc9 100644 
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/symlink.pass.sh @@ -2,7 +2,11 @@ groupadd group_test +{{% if 'ol9' in product %}} +find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/libexec /usr/local/bin/ /usr/local/sbin/ \! -group root -type f -exec chgrp --no-dereference root {} \; || true +{{% else %}} find -P /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ \! -group root -type f -exec chgrp --no-dereference root {} \; || true +{{% endif %}} ln -s $(mktemp -p /tmp) /usr/bin/test.log.symlink chgrp -h group_test /usr/bin/test.log.symlink diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml index 1b91da3b6535..fade0c0a085e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel10: CCE-89620-9 cce@sle12: CCE-83241-0 cce@sle15: CCE-85730-0 + cce@sle16: CCE-96514-5 cce@slmicro5: CCE-93699-7 cce@slmicro6: CCE-94697-0 diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml index 4ddad0a17e22..5cd917fc6c08 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml 
@@ -30,6 +30,7 @@ identifiers: cce@rhel10: CCE-86978-4 cce@sle12: CCE-83240-2 cce@sle15: CCE-85729-2 + cce@sle16: CCE-95994-0 cce@slmicro5: CCE-93698-9 cce@slmicro6: CCE-94696-2 diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml index d21952c3300d..f6325c7cfb07 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_fifos/rule.yml @@ -15,6 +15,7 @@ severity: medium identifiers: cce@rhel9: CCE-85884-5 cce@rhel10: CCE-87125-1 + cce@sle16: CCE-96680-4 references: nist: CM-6(a),AC-6(1) diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml index e80a9af6cd9a..ce10b4d619a7 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel10: CCE-86689-7 cce@sle12: CCE-91559-5 cce@sle15: CCE-91252-7 + cce@sle16: CCE-95822-3 references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml index bcf733e4ad0a..9a6b3ba2e0f4 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_regular/rule.yml @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel9: CCE-85885-2 cce@rhel10: CCE-90354-2 + cce@sle16: CCE-96679-6 references: nist: CM-6(a),AC-6(1) 
diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml index 9f068896501b..1a88d1d8b782 100644 --- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml +++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-88796-8 cce@sle12: CCE-91560-3 cce@sle15: CCE-91253-5 + cce@sle16: CCE-96456-9 references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 diff --git a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml index 3af92cfa15c0..38b47b6de468 100644 --- a/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml +++ b/linux_os/guide/system/permissions/mounting/bios_disable_usb_boot/rule.yml @@ -14,6 +14,14 @@ rationale: |- severity: unknown +ocil_clause: 'the system allows booting from USB devices' + +ocil: |- + Verify that booting from USB devices is disabled in the system boot firmware (BIOS/UEFI). + The process to configure this setting varies by hardware manufacturer and model. + Consult your hardware manual or vendor documentation for specific instructions on how to + access the firmware setup during boot and disable USB boot capabilities. + identifiers: cce@rhcos4: CCE-82662-8 cce@rhel9: CCE-87913-0 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml index cbd941664727..773ff170a481 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml 
@@ -23,7 +23,7 @@ identifiers: cce@rhel10: CCE-90334-4 cce@sle12: CCE-91541-3 cce@sle15: CCE-91234-5 - + cce@sle16: CCE-96582-2 template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml index b90a2baf6565..6ef99131bf3d 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-88881-8 cce@sle12: CCE-91542-1 cce@sle15: CCE-91235-2 + cce@sle16: CCE-96648-1 references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml index 097283478533..912d86cc0b97 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-87810-8 cce@sle12: CCE-91543-9 cce@sle15: CCE-91236-0 + cce@sle16: CCE-96288-6 references: nist: CM-6(b) diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml index 673295341d39..ccb05ba12ef7 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-88987-3 cce@sle12: CCE-83100-8 cce@sle15: CCE-85633-6 + cce@sle16: CCE-95966-8 cce@slmicro5: CCE-93791-2 cce@slmicro6: CCE-95062-6 
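Review bot: The bios_disable_usb_boot/rule.yml hunk adds an `ocil_clause` and `ocil` block while the context line directly above still reads `severity: unknown`; now that the rule carries a manual check procedure, give it a severity so profiles that include it get a usable rating. The clause `'the system allows booting from USB devices'` reads correctly in the "Is it the case that ..." sentence the build generates, so no change needed there.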
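Review bot: In the mount_option_boot_noexec/rule.yml hunk the new `cce@sle16: CCE-96582-2` line replaces the blank line that separated the `identifiers:` block from `template:` (the hunk removes an empty line and `template:` now follows the identifier directly), unlike the sibling mount_option_boot_nosuid hunk which keeps its separator. Keep a blank line after the new identifier so the layout matches the other rule.yml files touched here.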
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml index c72785a6d38b..cfdc35156eb4 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml @@ -31,6 +31,7 @@ - lustre - davfs - fuse.sshfs + - vfat - name: "{{{ rule_title }}}: Ensure non-root local partitions are mounted with nodev option" ansible.posix.mount: @@ -41,13 +42,17 @@ fstype: "{{ item.fstype }}" when: - "item.mount is match('/\\w')" + - "item.mount is not match('/(boot|efi)')" - "item.options is not search('nodev')" - "item.fstype not in excluded_fstypes" + # Attempting to change polyinstantiated mounts for /tmp and /var/tmp, if present, will fail + - "(not accounts_polyinstantiated_var_tmp | default(false)) or item.mount != '/var/tmp/tmp-inst'" + - "(not accounts_polyinstantiated_tmp | default(false)) or item.mount != '/tmp/tmp-inst'" with_items: - "{{ ansible_facts.mounts }}" - name: "{{{ rule_title }}}: Ensure non-root local partitions are present with nodev option in /etc/fstab" ansible.builtin.replace: path: /etc/fstab - regexp: '^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$' + regexp: '^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$' replace: '\1 \2 \3 \4,nodev \5' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh index 361518e7a35f..bbd4d580c072 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh 
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh @@ -30,6 +30,7 @@ excluded_fstypes=( lustre davfs fuse.sshfs + vfat ) for partition_record in "${partitions_records[@]}"; do @@ -38,6 +39,11 @@ for partition_record in "${partitions_records[@]}"; do device="$(echo "${partition_record}" | cut -d " " -f2)" device_type="$(echo "${partition_record}" | cut -d " " -f3)" + # Skip /boot and /efi partitions + if [[ "$mount_point" =~ ^/(boot|efi) ]]; then + continue + fi + # Skip polyinstantiated directories if printf '%s\0' "${polyinstantiated_dirs[@]}" | grep -qxzF "$mount_point"; then continue @@ -59,5 +65,5 @@ for partition_record in "${partitions_records[@]}"; do {{{ bash_ensure_partition_is_mounted("$mount_point") | indent(4) }}} done -# Remediate unmounted /etc/fstab entries -sed -i -E '/nodev/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5;' /etc/fstab +# Remediate unmounted /etc/fstab entries, excluding /boot, /efi, and vfat partitions +sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/\w\S*\s+vfat\s/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; } }' /etc/fstab diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml index 89361099bf93..10964a0511fd 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml 
@@ -33,7 +33,7 @@ <linux:partition_state id="state_local_nodev" version="1"> <!-- this check defines a local partition as one which has a device node in /dev --> <linux:device operation="pattern match">^/dev/.*$</linux:device> - <linux:fs_type operation="pattern match">^(?!afs$|autofs$|ceph$|cifs$|smb3$|smbfs$|sshfs$|ncpfs$|ncp$|nfs$|nfs4$|gfs$|gfs2$|glusterfs$|gpfs$|pvfs2$|ocfs2$|lustre$|davfs$|fuse\.sshfs$).+</linux:fs_type> + <linux:fs_type operation="pattern match">^(?!afs$|autofs$|ceph$|cifs$|smb3$|smbfs$|sshfs$|ncpfs$|ncp$|nfs$|nfs4$|gfs$|gfs2$|glusterfs$|gpfs$|pvfs2$|ocfs2$|lustre$|davfs$|fuse\.sshfs$|vfat$).+</linux:fs_type> <linux:mount_options datatype="string" entity_check="all" operation="not equal">nodev</linux:mount_options> </linux:partition_state> @@ -46,7 +46,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object version="1" id="object_non_root_partitions_in_fstab"> <ind:filepath>/etc/fstab</ind:filepath> - <ind:pattern operation="pattern match">^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/\w\S*\s+\S+\s+(\S+)</ind:pattern> + <ind:pattern operation="pattern match">^\s*(?!#)(?:/dev/\S+|UUID=\S+)\s+/(?!boot|efi)\w\S*\s+(?!vfat\s)\S+\s+(\S+)</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_state version="1" diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml index 936da9856dfb..0b982c79c1c1 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml @@ -24,6 +24,7 @@ ocil: | ocil_clause: "some mounts appear among output lines" + severity: medium identifiers: 
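Review bot: The `item.mount is not match('/(boot|efi)')` condition and the fstab `regexp` group `(/(?!boot|efi)\w\S*)` in the mount_option_nodev_nonroot_local_partitions ansible/shared.yml hunk are prefix matches, so they also skip any mount point that merely starts with `/boot` or `/efi` (for example `/bootstrap` or `/efi-data`). Anchor the exclusion to a whole path component: `item.mount is not match('/(boot|efi)(/|$)')` for the mount task and `(/(?!(?:boot|efi)(?:/|\s))\w\S*)` in the regexp, so only `/boot`, `/efi` and their subdirectories are excluded. A short comment saying where the `accounts_polyinstantiated_tmp` and `accounts_polyinstantiated_var_tmp` facts used in the new `when` entries are expected to be set would also help the next reader.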
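Review bot: The same prefix problem appears in the bash/shared.sh hunk: `if [[ "$mount_point" =~ ^/(boot|efi) ]]` and the sed address `/^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/!` skip every mount point beginning with those strings, not just `/boot` and `/efi`; use `^/(boot|efi)(/|$)` in the test and `\/(boot|efi)(\/|\s)` in the sed address. The nested sed with three `!` addresses has become hard to read; one comment per address (not already nodev, not /boot or /efi, not vfat) above the command would make later edits safer.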
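Review bot: The oval/shared.xml hunk excludes `vfat$` in `state_local_nodev` and excludes `/boot` and `/efi` in the fstab `pattern`, but nothing in this hunk excludes the `/boot` or `/efi` mount points from the runtime partition check; unless the partition object filters them elsewhere, a non-vfat `/boot` mounted without `nodev` still fails the rule while the new bash and Ansible remediations deliberately skip it, so the fix can never make the check pass. Either add the same mount point exclusion to the partition object/state or drop it from the remediations, so check and fix agree. The fstab pattern `/(?!boot|efi)\w\S*` also excludes any mount point starting with `boot` or `efi` (e.g. `/bootstrap`); `(?!(?:boot|efi)(?:/|\s))` limits it to the two directories.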
@@ -32,6 +33,7 @@ identifiers: cce@rhel10: CCE-88981-6 cce@sle12: CCE-91544-7 cce@sle15: CCE-91237-8 + cce@sle16: CCE-96023-7 references: cis-csc: 11,14,3,9 @@ -50,3 +52,16 @@ fixtext: |- Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. srg_requirement: '{{{ full_name }}} must prevent special devices on non-root local partitions.' + +warnings: + - general: |- + This rule checks only local partitions, identified as those backed by + a device node in <tt>/dev</tt>. Network file systems such as NFS, CIFS, + GlusterFS and others are excluded because they do not expose local + device nodes. The <tt>/boot</tt> and <tt>/efi</tt> partitions are + excluded because they are special partitions usually handled by a + systemd mount unit, and enforcing <tt>nodev</tt> on them during + operating system installation causes issues. Partitions with the + <tt>vfat</tt> file system type are excluded because vfat does not + support Unix device special files, so <tt>nodev</tt> enforcement on + them is not meaningful. diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh new file mode 100644 index 000000000000..7eb91ff88110 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/vfat_without_nodev.pass.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash + +. $SHARED/partition.sh + +# Add nodev option to all records in fstab to ensure that test will +# run on environment where everything is set correctly for rule check. +cp /etc/fstab /etc/fstab.backup +sed -i -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup +awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab +# Remount all partitions. (--all option can't be used because it doesn't +# mount e.g. /boot partition +declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") ) +for partition in ${partitions[@]}; do + mount -o remount "$partition" +done + +# A vfat partition without nodev should be ignored by the rule. +PARTITION="/dev/new_partition1"; create_partition +make_fstab_given_partition_line "/tmp/partition1" vfat defaults diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml index d5493739a92f..4e9086e97dc2 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-86868-7 cce@sle12: CCE-91584-3 cce@sle15: CCE-91270-9 + cce@sle16: CCE-95940-3 platform: mount[opt] diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml index f5f66509d8af..b196cc82a4a5 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-90162-9 cce@sle12: CCE-91585-0 cce@sle15: CCE-91271-7 + cce@sle16: CCE-95863-7 platform: mount[srv] 
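Review bot: The `warnings:` text added in the mount_option_nodev_nonroot_local_partitions rule.yml hunk says enforcing `nodev` on `/boot` and `/efi` "during operating system installation causes issues" without saying what breaks; name the failure (which installer step or mount unit fails) and link the tracking issue, because this sentence is what a reader will rely on when asking why a `/boot` entry without `nodev` is accepted by the fstab check. The vfat sentence is accurate as written (FAT cannot hold device special files, so the option changes nothing there).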
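Review bot: vfat_without_nodev.pass.sh only adds an fstab line (`make_fstab_given_partition_line "/tmp/partition1" vfat defaults`) and nothing in it shows the partition being mounted, so as written it exercises the new `(?!vfat\s)` fstab pattern but not the `vfat$` exclusion added to `state_local_nodev`; if `create_partition` does not mount the device, mount it at `/tmp/partition1` as vfat too so the runtime branch is covered by the test. The comment `(--all option can't be used because it doesn't mount e.g. /boot partition` is also missing its closing parenthesis.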
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml new file mode 100644 index 000000000000..8dfea23acad8 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml @@ -0,0 +1,28 @@ +# platform = SUSE Linux Enterprise 16 +# reboot = true +# strategy = configure +# complexity = low +# disruption = low + +- name: '{{{ rule_title }}} - Check if noexec options is configured in /usr/lib/systemd/system/tmp.mount' + ansible.builtin.lineinfile: + path: /usr/lib/systemd/system/tmp.mount + regexp: ^[\s]*Options=[\s]*.*noexec.*$ + state: absent + check_mode: true + register: noexec_match + +# if no match, collect current options and add noexec +- name: '{{{ rule_title }}} - Collect previously configured options' + ansible.builtin.shell: + cmd: sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' /usr/lib/systemd/system/tmp.mount + register: current_options + when: + - noexec_match is defined and noexec_match.found == 0 + + +- name: '{{{ rule_title }}} - Add noexec option to previously configured options' + ansible.builtin.shell: + cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount + when: + - noexec_match.found == 0 and current_options is defined diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh new file mode 100644 index 000000000000..9f694b9bb9d3 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh 
@@ -0,0 +1,23 @@ +# platform = SUSE Linux Enterprise 16 +# reboot = true +# strategy = configure +# complexity = low +# disruption = low + +tmp_mount_file="/usr/lib/systemd/system/tmp.mount" + +# if already set, skip +if grep -qE '^[\s]*Options=[\s]*.*noexec.*$' ${tmp_mount_file}; then + echo "noexec option already present, skipping remediation" + exit 0 +fi + +# no options set, add it +if ! grep -qE '^[\s]*Options=[\s]*.*$' ${tmp_mount_file}; then + echo "Options=noexec" >> ${tmp_mount_file} +else + # collect currently set options + current_options=$(sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' ${tmp_mount_file}) + # add noexec to current options and replace + sed -i "s/^Options=.*/Options=${current_options},noexec/g" ${tmp_mount_file} +fi diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml new file mode 100644 index 000000000000..81bec910ddfd --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml 
@@ -0,0 +1,18 @@ +<def-group> + <definition class="compliance" id="mount_option_tmp_noexec" version="1"> + {{{ oval_metadata("ensure tmp.mount services has noexec option configured.") }}} + <criteria> + <criterion comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" test_ref="test_tmp_mount_noexec_option" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" id="test_tmp_mount_noexec_option" version="1"> + <ind:object object_ref="object_tmp_mount_noexec_option" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_tmp_mount_noexec_option" comment="Options has noexec set in /usr/lib/systemd/system/tmp.mount" version="1"> + <ind:filepath>/usr/lib/systemd/system/tmp.mount</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*Options=.*noexec.*$</ind:pattern> + <ind:instance datatype="int" operation="equals">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml index 735018892a8c..75fb0ec5f6c6 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-87095-6 cce@sle12: CCE-91586-8 cce@sle15: CCE-91272-5 + cce@sle16: CCE-96696-0 cce@slmicro5: CCE-94079-1 references: @@ -39,7 +40,7 @@ references: srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040125 -{{% if product == 'slmicro5' %}} +{{% if product in ['slmicro5', 'sle16'] %}} platform: system_with_kernel {{% else %}} platform: mount[tmp] 
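Review bot: The sle16 Ansible remediation in mount_option_tmp_noexec/ansible/sle16.yml never handles a tmp.mount with no `Options=` line: when `noexec_match.found == 0` and the `sed -n` in "Collect previously configured options" prints nothing, the final `sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g"` has nothing to replace and the rule stays unremediated, whereas bash/sle16.sh appends `Options=noexec` in that case. Add a task that inserts `Options=noexec` into the `[Mount]` section when `current_options.stdout` is empty (e.g. `ansible.builtin.lineinfile` with `insertafter: '^\[Mount\]'`), or replace both `shell` tasks with `lineinfile` using `backrefs: true` for the append case. Also, editing `/usr/lib/systemd/system/tmp.mount` in place is undone by the next systemd package update; a drop-in under `/etc/systemd/system/tmp.mount.d/` or a copy in `/etc/systemd/system/` is what systemd supports, and both remediations and the OVAL should target that.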
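Review bot: In bash/sle16.sh the patterns `'^[\s]*Options=[\s]*.*noexec.*$'` (grep -E) and `'s/^[\s]*Options=[\s]*\(.*\)$/\1/p'` (sed) put `\s` inside a bracket expression, where POSIX/GNU regexes treat it as a literal backslash or the letter `s`, not whitespace; because of the `*` the patterns still match an unindented `Options=` line, but leading blanks are neither tolerated nor stripped from the captured options. Use `[[:space:]]*` in the shell variant; the `[\s]` form is fine in the OVAL and Ansible variants (PCRE and Python regexes). The same concern about editing `/usr/lib/systemd/system/tmp.mount` in place applies here as in the Ansible variant.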
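Review bot: oval/sle16.xml only inspects `/usr/lib/systemd/system/tmp.mount`, so a system that sets `noexec` through `/etc/systemd/system/tmp.mount` or a drop-in under `/etc/systemd/system/tmp.mount.d/` (both of which take precedence over the /usr/lib unit) is reported as failing, while a system whose unit file carries `noexec` but has `tmp.mount` disabled is reported as passing; and since the rule.yml hunk now applies the rule on sle16 via `system_with_kernel` instead of `mount[tmp]`, nothing confirms that `/tmp` is actually a mount with `noexec`. Consider checking the effective mount options the way the shared `mount_option` template does, or at least matching the unit across the systemd search paths with a `filepath` pattern; also fix "tmp.mount services has" to "tmp.mount service has" in the `oval_metadata` description.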
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml index 1485f4d8ee99..cf0e126f67e2 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-87318-2 cce@sle12: CCE-91587-6 cce@sle15: CCE-91273-3 + cce@sle16: CCE-96573-1 references: cis-csc: 11,13,14,3,8,9 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml index 819040553a9d..e2cbb432ed89 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml @@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-89129-1 cce@sle12: CCE-91588-4 cce@sle15: CCE-91274-1 + cce@sle16: CCE-96444-5 references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml index 936812700f4d..5ec43738c51b 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-90639-6 cce@sle12: CCE-91589-2 cce@sle15: CCE-91275-8 + cce@sle16: CCE-95774-6 references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml index 1900132c63d8..87808eae8c22 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-90153-8 cce@sle12: CCE-91590-0 cce@sle15: CCE-91276-6 + cce@sle16: CCE-96551-7 platform: mount[var] diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml index 4ecbb408721f..d1a14d993188 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel10: CCE-89496-4 cce@sle12: CCE-91591-8 cce@sle15: CCE-91277-4 + cce@sle16: CCE-95884-3 {{{ complete_ocil_entry_mount_option("/var", "nosuid") }}} diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml index 5a49a43030a5..cce28561b5c0 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-87347-1 cce@sle12: CCE-91592-6 cce@sle15: CCE-91278-2 + cce@sle16: CCE-95723-3 references: cis@sle12: 1.1.12 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml index dbe30c165901..3b0d2f507d03 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml 
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml @@ -24,6 +24,7 @@ identifiers: cce@rhel10: CCE-87892-6 cce@sle12: CCE-91593-4 cce@sle15: CCE-91279-0 + cce@sle16: CCE-96199-5 references: cis@sle12: 1.1.14 diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml index 99fbd8321d5d..5db74d51bd52 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml @@ -66,7 +66,7 @@ warnings: platform: package[systemd] -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml index bd826b199009..793680264655 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml @@ -63,7 +63,7 @@ warnings: platform: package[systemd] -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml index 9f457c1f838b..c7f0e9bc4e9f 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml 
@@ -56,7 +56,7 @@ srg_requirement: '{{{ full_name }}} must disable core dumps for all users.' platform: package[pam] -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml index 58b2fe312066..296ea17c8df0 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml @@ -45,7 +45,7 @@ fixtext: '{{{ fixtext_service_disabled("systemd-coredump") }}}' srg_requirement: '{{{ srg_requirement_service_disabled("systemd-coredump") }}}' -{{% if product in ["rhel8", "rhel9"] %}} +{{% if product in ["ol8", "ol9", "rhel8", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index c6116f14cf9a..dcd1619f190b 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-88686-1 cce@sle12: CCE-83125-5 cce@sle15: CCE-83299-8 + cce@sle16: CCE-96503-8 cce@slmicro5: CCE-93627-8 cce@slmicro6: CCE-94727-5 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml index 8d95be5ac6b1..174866b22b55 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml @@ -4,9 +4,16 @@ # complexity = low # disruption = medium +- name: "{{{ rule_title }}} - Set fact for sysctl paths" + ansible.builtin.set_fact: + sysctl_paths: + - "/etc/sysctl.d/" + - "/run/sysctl.d/" + - "/usr/local/lib/sysctl.d/" + - name: "{{{ rule_title }}} - Find all files that contain kernel.core_pattern" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false @@ -14,7 +21,7 @@ - name: "{{{ rule_title }}} - Find all files that set kernel.core_pattern to correct value" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' register: find_correct_value check_mode: false changed_when: false 
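Review bot: The two `find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf'` commands in sysctl_kernel_core_pattern_empty_string/ansible/shared.yml now cover `/etc/sysctl.d/`, `/run/sysctl.d/` and `/usr/local/lib/sysctl.d/` but no longer `/etc/sysctl.conf`, and unlike bash/shared.sh (which skips `/etc/sysctl.d/99-sysctl.conf` when `readlink -f` resolves it to `/etc/sysctl.conf`) nothing here skips that symlink: under `-L` it satisfies `-type f`, so the later `replace` loop edits `/etc/sysctl.conf` through the link and a separate task edits it again. Exclude it with `! -xtype l` in the find, or filter `find_all_values.stdout_lines` on the resolved path, so the two remediations treat the symlink the same way.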
@@ -23,15 +30,23 @@ - name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from config files" ansible.builtin.replace: path: '{{ item | split(":") | first }}' - regexp: ^[\s]*kernel.core_pattern + regexp: '^[\s]*kernel.core_pattern' replace: '#kernel.core_pattern' loop: '{{ find_all_values.stdout_lines }}' when: find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length +- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf" + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^[\s]*kernel.core_pattern' + replace: '#kernel.core_pattern' + with_fileglob: + - "/etc/sysctl.conf" + - name: "{{{ rule_title }}} - Ensure sysctl kernel.core_pattern is set to empty" ansible.posix.sysctl: - name: kernel.core_pattern - value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces - sysctl_file: "/etc/sysctl.conf" + name: "kernel.core_pattern" + value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces + sysctl_file: "/etc/sysctl.d/kernel_core_pattern.conf" state: present - reload: true + reload: yes diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh index 2b2f1cd70b66..301e434e8c03 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh 
@@ -5,49 +5,39 @@ # disruption = medium # Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) + if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f + sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE='/etc/sysctl.d/kernel_core_pattern.conf' + # # Set runtime for kernel.core_pattern # -/sbin/sysctl -q -n -w kernel.core_pattern="" +if {{{ bash_not_bootc_build() }}} ; then + /sbin/sysctl -q -n -w kernel.core_pattern="" +fi # # If kernel.core_pattern present in /etc/sysctl.conf, change value to empty # else, add "kernel.core_pattern =" to /etc/sysctl.conf # -# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -# Otherwise, regular sed command will do. -sed_command=('sed' '-i') -if test -L "/etc/sysctl.conf"; then - sed_command+=('--follow-symlinks') -fi - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") -# shellcheck disable=SC2059 -printf -v formatted_output "%s=" "$stripped_key" +sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -else - # \n is precaution for case where file ends without trailing newline - - printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -fi +{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^kernel.core_pattern', '', cce_identifiers=cce_identifiers) }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml index 3fba84e44eac..8005c5990f02 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml 
@@ -37,155 +37,68 @@ </unix:sysctl_state> </def-group> + <def-group> <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3"> {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.", rule_title=rule_title) }}} - <criteria operator="AND"> - <criteria operator="OR"> - <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf" - test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/> - <!-- see sysctl.d(5) --> - <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf" - test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/> - <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf" - test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/> + <criteria operator="OR"> + <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in sysctl files not managed by packages" + test_ref="test_sysctl_kernel_core_pattern_empty_string_static_user"/> + <criteria operator="AND"> + <criterion comment="kernel static parameter kernel.core_pattern missing in sysctl files not managed by packages" + test_ref="test_sysctl_kernel_core_pattern_empty_string_static_user_missing"/> + <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in sysctl files managed by packages" + test_ref="test_sysctl_kernel_core_pattern_empty_string_static_pkg_correct"/> </criteria> - <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" /> </criteria> </definition> - <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1" + <!-- Test: user files have correct value --> + <ind:textfilecontent54_test 
id="test_sysctl_kernel_core_pattern_empty_string_static_user" version="1" check="all" check_existence="all_exist" comment="kernel.core_pattern static configuration" state_operator="OR"> - <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/> + <ind:object object_ref="object_static_user_sysctl_kernel_core_pattern_empty_string"/> <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/> </ind:textfilecontent54_test> - <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all" - comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> - <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/> - <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/> - + <!-- Test: user files are missing (none_exist) --> + <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_user_missing" version="1" + check="all" check_existence="none_exist" + comment="kernel.core_pattern static configuration" state_operator="AND"> + <ind:object object_ref="object_static_user_sysctl_kernel_core_pattern_empty_string"/> </ind:textfilecontent54_test> - <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all" - comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR"> - <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/> + <!-- Test: package-managed files have correct value --> + <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_pkg_correct" version="2" + check="all" check_existence="all_exist" + comment="kernel.core_pattern static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> + <ind:object 
object_ref="object_static_usr_lib_sysctld_sysctl_kernel_core_pattern_empty_string"/> <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/> - </ind:textfilecontent54_test> -{{% if target_oval_version >= [5, 11] %}} - <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern" - id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1"> - <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" /> - <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" /> - </ind:variable_test> - - <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1"> - <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref> - </ind:variable_object> - - <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1"> - <ind:value operation="equals" datatype="int">1</ind:value> - </ind:variable_state> - - <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1"> - <count> - <unique> - <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" /> - </unique> - </count> - </local_variable> - - <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1"> - <set> - <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference> - <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter> - </set> - </ind:textfilecontent54_object> - <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1"> - <ind:filepath operation="equals" var_check="at least one" 
var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" /> - </ind:textfilecontent54_state> - - <!-- <no symlink handling> --> - <!-- We craft a variable with blank string to combine with the symlink paths found. - This ultimately avoids referencing a variable with "no values", - we reference a variable with a blank string --> - <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1"> - <unique> - <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" /> - </unique> - </local_variable> - - <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1"> - <set> - <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference> - <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference> - </set> - </ind:variable_object> - - <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1"> - <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref> - </ind:variable_object> - - <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1"> - <literal_component datatype="string"></literal_component> - </local_variable> - - <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1"> - <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref> - </ind:variable_object> - <!-- </no symlink handling> --> - - <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" 
version="1"> - <unique> - <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" /> - </unique> - </local_variable> - - <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not. - Workaround by querying for all conf files found --> - <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1"> - <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" /> - <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter> - </unix:symlink_object> - - <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not: - ^/etc/sysctl.conf$ - ^/etc/sysctl.d/.*$ - ^/run/sysctl.d/.*$ - ^/usr/lib/sysctl.d/.*$ --> - <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1"> - <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path> - </unix:symlink_state> -{{% endif %}} - <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1"> - <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" /> - </local_variable> - - <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the - variable to have no value even when there are valid objects. 
--> - <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1"> + <!-- User files: union of etc + run + usr/local/lib --> + <ind:textfilecontent54_object id="object_static_user_sysctl_kernel_core_pattern_empty_string" version="1"> <set> - <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference> - <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference> + <object_reference>object_static_etc_lib_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference> + <object_reference>object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference> </set> </ind:textfilecontent54_object> - <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1"> + <ind:textfilecontent54_object id="object_static_etc_lib_sysctls_sysctl_kernel_core_pattern_empty_string" version="1"> <set> <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference> <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference> </set> </ind:textfilecontent54_object> - <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1"> + <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern_empty_string" version="1"> <set> + <object_reference>object_static_usr_local_lib_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference> <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference> </set> </ind:textfilecontent54_object> + <!-- Individual directory objects --> <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath> <ind:pattern operation="pattern 
match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern> @@ -205,6 +118,23 @@ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> + + <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_sysctl_kernel_core_pattern_empty_string" version="1"> + <ind:path>/usr/local/lib/sysctl.d</ind:path> + <ind:filename operation="pattern match">^.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <!-- Package-managed files: /usr/lib/sysctl.d/ --> + <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_sysctl_kernel_core_pattern_empty_string" version="1"> + <ind:path>/usr/lib/sysctl.d</ind:path> + <ind:filename operation="pattern match">^.*\.conf$</ind:filename> + <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <!-- State: subexpression must be empty string --> <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1"> <ind:subexpression operation="equals" datatype="string"></ind:subexpression> </ind:textfilecontent54_state> diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml index ea7ed7dd56c9..7848282d36d4 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml 
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-87060-0 cce@sle12: CCE-91566-0 cce@sle15: CCE-91256-8 + cce@sle16: CCE-96441-1 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml index 4978ee7b55fa..d5e0ff2d7630 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_panic_on_oops/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel8: CCE-87666-4 cce@rhel9: CCE-88666-3 cce@rhel10: CCE-88293-6 + cce@sle16: CCE-96624-2 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.panic_on_oops", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml index 4193087a450b..efa5539867f5 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_cpu_time_max_percent/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel10: CCE-87824-9 cce@sle12: CCE-91567-8 cce@sle15: CCE-91257-6 + cce@sle16: CCE-95810-8 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_cpu_time_max_percent", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml index a9cd4ecb8b02..311c2a720ae3 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml 
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_max_sample_rate/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel10: CCE-88924-6 cce@sle12: CCE-91569-4 cce@sle15: CCE-91259-2 + cce@sle16: CCE-96293-6 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_max_sample_rate", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml index 0a3b7150118e..15066db66a1a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel10: CCE-90142-1 cce@sle12: CCE-91568-6 cce@sle15: CCE-91258-4 + cce@sle16: CCE-96571-5 references: nist: AC-6 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml index d4fdaab86b80..d87e5a513942 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_pid_max/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel10: CCE-88134-2 cce@sle12: CCE-91570-2 cce@sle15: CCE-91260-0 + cce@sle16: CCE-95760-5 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.pid_max", value="65536") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml index 61cb3a8d4f6c..7a4c299a370b 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_sysrq/rule.yml 
@@ -19,6 +19,7 @@ identifiers: cce@rhel10: CCE-90232-0 cce@sle12: CCE-91571-0 cce@sle15: CCE-91261-8 + cce@sle16: CCE-96062-5 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.sysrq", value="0") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml index 53af78ce203b..d2d1e2cf9284 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-82974-7 cce@rhel9: CCE-83957-1 cce@rhel10: CCE-89405-5 + cce@sle16: CCE-96676-2 references: nist: AC-6,SC-7(10) diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml index 2c6e83019b64..3a56b472e039 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-88785-1 cce@sle12: CCE-91572-8 cce@sle15: CCE-91262-6 + cce@sle16: CCE-96674-7 references: nist: SC-7(10) diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml index e05977fecfbb..49c4d362a87a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel8: CCE-82934-1 cce@rhel9: CCE-83966-2 cce@rhel10: CCE-89631-6 + cce@sle16: CCE-96656-4 references: nist: CM-6,SC-7(10) 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml index 3b247e01b199..581d1200fe48 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_vm_mmap_min_addr/rule.yml @@ -19,6 +19,7 @@ identifiers: cce@rhel10: CCE-87534-4 cce@sle12: CCE-91573-6 cce@sle15: CCE-91263-4 + cce@sle16: CCE-96371-0 {{{ complete_ocil_entry_sysctl_option_value(sysctl="vm.mmap_min_addr", value="65536") }}} diff --git a/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml index 96333381c14e..4cf322bb6f65 100644 --- a/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml +++ b/linux_os/guide/system/selinux/directory_groupowner_etc_selinux/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86274-8 cce@rhel10: CCE-87637-5 cce@sle15: CCE-92501-6 + cce@sle16: CCE-96054-2 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/selinux", group="root") }}}' diff --git a/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml index 5f14cf353776..5273edd45640 100644 --- a/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml +++ b/linux_os/guide/system/selinux/directory_owner_etc_selinux/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86271-4 cce@rhel10: CCE-89309-9 cce@sle15: CCE-92510-7 + cce@sle16: CCE-96414-8 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/selinux", owner="root") }}}' diff --git a/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml b/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml index b2bbcef59795..1428e4d9ff4a 100644 --- a/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml 
+++ b/linux_os/guide/system/selinux/directory_permissions_etc_selinux/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86279-7 cce@rhel10: CCE-87997-3 cce@sle15: CCE-92524-8 + cce@sle16: CCE-96570-7 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/selinux", perms="0755") }}}' diff --git a/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml index 73216cabd0aa..96b0d62306f2 100644 --- a/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml +++ b/linux_os/guide/system/selinux/file_groupowner_etc_sestatus_conf/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86288-8 cce@rhel9: CCE-86289-6 cce@rhel10: CCE-89741-3 + cce@sle16: CCE-95848-8 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sestatus.conf", group="root") }}}' diff --git a/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml index ba62bf3c001b..923c2deafc18 100644 --- a/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml +++ b/linux_os/guide/system/selinux/file_owner_etc_sestatus_conf/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86285-4 cce@rhel9: CCE-86286-2 cce@rhel10: CCE-86503-0 + cce@sle16: CCE-95806-6 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sestatus.conf", owner="root") }}}' diff --git a/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml b/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml index 0ae5fea5b3bb..23c360f25e80 100644 --- a/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml +++ b/linux_os/guide/system/selinux/file_permissions_etc_sestatus_conf/rule.yml 
@@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86291-2 cce@rhel9: CCE-86293-8 cce@rhel10: CCE-90692-5 + cce@sle16: CCE-95722-5 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sestatus.conf", perms="0644") }}}' diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml index 38c97f2e8870..4ddfa4f42c56 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15,multi_platform_almalinux +# platform = SUSE Linux Enterprise 15,SUSE Linux Enterprise 16,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh index 997a564e0c71..b9c10607aa7b 100644 --- a/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh +++ b/linux_os/guide/system/selinux/grub2_enable_selinux/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_fedora,multi_platform_ol,SUSE Linux Enterprise 15,multi_platform_almalinux +# platform = SUSE Linux Enterprise 15,SUSE Linux Enterprise 16,multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* 
diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml index c203843bb30c..2578c0675617 100644 --- a/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml +++ b/linux_os/guide/system/selinux/package_setroubleshoot-plugins_removed/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-89365-1 cce@sle12: CCE-91582-7 cce@sle15: CCE-91269-1 + cce@sle16: CCE-96431-2 {{{ complete_ocil_entry_package(package="setroubleshoot-plugins") }}} diff --git a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml index 2e64ff92ed3e..b4d07c4ba6f2 100644 --- a/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml +++ b/linux_os/guide/system/selinux/package_setroubleshoot-server_removed/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-89569-8 cce@sle12: CCE-91580-1 cce@sle15: CCE-91267-5 + cce@sle16: CCE-96268-8 {{{ complete_ocil_entry_package(package="setroubleshoot-server") }}} diff --git a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml index 5948b2d9202c..8c8fd76fa459 100644 --- a/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml +++ b/linux_os/guide/system/selinux/package_setroubleshoot_removed/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-89902-1 cce@sle12: CCE-91581-9 cce@sle15: CCE-91268-3 + cce@sle16: CCE-96597-0 template: name: package_removed diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml index 54e9870d16ed..1c5b8900ad3a 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml 
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-87708-4 cce@sle12: CCE-91575-1 cce@sle15: CCE-91265-9 + cce@sle16: CCE-96278-7 {{{ complete_ocil_entry_sebool_var(sebool="deny_execmem") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml index 98f8fb788a78..dc41037d27f1 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml @@ -18,6 +18,7 @@ identifiers: cce@rhel10: CCE-88652-3 cce@sle12: CCE-91579-3 cce@sle15: CCE-91238-6 + cce@sle16: CCE-95753-0 {{{ complete_ocil_entry_sebool_var(sebool="polyinstantiation_enabled") }}} diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml index 33e7510ffbae..778bfb653bff 100644 --- a/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml +++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@rhel10: CCE-90429-2 cce@sle12: CCE-91574-4 cce@sle15: CCE-91264-2 + cce@sle16: CCE-95928-8 {{{ complete_ocil_entry_sebool_disabled(sebool="ssh_sysadm_login") }}} diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml index 756897defedf..b3a694a27ed0 100644 --- a/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml +++ b/linux_os/guide/system/selinux/selinux_not_disabled/ansible/shared.yml 
@@ -4,19 +4,22 @@ # complexity = low # disruption = low -- name: "{{{ rule_title }}} - Check current SELinux state" +- name: "{{{ rule_title }}} - Check current SELinux configuration" ansible.builtin.command: - cmd: getenforce - register: current_selinux_state + cmd: grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config + register: selinux_config_state check_mode: false changed_when: false + failed_when: false -{{{ ansible_selinux_config_set(parameter="SELINUX", value="permissive", rule_title=rule_title) }}} +- name: "{{{ rule_title }}} - Set SELinux state to permissive if disabled or not configured" + block: + {{{ ansible_selinux_config_set(parameter="SELINUX", value="permissive", rule_title=rule_title) | indent(4) }}} -- name: "{{{ rule_title }}} - Mark system to relabel SELinux on next boot" - ansible.builtin.file: - path: /.autorelabel - state: touch - access_time: preserve - modification_time: preserve - when: current_selinux_state.stdout | lower != "permissive" + - name: "{{{ rule_title }}} - Mark system to relabel SELinux on next boot" + ansible.builtin.file: + path: /.autorelabel + state: touch + access_time: preserve + modification_time: preserve + when: selinux_config_state.stdout not in ['enforcing', 'permissive'] diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh b/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh index 95b0795ea481..c5e6dd817545 100644 --- a/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh +++ b/linux_os/guide/system/selinux/selinux_not_disabled/bash/shared.sh 
@@ -4,6 +4,16 @@ # complexity = low # disruption = low -{{{ bash_selinux_config_set(parameter="SELINUX", value="permissive", rule_id=rule_id) }}} +# Check current SELinux state in config file +selinux_current_state="" +if [ -f "/etc/selinux/config" ]; then + selinux_current_state=$(grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config || true) +fi -fixfiles onboot +# Only remediate if SELinux is disabled or not configured +# If already set to enforcing or permissive, it's compliant - preserve the current state +if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]; then + # SELinux is disabled or not configured, set to permissive as a conservative approach + {{{ bash_selinux_config_set(parameter="SELINUX", value="permissive", rule_id=rule_id) }}} + fixfiles onboot +fi diff --git a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml index e9648d4d2235..73fe9ca6df76 100644 --- a/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml +++ b/linux_os/guide/system/selinux/selinux_not_disabled/rule.yml @@ -9,7 +9,8 @@ description: |- <pre>SELINUX=enforcing</pre> OR <pre>SELINUX=permissive</pre> - Ensure that all files have correct SELinux labels by running: + If SELinux is currently disabled or not configured, ensure that all files have correct SELinux + labels by running: <pre>fixfiles onboot</pre> Then reboot the system. @@ -40,7 +41,11 @@ ocil: |- fixtext: |- Configure {{{ full_name }}} to enable SELinux. - Edit the file <tt>/etc/selinux/config</tt> and add or modify the following line: + If SELinux is currently set to "enforcing" or "permissive" in /etc/selinux/config, + the system is compliant and no changes are needed. + + If SELinux is disabled or not configured, edit the file <tt>/etc/selinux/config</tt> + and add or modify the following line: <pre>SELINUX=enforcing</pre> OR <pre>SELINUX=permissive</pre> 
@@ -49,7 +54,9 @@ fixtext: |- warnings: - general: |- - In case the SELinux is "disabled", the automated remediation will adopt a more - conservative approach and set it to "permissive" in order to avoid any system disruption - and give the administrator the opportunity to assess the impact and necessary efforts - before setting it to "enforcing", which is strongly recommended. + The automated remediation checks the SELinux configuration in /etc/selinux/config. + If SELinux is already set to "enforcing" or "permissive", the current state is preserved + and no changes are made. If SELinux is "disabled" or not configured, the remediation will + adopt a conservative approach and set it to "permissive" in order to avoid any system + disruption and give the administrator the opportunity to assess the impact and necessary + efforts before setting it to "enforcing", which is strongly recommended. diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml index 01c898effa81..11ea801cb32c 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml @@ -22,7 +22,7 @@ identifiers: cce@rhel10: CCE-90755-0 cce@sle12: CCE-91484-6 cce@sle15: CCE-91176-8 - + cce@sle16: CCE-96430-4 {{{ complete_ocil_entry_separate_partition(part="/boot") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml index f20cf960ae8e..9ea58be5c905 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml 
@@ -23,6 +23,7 @@ identifiers: cce@rhel10: CCE-88231-6 cce@sle12: CCE-83152-9 cce@sle15: CCE-85639-3 + cce@sle16: CCE-95729-0 cce@slmicro5: CCE-93796-1 cce@slmicro6: CCE-95066-7 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml index dbb3529e26d0..077f8b781141 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_opt/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-90750-1 cce@sle12: CCE-91485-3 cce@sle15: CCE-91177-6 + cce@sle16: CCE-96081-5 {{{ complete_ocil_entry_separate_partition(part="/opt") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml index 871ce4fc85ed..773ee54cce20 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_srv/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel10: CCE-88936-0 cce@sle12: CCE-91486-1 cce@sle15: CCE-91178-4 + cce@sle16: CCE-95922-1 {{{ complete_ocil_entry_separate_partition(part="/srv") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml index a91af9b298db..ec9a94703a6b 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_usr/rule.yml @@ -21,7 +21,7 @@ identifiers: cce@rhel10: CCE-90748-5 cce@sle12: CCE-91488-7 cce@sle15: CCE-91180-0 - + cce@sle16: CCE-96274-6 {{{ complete_ocil_entry_separate_partition(part="/usr") }}} 
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml index 98f4a53535fe..0c9ca10087f2 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-89166-3 cce@sle12: CCE-83153-7 cce@sle15: CCE-85640-1 + cce@sle16: CCE-95761-3 cce@slmicro5: CCE-93797-9 cce@slmicro6: CCE-95067-5 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml index 267652595db1..4afdabd4c279 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-88355-3 cce@sle12: CCE-91489-5 cce@sle15: CCE-91181-8 + cce@sle16: CCE-95945-2 references: cis-csc: 1,12,14,15,16,3,5,6,8 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml index c83b50a9f044..80b218b85f76 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml @@ -22,6 +22,7 @@ identifiers: cce@rhel10: CCE-87694-6 cce@sle12: CCE-91490-3 cce@sle15: CCE-91182-6 + cce@sle16: CCE-96245-6 references: cis@sle12: 1.1.11 diff --git a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml index 6f6532637e10..946e387e60c7 100644 --- a/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml 
+++ b/linux_os/guide/system/software/disk_partitioning/systemd_tmp_mount_enabled/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel8: CCE-86890-1 cce@rhel9: CCE-86891-9 cce@rhel10: CCE-89797-5 + cce@sle16: CCE-96195-3 ocil: |- {{{ ocil_systemd_mount_enabled("tmp") }}} diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml index c6d042fb3ba3..df0e3739cdc3 100644 --- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/ansible/shared.yml @@ -4,9 +4,4 @@ # complexity = low # disruption = medium -- name: "Configure GNOME3 DConf User Profile" - ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" - create: yes - state: present +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/bash/shared.sh b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/bash/shared.sh index 06ba69b527b3..a0f5289b7df6 100644 --- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/bash/shared.sh @@ -1,3 +1,3 @@ # platform = multi_platform_sle -echo -e 'user-db:user\nsystem-db:gdm' > /etc/dconf/profile/gdm +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml index d7ef96c9dce7..1d1453d42a41 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml 
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/ansible/shared.yml @@ -21,6 +21,10 @@ create: yes register: result_lineinfile +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} + - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/bash/shared.sh index 418467e2393d..4041b82f06fb 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/bash/shared.sh @@ -5,5 +5,9 @@ {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} + {{{ bash_dconf_settings("org/gnome/login-screen", "disable-user-list", "true", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/login-screen", "disable-user-list", dconf_gdm_dir, "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml index 9d2f897592bb..a30d3e50ba2e 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/policy/stig/shared.yml 
@@ -19,9 +19,9 @@ fixtext: |- Configure {{{ full_name }}} to disable the user list at logon for graphical user interfaces. Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "{{{ dconf_gdm_dir }}}" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - $ sudo touch /etc/dconf/db/local.d/02-login-screen + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/02-login-screen [org/gnome/login-screen] disable-user-list=true @@ -29,4 +29,3 @@ fixtext: |- Update the system databases: $ sudo dconf update - diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/bash/shared.sh index 21e8eae8050b..501d4a066b6e 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/bash/shared.sh 
@@ -1,11 +1,9 @@ # platform = multi_platform_sle,multi_platform_slmicro -if ! (sed -n '/^DISPLAYMANAGER_AUTOLOGIN=\"\"/p' /etc/sysconfig/displaymanager) -then +if ! grep -q '^DISPLAYMANAGER_AUTOLOGIN=""' /etc/sysconfig/displaymanager; then sed -i "s/^DISPLAYMANAGER_AUTOLOGIN=.*/DISPLAYMANAGER_AUTOLOGIN=\"\"/g" /etc/sysconfig/displaymanager fi -if ! (sed -n '/^DISPLAYMANAGER_PASSWORD_LESS_LOGIN=\"no\"/p' /etc/sysconfig/displaymanager) -then +if ! grep -q '^DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"' /etc/sysconfig/displaymanager; then sed -i "s/^DISPLAYMANAGER_PASSWORD_LESS_LOGIN=.*/DISPLAYMANAGER_PASSWORD_LESS_LOGIN=\"no\"/g" /etc/sysconfig/displaymanager fi diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml index 4f228f0c3a4a..ac8e9953350d 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml @@ -11,9 +11,7 @@ title: 'Disable XDMCP in GDM' {{% endif %}} description: |- - XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. - {{{ weblink("https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity", "XDMCP Gnome docs") }}}. - + XDMCP is an unencrypted protocol, and therefore, presents a security risk. To disable XDMCP support in Gnome, set <code>Enable</code> to <code>false</code> under the <code>[xdmcp]</code> configuration section in <code>{{{ gdm_conf_path }}}</code>. For example: <pre> [xdmcp] diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml index 3a44e002d5c9..7781bf9f6818 100644 
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml @@ -5,7 +5,11 @@ # disruption = medium - name: "Disable GNOME3 Automounting - automount" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings +{{% else %}} dest: /etc/dconf/db/local.d/00-security-settings +{{% endif %}} section: org/gnome/desktop/media-handling option: automount value: "false" @@ -15,20 +19,18 @@ - name: "Prevent user modification of GNOME3 Automounting - automount" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/media-handling/automount$' line: '/org/gnome/desktop/media-handling/automount' create: yes register: result_lineinfile -# apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} -- name: "Configure GNOME3 DConf User Profile" - ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" - create: yes - state: present +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} - name: Dconf Update diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh index cb549a403266..0fc5cf0727ac 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh 
@@ -8,7 +8,9 @@ # apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} -{{% endif %}} - +{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml index 35d7819f6072..e84d9434d7c6 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml @@ -20,7 +20,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$</ind:pattern> <ind:instance datatype="int">1</ind:instance> 
@@ -33,7 +37,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml index d4c138569ff3..18d34513ebe2 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml @@ -7,12 +7,12 @@ description: |- The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount within GNOME3, add or set - <tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>. + <tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/media-handling] automount=false</pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/media-handling/automount</pre> After the settings have been set, run <tt>dconf update</tt>. 
@@ -51,6 +51,5 @@ ocil: |- <pre>$ gsettings get org.gnome.desktop.media-handling automount</pre> If properly configured, the output for <tt>automount</tt> should be <tt>false</tt>. To ensure that users cannot enable automount in GNOME3, run the following: - <pre>$ grep 'automount' /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep 'automount' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output for <tt>automount</tt> should be <tt>/org/gnome/desktop/media-handling/automount</tt> - diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh index 7d4b240f1bef..5efc7755c127 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh @@ -8,6 +8,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings" - +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh index 4f7194e4915b..27ec3eb39bb4 100644 
--- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/missing_profiles.fail.sh @@ -8,5 +8,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh index af2b99f699e1..a6ad1796e7e2 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh @@ -7,5 +7,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" +{{% endif %}} 
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml index b807cc913da5..ba9b7ef40073 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml @@ -5,7 +5,11 @@ # disruption = medium - name: "Disable GNOME3 Automounting - automount-open" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings +{{% else %}} dest: /etc/dconf/db/local.d/00-security-settings +{{% endif %}} section: org/gnome/desktop/media-handling option: automount-open value: "false" @@ -15,20 +19,18 @@ - name: "Prevent user modification of GNOME3 Automounting - automount-open" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/media-handling/automount-open$' line: '/org/gnome/desktop/media-handling/automount-open' create: yes register: result_lineinfile -# apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} -- name: "Configure GNOME3 DConf User Profile" - ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" - create: yes - state: present +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} - name: Dconf Update 
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh index fb7ce9c74e2a..8f3790bd0722 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh @@ -8,7 +8,9 @@ # apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} -{{% endif %}} - +{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", dconf_gdm_dir , "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml index d4000f292d26..be74ea547fa2 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml 
@@ -20,7 +20,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$</ind:pattern> <ind:instance datatype="int">1</ind:instance> @@ -33,7 +37,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml index 1e0636944e3a..6757aeabd6d5 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml 
@@ -7,12 +7,12 @@ description: |- The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable automount-open within GNOME3, add or set - <tt>automount-open</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>. + <tt>automount-open</tt> to <tt>false</tt> in <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/media-handling] automount-open=false</pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/media-handling/automount-open</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -52,7 +52,7 @@ ocil: |- <pre>$ gsettings get org.gnome.desktop.media-handling automount-open</pre> If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>. To ensure that users cannot enable automount opening in GNOME3, run the following: - <pre>$ grep 'automount-open' /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep 'automount-open' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/automount-open</tt> diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh index 4539136d777d..1abf5d412314 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh 
+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh @@ -8,7 +8,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" - - +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh index 21c8d7c2f7a0..73b45031cd11 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/missing_profiles.fail.sh @@ -8,5 +8,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings" +{{% endif %}} 
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml index cb6e011ff7ea..f5349391234d 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml @@ -1,11 +1,15 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable GNOME3 Automounting - autorun-never" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings +{{% else %}} dest: /etc/dconf/db/local.d/00-security-settings +{{% endif %}} section: org/gnome/desktop/media-handling option: autorun-never value: "true" @@ -15,7 +19,11 @@ - name: "Prevent user modification of GNOME3 Automounting - autorun-never" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/media-handling/autorun-never$' line: '/org/gnome/desktop/media-handling/autorun-never' create: yes @@ -24,3 +32,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} 
diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh index a0f809515812..35ce8adc2d9a 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh @@ -5,5 +5,11 @@ {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} {{% endif %}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml index 976ac69ae151..e7f55bf5d43f 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml 
@@ -20,7 +20,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_dconf_gnome_disable_autorun" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$</ind:pattern> <ind:instance datatype="int">1</ind:instance> @@ -33,7 +37,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_gnome_autorun" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml index 6bd3a7d1c5cf..55fc533a287c 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml 
@@ -7,12 +7,12 @@ description: |- The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. To disable autorun-never within GNOME3, add or set - <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>. + <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/media-handling] autorun-never=true</pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/media-handling/autorun-never</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -51,7 +51,7 @@ ocil: |- <pre>$ gsettings get org.gnome.desktop.media-handling autorun-never</pre> If properly configured, the output for <tt>autorun-never</tt>should be <tt>true</tt>. To ensure that users cannot enable autorun in GNOME3, run the following: - <pre>$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep 'autorun-never' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt> diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh index 4dc8e1444d97..35a93fead2eb 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh 
@@ -8,5 +8,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh index 85dd9a330681..a7991c7f5383 100644 --- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/missing_profiles.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ubuntu # packages = gdm,dconf # profiles = xccdf_org.ssgproject.content_profile_stig @@ -8,5 +8,10 @@ install_dconf_and_gdm_if_needed clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings" +{{% endif %}} 
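Review bot: the new SLE branches in `correct_value.pass.sh` and `missing_profiles.fail.sh` copy the lock file name `"00-security-settings"` from the existing branch, whereas the ansible and bash remediations in this PR write the lock to `00-security-settings-lock`; the OVAL object accepts any file name in `locks/` (`^.*$`), so the scenarios still behave, but the fixture should mirror the remediation (`add_dconf_lock ... "{{{ dconf_gdm_dir }}}" "00-security-settings-lock"`) so that a later tightening of the filename pattern does not silently turn the pass test into a fail. Both branches of each `{{% if product in ['sle15', 'sle16'] %}}` block differ only in the directory argument; a single `{{% set %}}` of the directory at the top of the script would remove the duplicated lines.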
diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml index d11221f62506..708b572f31e7 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/ansible/shared.yml @@ -5,7 +5,11 @@ # disruption = medium - name: "Require Credential Prompting for Remote Access in GNOME3" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings +{{% else %}} dest: /etc/dconf/db/local.d/00-security-settings +{{% endif %}} section: org/gnome/Vino option: authentication-methods value: "['vnc']" @@ -15,7 +19,11 @@ - name: "Prevent user modification of GNOME3 Credential Prompting for Remote Access" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/Vino/authentication-methods$' line: '/org/gnome/Vino/authentication-methods' create: yes @@ -24,3 +32,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh index 872cc4bad130..f42aab8bc6a3 100644 
--- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/bash/shared.sh @@ -1,5 +1,10 @@ # platform = multi_platform_all - +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_settings("org/gnome/Vino", "authentication-methods", "['vnc']", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/Vino", "authentication-methods", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/Vino", "authentication-methods", "['vnc']", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/Vino", "authentication-methods", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml index c92bd856aaa2..d62647da25f0 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml 
@@ -18,7 +18,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_configure_remote_access_creds" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/Vino\]([^\n]*\n+)+?authentication-methods=\['vnc'\]$</ind:pattern> <ind:instance datatype="int">1</ind:instance> @@ -31,7 +35,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_remote_access_creds" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/Vino/authentication-methods$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml index 9cd95350def2..8da990470a3b 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/rule.yml 
@@ -7,12 +7,12 @@ description: |- By default, <tt>GNOME</tt> does not require credentials when using <tt>Vino</tt> for remote access. To configure the system to require remote credentials, add or set <tt>authentication-methods</tt> to <tt>['vnc']</tt> in - <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/Vino] authentication-methods=['vnc'] </pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/Vino/authentication-methods</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -41,7 +41,6 @@ ocil: |- <pre>$ gsettings get org.gnome.Vino authentication-methods</pre> If properly configured, the output should be <tt>false</tt>. To ensure that users cannot disable credentials for remote access, run the following: - <pre>$ grep authentication-methods /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep authentication-methods /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should be <tt>/org/gnome/Vino/authentication-methods</tt> - diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml index f57ab3f7d511..e7a50cac89f6 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/ansible/shared.yml 
@@ -5,7 +5,11 @@ # disruption = medium - name: "Require Encryption for Remote Access in GNOME3" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings +{{% else %}} dest: /etc/dconf/db/local.d/00-security-settings +{{% endif %}} section: org/gnome/Vino option: require-encryption value: "true" @@ -15,7 +19,11 @@ - name: "Prevent user modification of GNOME3 Encryption for Remote Access" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/Vino/require-encryption$' line: '/org/gnome/Vino/require-encryption' create: yes @@ -24,3 +32,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh index 51d61baf3068..944c461e081b 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/bash/shared.sh 
@@ -1,5 +1,10 @@ # platform = multi_platform_all - +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_settings("org/gnome/Vino", "require-encryption", "true", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/Vino", "require-encryption", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/Vino", "require-encryption", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/Vino", "require-encryption", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml index 39ba68f4f149..fe360890aa8e 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml @@ -18,7 +18,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_configure_remote_access_encryption" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/Vino\]([^\n]*\n+)+?require-encryption=true$</ind:pattern> <ind:instance datatype="int">1</ind:instance> 
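Review bot: the `{{% if product in ['sle15', 'sle16'] %}} ... {{% else %}} ... {{% endif %}}` wrapper around the `<ind:path>` element is now repeated for every object in every OVAL file touched here, and the same two-branch pattern is copied into each ansible task and bash script; computing the directory once (for example a Jinja `{{% set dconf_db_dir = dconf_gdm_dir if product in ['sle15', 'sle16'] else 'local.d' %}}` at the top of each file, or a product property so that `local.d` becomes the default and SLE overrides it) would collapse each pair of branches into one `<ind:path>/etc/dconf/db/{{{ dconf_db_dir }}}/</ind:path>` line and make the next product addition a one-line change. While doing that, pick one quoting style for the product list; this PR mixes `['sle15', 'sle16']` and `["sle15", "sle16"]`.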
@@ -31,7 +35,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_remote_access_encryption" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/Vino/require-encryption$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml index 12a8f4499433..1e3bb3e00e86 100644 --- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/rule.yml @@ -7,12 +7,12 @@ description: |- By default, <tt>GNOME</tt> requires encryption when using <tt>Vino</tt> for remote access. To prevent remote access encryption from being disabled, add or set <tt>require-encryption</tt> to <tt>true</tt> in - <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/Vino] require-encryption=true </pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/Vino/require-encryption</pre> After the settings have been set, run <tt>dconf update</tt>. 
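Review bot: the description hunk replaces `/etc/dconf/db/local.d/00-security-settings` and the lock path with `/etc/dconf/db/{{{ dconf_gdm_dir }}}/...` unconditionally, but the check and both remediations in this PR only use `dconf_gdm_dir` on sle15/sle16 and keep `local.d` for every other product; unless `dconf_gdm_dir` resolves to `local.d` on those products, the rendered guide will tell RHEL, Fedora, OL and AlmaLinux administrators to edit a file the OVAL never reads and the remediation never writes, and the OCIL `grep ... /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*` will miss the lock the remediation created. Wrap the description and OCIL paths in the same `{{% if product in ['sle15', 'sle16'] %}}` condition as the OVAL, or drive all of them from one variable; the identical unconditional substitution appears in the `dconf_gnome_disable_autorun`, `dconf_gnome_remote_access_credential_prompt` and `dconf_gnome_screensaver_idle_activation_enabled` rule.yml hunks in this PR.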
@@ -49,7 +49,6 @@ ocil: |- <pre>$ gsettings get org.gnome.Vino require-encrpytion</pre> If properly configured, the output should be <tt>true</tt>. To ensure that users cannot disable encrypted remote connections, run the following: - <pre>$ grep require-encryption /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep require-encryption /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should be <tt>/org/gnome/Vino/require-encryption</tt> - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml index dbccc97c5176..02b8b0430c14 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/ansible/shared.yml @@ -5,7 +5,11 @@ # disruption = medium - name: "Enable GNOME3 Screensaver Idle Activation" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings" +{{% else %}} dest: "/etc/dconf/db/local.d/00-security-settings" +{{% endif %}} section: "org/gnome/desktop/screensaver" option: "idle-activation-enabled" value: "true" @@ -15,7 +19,11 @@ - name: "Prevent user modification of GNOME idle-activation-enabled" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled$' line: '/org/gnome/desktop/screensaver/idle-activation-enabled' create: yes 
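Review bot: the OCIL hunk of `dconf_gnome_remote_access_encryption/rule.yml` (`@@ -49,7`) keeps the context line `gsettings get org.gnome.Vino require-encrpytion`, which misspells the key and will return an error rather than `true`, and the matching OCIL hunk in `dconf_gnome_remote_access_credential_prompt/rule.yml` (`@@ -41,7`) still says the expected output of `gsettings get org.gnome.Vino authentication-methods` is `false` while the remediation sets `['vnc']`. Since this PR already rewrites the `grep` line in both blocks, fix the key name to `require-encryption` and the expected value to `['vnc']` in the same change so the manual check agrees with the automated one.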
@@ -24,3 +32,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh index 571567335263..31ee53228b9b 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/bash/shared.sh @@ -1,5 +1,10 @@ # platform = multi_platform_all - +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "idle-activation-enabled", "true", dconf_gdm_dir , "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "idle-activation-enabled", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "idle-activation-enabled", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "idle-activation-enabled", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml index 849b09080d2a..7ed4cdd67f84 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml 
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml @@ -18,7 +18,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_idle_activation_enabled" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?idle-activation-enabled=true$</ind:pattern> <ind:instance datatype="int">1</ind:instance> @@ -31,7 +35,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_change_idle_activation_enabled" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/idle-activation-enabled$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml index c2d48df41ac4..dfc2874675d3 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/rule.yml 
@@ -6,11 +6,11 @@ title: 'Enable GNOME3 Screensaver Idle Activation' description: |- To activate the screensaver in the GNOME3 desktop after a period of inactivity, add or set <tt>idle-activation-enabled</tt> to <tt>true</tt> in - <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/screensaver] idle-activation-enabled=true</pre> Once the setting has been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -59,6 +59,5 @@ ocil: |- <pre>$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled</pre> If properly configured, the output should be <tt>true</tt>. To ensure that users cannot disable the screensaver idle inactivity setting, run the following: - <pre>$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep idle-activation-enabled /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should be <tt>/org/gnome/desktop/screensaver/idle-activation-enabled</tt> - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh index e8ff2ac2955c..5d205dd8d052 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/comment.fail.sh 
@@ -4,7 +4,14 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "#idle-activation-enabled" "true" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "{{{ dconf_gdm_dir }}}" \ + "00-security-settings-lock" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "#idle-activation-enabled" "true" \ "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "local.d" \ "00-security-settings-lock" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh index 3d7cfa54c6d2..17cd6d979b5c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/correct_value.pass.sh @@ -4,7 +4,15 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_profiles +add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "true" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "{{{ dconf_gdm_dir }}}" \ + "00-security-settings-lock" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "true" \ "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "local.d" \ "00-security-settings-lock" +{{% endif %}} 
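Review bot: `correct_value.pass.sh` calls `add_dconf_profiles` only inside its SLE branch, while the SLE branch of `comment.fail.sh` here (and of `missing_lock.fail.sh` and `wrong_value.fail.sh` that follow) does not call it at all. If the SLE check depends on the gdm profile existing, which is what the remediation's `bash_enable_dconf_user_profile(profile="gdm", database="gdm")` suggests, those fail scenarios fail because the profile is absent rather than because of the commented key, the missing lock or the wrong value, so they no longer exercise the condition their names describe; add `add_dconf_profiles` to their SLE branches as well. Conversely, if the non-SLE branch of `correct_value.pass.sh` passes without the profile, a comment explaining why the SLE branch needs it would stop the next editor from removing the asymmetry.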
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh index 5cfef8b62db8..831bb770d9b5 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/missing_lock.fail.sh @@ -4,5 +4,10 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "true" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "true" \ "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh index 76b9088c85f5..88027535c535 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/tests/wrong_value.fail.sh 
@@ -4,7 +4,14 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "false" \ + "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "{{{ dconf_gdm_dir }}}" \ + "00-security-settings-lock" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "idle-activation-enabled" "false" \ "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "idle-activation-enabled" "local.d" \ "00-security-settings-lock" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml index 78360c115b16..a1e43dcd17e6 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml @@ -7,7 +7,11 @@ - name: "Set GNOME3 Screensaver Inactivity Timeout" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings" +{{% else %}} dest: "/etc/dconf/db/local.d/00-security-settings" +{{% endif %}} section: "org/gnome/desktop/session" option: idle-delay value: "uint32 {{ inactivity_timeout_value }}" 
@@ -15,6 +19,28 @@ no_extra_spaces: yes register: result_ini +{{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} +- name: "Prevent user modification of GNOME Screensaver Inactivity Timeout" + ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} + path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} + regexp: '^/org/gnome/desktop/session/idle-delay$' + line: '/org/gnome/desktop/session/idle-delay' + create: yes + register: result_lineinfile +{{% endif %}} + - name: Dconf Update ansible.builtin.command: dconf update +{{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} + when: result_ini is changed or result_lineinfile is changed +{{% else %}} when: result_ini is changed +{{% endif %}} + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh index de0854c03f83..48fbd7b92677 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh 
@@ -6,6 +6,15 @@ {{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}} {{% endif %}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% endif %}} + {{{ bash_instantiate_variables("inactivity_timeout_value") }}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", "local.d", "00-security-settings", rule_id=rule_id) }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml index a4173903a2c2..5108cdd21a2a 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml @@ -7,7 +7,7 @@ <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" /> <criterion comment="idle delay has been configured" test_ref="test_screensaver_idle_delay" /> <criterion comment="idle delay is set correctly" test_ref="test_screensaver_idle_delay_setting" /> - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} <criterion comment="screensaver idle delay setting is locked" test_ref="test_screensaver_idle_delay_locked" /> {{% endif %}} </criteria> 
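Review bot: in the bash hunk the SLE block emits `bash_enable_dconf_user_profile` and `bash_dconf_lock` before `bash_instantiate_variables` and the `bash_dconf_settings` call, so the lock is written ahead of the setting it protects; that works, but the other four bash scripts in this PR use the order profile, settings, lock, and moving the SLE lock line after the SLE `bash_dconf_settings` line would make all five read the same way. The OVAL criteria hunk is right to require the lock on SLE now that both remediations write it; the matching `'ubuntu' in product or product in ["sle15", "sle16"]` condition is repeated three times in this OVAL file and once in the ansible task, so it is another candidate for a single `{{% set %}}` at the top of the file.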
@@ -21,7 +21,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_idle_delay" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <!-- GSettings expects unsigned integer when setting 'idle-delay' per: https://bugzilla.redhat.com/show_bug.cgi?id=1141779#c3 @@ -39,8 +43,12 @@ <ind:state state_ref="state_screensaver_idle_delay_setting_not_zero" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_idle_delay_setting" - version="1"> + version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <!-- GSettings expects unsigned integer when setting 'idle-delay' per: https://bugzilla.redhat.com/show_bug.cgi?id=1141779#c3 @@ -60,7 +68,7 @@ <external_variable comment="inactivity timeout variable" datatype="int" id="inactivity_timeout_value" version="1" /> -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay setting is locked" id="test_screensaver_idle_delay_locked" version="1"> @@ -68,7 +76,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_idle_delay_locked" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/session/idle-delay$</ind:pattern> <ind:instance datatype="int">1</ind:instance> 
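Review bot: the same `{{% if product in ['sle15', 'sle16'] %}}` path switch is now repeated in `obj_screensaver_idle_delay`, `obj_screensaver_idle_delay_setting` and `obj_screensaver_idle_delay_locked`, and again in the bash and Ansible remediations. Setting it once at the top of the file, e.g. `{{%- set screensaver_db_dir = dconf_gdm_dir if product in ['sle15', 'sle16'] else 'local.d' -%}}` and then `<ind:path>/etc/dconf/db/{{{ screensaver_db_dir }}}/</ind:path>`, keeps the three paths from drifting apart. The `version="1"` change in the `@@ -39,8 +43,12 @@` hunk appears to be whitespace only and can be dropped from the patch.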
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml index 7b7bf0160181..f36b8f38b7cb 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml @@ -20,9 +20,9 @@ fixtext: |- Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - $ sudo touch /etc/dconf/db/local.d/00-screensaver + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-screensaver - Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: + Edit /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-screensaver and add or update the following lines: [org/gnome/desktop/session] # Set the lock time out to 900 seconds before the session is considered idle diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml index 7eceaf8c48ce..6689d0bd7a5a 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml 
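Review bot: the STIG fixtext switches to `/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-screensaver` for every product, but the bash, Ansible and OVAL changes in this patch move to `dconf_gdm_dir` only for sle15 and sle16 and keep `local.d` for everything else. Unless `dconf_gdm_dir` resolves to `local.d` on all non-SLE products, the manual fix will send administrators to a directory the OVAL check never reads; gate the text on the same product condition or derive both the text and the checks from one shared variable.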
@@ -5,11 +5,11 @@ title: 'Set GNOME3 Screensaver Inactivity Timeout' description: |- The idle time-out value for inactivity in the GNOME3 desktop is configured via the <tt>idle-delay</tt> - setting must be set under an appropriate configuration file(s) in the <tt>/etc/dconf/db/local.d</tt> directory - and locked in <tt>/etc/dconf/db/local.d/locks</tt> directory to prevent user modification. + setting must be set under an appropriate configuration file(s) in the <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}</tt> directory + and locked in <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks</tt> directory to prevent user modification. <br /><br /> For example, to configure the system for a 15 minute delay, add the following to - <tt>/etc/dconf/db/local.d/00-security-settings</tt>: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>: <pre>[org/gnome/desktop/session] idle-delay=uint32 900</pre> @@ -56,11 +56,10 @@ ocil: |- <pre>$ gsettings get org.gnome.desktop.session idle-delay</pre> If properly configured, the output should be <tt>'uint32 {{{ xccdf_value("inactivity_timeout_value") }}}'</tt>. To ensure that users cannot change the screensaver inactivity timeout setting, run the following: - <pre>$ grep idle-delay /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep idle-delay /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should be <tt>/org/gnome/desktop/session/idle-delay</tt> fixtext: |- {{{ fixtext_dconf_ini_file("org/gnome/desktop/session", "idle-delay", "uint32 " ~ xccdf_value("inactivity_timeout_value")) }}} srg_requirement: '{{{ full_name }}} must automatically lock graphical user sessions after 15 minutes of inactivity.' - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/comment.fail.sh index e2932554e36b..5e0c633763aa 100644 
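Review bot: same mismatch as in the STIG fixtext: the description and the `ocil` grep (`grep idle-delay /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*`) now use `dconf_gdm_dir` unconditionally, while the remediations and OVAL in this patch keep `local.d` for non-SLE products. The OVAL also requires the lock only for ubuntu and sle15/sle16, so the ocil lock check should be wrapped in that same condition instead of being shown for all products.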
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/comment.fail.sh @@ -5,8 +5,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/session" "#idle-delay" "uint32 900" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/session" "#idle-delay" "uint32 900" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value.pass.sh index b3796ebc3248..6669faeae713 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value.pass.sh 
@@ -7,8 +7,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_wrong_db.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_wrong_db.fail.sh index ade75844d249..6f01caf81842 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_wrong_db.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_wrong_db.fail.sh @@ -11,4 +11,6 @@ add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "dummy.d {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings" +{{% elif product in ["sle15", "sle16"] %}} +add_dconf_lock "org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/wrong_value.fail.sh index 8fbcb996b7ec..9ba07b3d3fa0 100644 
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/wrong_value.fail.sh @@ -6,8 +6,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 2900" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 2900" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings" +{{% elif product in ["sle15", "sle16"] %}} +add_dconf_lock "org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/zero_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/zero_value.fail.sh index fd90576957b2..f1f163681170 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/zero_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/zero_value.fail.sh 
@@ -6,8 +6,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ["sle15", "sle16"] %}} +add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 0" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 0" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings" +{{% elif product in ["sle15", "sle16"] %}} +add_dconf_lock "org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml index e8391fd4e5c7..2c98a7d25ae9 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml @@ -7,7 +7,11 @@ - name: "Set GNOME3 Screensaver Lock Delay After Activation Period" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings" +{{% else %}} dest: "/etc/dconf/db/local.d/00-security-settings" +{{% endif %}} section: "org/gnome/desktop/screensaver" option: lock-delay value: "uint32 {{ var_screensaver_lock_delay }}" 
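Review bot: the product lists are quoted inconsistently across the new test hunks: `["sle15", "sle16"]` here and in the `elif` branches of `correct_value_wrong_db.fail.sh` and `wrong_value.fail.sh`, `['sle15', 'sle16']` everywhere else in the patch. Both forms are valid Jinja, but a single spelling lets a later grep for the gate find every occurrence when sle versions are added or retired.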
@@ -15,16 +19,24 @@ no_extra_spaces: yes register: result_ini -# apply fix for enable_dconf_user_profile, OVAL checks it {{% if product in ['sle15', 'sle16'] %}} -- name: "Configure GNOME3 DConf User Profile" +- name: "Prevent user modification of GNOME Screensaver Lock Delay" ansible.builtin.lineinfile: - dest: "/etc/dconf/profile/gdm" - line: "user-db:user\nsystem-db:gdm" + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock + regexp: '^/org/gnome/desktop/screensaver/lock-delay$' + line: '/org/gnome/desktop/screensaver/lock-delay' create: yes - state: present + register: result_lineinfile {{% endif %}} - name: Dconf Update ansible.builtin.command: dconf update +{{% if product in ['sle15', 'sle16'] %}} + when: result_ini is changed or result_lineinfile is changed +{{% else %}} when: result_ini is changed +{{% endif %}} + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh index 43612b5703d7..ea2d8951f0c3 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh 
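Review bot: replacing the single `lineinfile` that tried to write `line: "user-db:user\nsystem-db:gdm"` (one `lineinfile` task cannot produce two lines that way) with `ansible_enable_dconf_user_profile` is the right fix. As in the idle-delay rule, the macro is rendered after `Dconf Update`; that is harmless because dconf profiles are read at session start rather than compiled by `dconf update`, but the bash version of this rule calls `bash_enable_dconf_user_profile` first, so consider matching that order.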
@@ -6,11 +6,12 @@ {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}} {{% endif %}} -# apply fix for enable_dconf_user_profile, OVAL checks it -{{% if product in ['sle15', 'sle16'] %}} -{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} -{{% endif %}} - {{{ bash_instantiate_variables("var_screensaver_lock_delay") }}} +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", dconf_gdm_dir, "00-security-settings-lock") }}} +{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-delay", "uint32 ${var_screensaver_lock_delay}", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-delay", "uint32 ${var_screensaver_lock_delay}", "local.d", "00-security-settings", rule_id=rule_id) }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml index 6eef845bafad..2262be9e45d7 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml 
@@ -8,7 +8,7 @@ <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" /> <criterion comment="screensaver lock delay is configured" test_ref="test_screensaver_lock_delay" /> <criterion comment="lock delay is set correctly" test_ref="test_screensaver_lock_delay_setting" /> - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} <criterion comment="screensaver lock delay setting is locked" test_ref="test_screensaver_lock_delay_locked" /> {{% endif %}} </criteria> @@ -22,7 +22,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_lock_delay" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <!-- GSettings expects unsigned integer when setting 'lock-delay' per: https://bugzilla.redhat.com/show_bug.cgi?id=1141779#c3 @@ -39,7 +43,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_lock_delay_setting" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <!-- GSettings expects unsigned integer when setting 'lock-delay' per: https://bugzilla.redhat.com/show_bug.cgi?id=1141779#c3 
@@ -55,14 +63,18 @@ <external_variable comment="screensaver lock delay variable" datatype="int" id="var_screensaver_lock_delay" version="1" /> -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or product in ["sle15", "sle16"] %}} <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay setting is locked" id="test_screensaver_lock_delay_locked" version="1"> <ind:object object_ref="obj_screensaver_lock_delay_locked" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_lock_delay_locked" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml index 741936e68063..89f30d897c8f 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml 
@@ -20,9 +20,9 @@ fixtext: |- Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "{{{ dconf_gdm_dir }}}" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - $ sudo touch /etc/dconf/db/local.d/00-screensaver + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/00-screensaver [org/gnome/desktop/screensaver] lock-delay=uint32 5 diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml index 8c3d9b000416..f056cb276aff 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml @@ -6,7 +6,7 @@ title: 'Set GNOME3 Screensaver Lock Delay After Activation Period' description: |- To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set <tt>lock-delay</tt> to <tt>uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}</tt> in - <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/screensaver] lock-delay=uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}} </pre> 
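Review bot: the Note now says 'using the database "{{{ dconf_gdm_dir }}}"', but `dconf_gdm_dir` is the keyfile directory that the `touch` line below appends to `/etc/dconf/db/`, not a database name (the original text paired database "local" with directory `local.d`). Reword to 'the keyfile directory /etc/dconf/db/{{{ dconf_gdm_dir }}}' or reference the database without its `.d` suffix. As elsewhere in this patch, this text also changes for every product while the remediations only switch directories for sle15 and sle16.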
@@ -50,4 +50,3 @@ fixtext: |- {{{ fixtext_dconf_ini_file("org/gnome/desktop/screensaver/lock-delay", "lock-delay", xccdf_value("var_screensaver_lock_delay")) }}} srg_requirement: '{{{ full_name }}} must initiate a session lock for graphical user interfaces when the screensaver is activated.' - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/comment.fail.sh index eecddf1b9d68..91506eef020e 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/comment.fail.sh @@ -5,8 +5,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "#lock-delay" "uint32 5" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "#lock-delay" "uint32 5" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value.pass.sh index da0acbdc0e8d..0d2d78c07a5c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value.pass.sh 
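Review bot: drive-by on the unchanged context line: `fixtext_dconf_ini_file("org/gnome/desktop/screensaver/lock-delay", "lock-delay", xccdf_value("var_screensaver_lock_delay"))` passes the key name inside the section argument and omits the `uint32 ` prefix, unlike the idle-delay rule's `fixtext_dconf_ini_file("org/gnome/desktop/session", "idle-delay", "uint32 " ~ xccdf_value("inactivity_timeout_value"))` and the `[org/gnome/desktop/screensaver]` / `lock-delay=uint32 ...` example in this rule's own description. Since the patch already touches the surrounding lines, fix the section to `"org/gnome/desktop/screensaver"` and add the prefix here.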
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value.pass.sh @@ -7,8 +7,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_wrong_db.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_wrong_db.fail.sh index 631861913830..28a2f1b08eaf 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_wrong_db.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_wrong_db.fail.sh @@ -10,4 +10,6 @@ add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "dummy {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/missing_profiles.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/missing_profiles.fail.sh index c42150d3e513..b1e396ef0fcc 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/missing_profiles.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/missing_profiles.fail.sh @@ -7,5 +7,10 @@ clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/setting_not_there.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/setting_not_there.fail.sh index fb80ab1957f8..82d7c77d7d7a 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/setting_not_there.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/setting_not_there.fail.sh @@ -8,4 +8,6 @@ clean_dconf_settings {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/wrong_value.fail.sh index a35461b30473..bc5deb4f7640 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/wrong_value.fail.sh @@ -6,8 +6,14 @@ clean_dconf_settings add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 100" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 100" "local.d" "00-security-settings" +{{% endif %}} {{% if 'ubuntu' in product %}} add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% elif product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml index 1ec387f21571..596989ef71fa 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/ansible/shared.yml 
@@ -26,7 +26,7 @@ - name: "{{{ rule_title }}} - Enable GNOME3 Screensaver Lock After Idle Period" community.general.ini_file: - dest: "/etc/dconf/db/local.d/00-security-settings" + dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings" section: "org/gnome/desktop/lockdown" option: disable-lock-screen value: "false" @@ -37,7 +37,7 @@ - name: "{{{ rule_title }}} - Prevent user modification of GNOME disable-lock-screen" ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/00-security-settings-lock + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/lockdown/disable-lock-screen$' line: '/org/gnome/desktop/lockdown/disable-lock-screen' create: yes @@ -67,3 +67,7 @@ when: - ansible_distribution == 'SLES' - (lockdown_config is changed or lockdown_lock is changed) + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/bash/shared.sh index 6f69921eed10..b1cbfc4a048f 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/bash/shared.sh 
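Review bot: the SLE gates for this rule now differ between the three content types: the Ansible profile macro is rendered for `['sle15', 'sle16']`, the bash uses `'sle' in product` (which includes sle12), and the OVAL switches paths for `['sle12', 'sle15', 'sle16']`. On sle12 the OVAL will read `dconf_gdm_dir` and extend `enable_dconf_user_profile`, but the playbook will not create the profile. Also confirm that the two `ini_file`/`lineinfile` tasks changed here still carry the `ansible_distribution == 'SLES'` guard visible at the end of the file, since they now write to `dconf_gdm_dir` unconditionally while the non-SLE OVAL branch keeps reading `local.d`.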
@@ -6,9 +6,10 @@ {{% endif %}} {{% if 'sle' in product %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} gsettings set org.gnome.desktop.lockdown disable-lock-screen false -{{{ bash_dconf_settings("org/gnome/desktop/lockdown", "disable-lock-screen", "false", "local.d", "00-security-settings", rule_id=rule_id) }}} -{{{ bash_dconf_lock("org/gnome/desktop/lockdown", "disable-lock-screen", "local.d", "00-security-settings-lock") }}} +{{{ bash_dconf_settings("org/gnome/desktop/lockdown", "disable-lock-screen", "false", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/lockdown", "disable-lock-screen", dconf_gdm_dir, "00-security-settings-lock") }}} {{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-enabled", "true", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-enabled", "local.d", "00-security-settings-lock") }}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml index 0ea882c9ccbc..a577396eea33 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml 
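Review bot: drive-by on the context line kept in the SLE branch: `gsettings set org.gnome.desktop.lockdown disable-lock-screen false` writes to the dconf user database of whoever runs the script (root under a scan), not to the system-wide database that the two `dconf_gdm_dir` macros below now populate, so it adds nothing for compliance and can be dropped while this block is being reworked.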
@@ -18,11 +18,13 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_lock_enabled" version="1"> - <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% if product in ['sle12', 'sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> <ind:filename operation="pattern match">^.*$</ind:filename> -{{% if product in ['sle12','sle15'] %}} <ind:pattern operation="pattern match">^\[org/gnome/desktop/lockdown\]([^\n]*\n+)+?disable-lock-screen=false$</ind:pattern> {{% else %}} + <ind:path>/etc/dconf/db/local.d/</ind:path> + <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-enabled=true$</ind:pattern> {{% endif %}} <ind:instance datatype="int">1</ind:instance> @@ -35,11 +37,13 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_screensaver_lock" version="1"> - <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% if product in ['sle12', 'sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> <ind:filename operation="pattern match">^.*$</ind:filename> -{{% if product in ['sle12','sle15'] %}} <ind:pattern operation="pattern match">^/org/gnome/desktop/lockdown/disable-lock-screen$</ind:pattern> {{% else %}} + <ind:path>/etc/dconf/db/local.d/locks/</ind:path> + <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-enabled$</ind:pattern> {{% endif %}} <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml index 67cfb664c5a7..16e0a00da038 100644 
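Review bot: `<ind:filename operation="pattern match">^.*$</ind:filename>` is duplicated into both branches of `obj_screensaver_lock_enabled` and `obj_prevent_user_screensaver_lock`, although only `<ind:path>` differs between them; keep the filename outside the conditional, as the other OVAL files in this patch do, and branch the path alone. Adding sle16 to the condition is correct given the bash `'sle' in product` branch.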
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml @@ -24,9 +24,9 @@ fixtext: |- Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "{{{ dconf_gdm_dir }}}" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - $ sudo touch /etc/dconf/db/local.d/locks/session + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/session Add the following setting to prevent nonprivileged users from modifying it: diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml index 7ba4dfea377c..52cd9f02e1d1 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml 
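Review bot: same wording problem as the lock-delay fixtext: `dconf_gdm_dir` is a directory under `/etc/dconf/db/`, not a database name, so 'using the database "{{{ dconf_gdm_dir }}}"' will read oddly once rendered. The `touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/session` line is also unconditional while the OVAL in this patch still reads `local.d/locks/` for non-SLE products.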
@@ -13,12 +13,12 @@ description: |- {{% else %}} To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set <tt>lock-enabled</tt> to <tt>true</tt> in - <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/screensaver] lock-enabled=true </pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/lock-enabled</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -71,7 +71,7 @@ ocil: |- <pre>$ gsettings get org.gnome.desktop.screensaver lock-enabled</pre> If properly configured, the output should be <tt>true</tt>. To ensure that users cannot change how long until the screensaver locks, run the following: - <pre>$ grep lock-enabled /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep lock-enabled /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output for <tt>lock-enabled</tt> should be <tt>/org/gnome/desktop/screensaver/lock-enabled</tt> {{% endif %}} @@ -80,4 +80,3 @@ fixtext: |- srg_requirement: |- {{{ full_name }}} must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh index 1af588e1acfe..71bf01f44d5a 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh 
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/comment.fail.sh @@ -7,9 +7,9 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_setting "org/gnome/desktop/lockdown", "disable-lock-screen", "true", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "local.d", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "#disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} -add_dconf_setting "org/gnome/desktop/screensaver", "#lock-enabled", "true", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver", "lock-enabled", "local.d", "00-security-settings" +add_dconf_setting "org/gnome/desktop/screensaver" "#lock-enabled" "true" "local.d" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh index 2318b3ac3f13..4dfbde66f382 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value.pass.sh 
@@ -7,8 +7,8 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_settings "org/gnome/desktop/lockdown", "disable-lock-screen", "false", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "local.d", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh index 3e4c4c6a9642..c0993a206d03 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_unlocked.fail.sh @@ -7,7 +7,7 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_settings "org/gnome/desktop/lockdown", "disable-lock-screen", "false", "local.d", "00-security-settings" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "false" "{{{ dconf_gdm_dir }}}" "00-security-settings" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings" {{% endif %}} 
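Review bot: the SLE branches of these scenario scripts are guarded by `{{% if 'sle' in product %}}`, while the `obj_screensaver_lock_enabled` OVAL object for this rule is guarded by `product in ['sle12', 'sle15', 'sle16']` and the sibling rules in this patch use `['sle15', 'sle16']`; a substring test also matches any future product ID that happens to contain "sle". Use one explicit product list (or one shared variable) across the OVAL, the remediations and the tests so that the scenario written to `"{{{ dconf_gdm_dir }}}"` is the one the check actually reads. Dropping the comma-separated arguments and the `add_dconf_settings` name is a real fix rather than cosmetics: the old SLE branches were calling a helper whose name differs from the `add_dconf_setting` used everywhere else and passing `"org/gnome/desktop/lockdown",` with the trailing comma as the literal argument, so they cannot have been exercising the check as intended.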
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh index ed706e42f5ed..af49dcf086ef 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/correct_value_wrong_db.fail.sh @@ -7,8 +7,8 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_settings "org/gnome/desktop/lockdown", "disable-lock-screen", "false", "dummy.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "dummy.d", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "false" "dummy.d" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "dummy.d" "00-security-settings-lock" {{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "dummy.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "dummy.d" "00-security-settings" diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh index 8390dbcafb9b..a27061680661 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/tests/wrong_value.fail.sh 
@@ -7,9 +7,9 @@ clean_dconf_settings add_dconf_profiles {{% if 'sle' in product %}} -add_dconf_setting "org/gnome/desktop/lockdown", "disable-lock-screen", "true", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/lockdown", "disable-lock-screen", "local.d", "00-security-settings-lock" +add_dconf_setting "org/gnome/desktop/lockdown" "disable-lock-screen" "true" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/lockdown" "disable-lock-screen" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" {{% else %}} -add_dconf_setting "org/gnome/desktop/screensaver", "lock-enabled", "false", "local.d", "00-security-settings" -add_dconf_lock "org/gnome/desktop/screensaver", "lock-enabled", "local.d", "00-security-settings" +add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "false" "local.d" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings" {{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml index ae2562a44779..3eb9ca04d3be 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/ansible/shared.yml @@ -5,7 +5,11 @@ # disruption = medium - name: "Implement Blank Screensaver" community.general.ini_file: +{{% if product in ['sle15', 'sle16'] %}} + dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings" +{{% else %}} dest: "/etc/dconf/db/local.d/00-security-settings" +{{% endif %}} section: "org/gnome/desktop/screensaver" option: picture-uri value: string '' 
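Review bot: the product list in the `Implement Blank Screensaver` task (`product in ['sle15', 'sle16']`) omits sle12, but the `obj_screensaver_lock_enabled` OVAL object earlier in this patch routes `['sle12', 'sle15', 'sle16']` to `/etc/dconf/db/{{{ dconf_gdm_dir }}}/`. If sle12 is meant to keep `local.d`, the lock_enabled OVAL and its `'sle' in product` tests should say so; if it is meant to use the gdm database, add it here and to the matching bash, OVAL and test conditionals in the other rules of this patch. Either way, define the list once (for example as a product property next to `dconf_gdm_dir`) instead of repeating it in every file.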
@@ -15,7 +19,11 @@ - name: "Prevent user modification of GNOME picture-uri" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/screensaver/picture-uri$' line: '/org/gnome/desktop/screensaver/picture-uri' create: yes @@ -24,3 +32,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_ini is changed or result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/bash/shared.sh index ac2ab25018cf..e4d620dd1de3 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/bash/shared.sh @@ -1,5 +1,10 @@ # platform = multi_platform_all - +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_settings("org/gnome/desktop/screensaver", "picture-uri", "string ''", dconf_gdm_dir, "00-security-settings", rule_id=rule_id) }}} +{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "picture-uri", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "picture-uri", "string ''", "local.d", "00-security-settings", rule_id=rule_id) }}} {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "picture-uri", "local.d", "00-security-settings-lock") }}} +{{% endif %}} 
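Review bot: `{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}}` is appended after the `Dconf Update` task, whereas the bash remediation for this rule calls `bash_enable_dconf_user_profile` before it writes the setting and the lock. Keep both remediations in the same order and make sure the profile exists before `dconf update` runs, so a single remediation pass leaves the system in its final state. Separately, the `org/gnome/desktop/screensaver` keys govern the logged-in user's session, which reads the `user` dconf profile rather than the `gdm` one; please confirm that on SLE the `user` profile lists the `gdm` system database (or that the macro also updates it), otherwise the value compiled into `{{{ dconf_gdm_dir }}}` only reaches the GDM greeter.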
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml index efecb44de698..fcbf59314639 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml @@ -18,7 +18,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_screensaver_mode_blank" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <!-- GSettings expects proper datatype specifier when setting 'picture-uri' per: https://bugzilla.redhat.com/show_bug.cgi?id=1141779#c3 @@ -34,7 +38,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_prevent_user_screensaver_mode_change" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/picture-uri$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/policy/stig/shared.yml index 840f0d76f633..562189e4b2ce 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/policy/stig/shared.yml 
+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/policy/stig/shared.yml @@ -4,12 +4,12 @@ srg_requirement: |- fixtext: |- Configure {{{ full_name }}} to prevent a user from overriding the picture-uri setting for graphical user interfaces. - In the file "/etc/dconf/db/local.d/00-security-settings", add or update the following lines: + In the file "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings", add or update the following lines: [org/gnome/desktop/screensaver] picture-uri='' - Prevent user modification by adding the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock": + Prevent user modification by adding the following line to "/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock": /org/gnome/desktop/screensaver/picture-uri diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml index 08105969028c..d333b030f189 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml 
@@ -29,12 +29,12 @@ description: |- {{% endif %}} To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set <tt>picture-uri</tt> to <tt>string ''</tt> in - <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example: + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings</tt>. For example: <pre>[org/gnome/desktop/screensaver] picture-uri=string '' </pre> Once the settings have been added, add a lock to - <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/picture-uri</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -76,10 +76,8 @@ ocil: |- If properly configured, the output should be <tt>''</tt>. To ensure that users cannot set the screensaver background, run the following: - <pre>$ grep picture-uri /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep picture-uri /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should be <tt>/org/gnome/desktop/screensaver/picture-uri</tt> fixtext: |- {{{ fixtext_dconf_ini_file("org/gnome/desktop/screensaver", "picture-uri", "string ''") }}} - - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/comment.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/comment.fail.sh index 50536e57f4f7..030d50ccc39f 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/comment.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/comment.fail.sh 
@@ -4,5 +4,10 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "#picture-uri" "string ''" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "picture-uri" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "#picture-uri" "string ''" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "picture-uri" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value.pass.sh index c91e95395e68..22dd8ce9c146 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value.pass.sh @@ -5,5 +5,11 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "picture-uri" "string ''" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "picture-uri" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "picture-uri" "string ''" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "picture-uri" "local.d" "00-security-settings" +{{% endif %}} 
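Review bot: each of these scenario scripts now carries two near-identical branches that differ only in the database directory argument (`"{{{ dconf_gdm_dir }}}"` vs `"local.d"`), and the same duplication is repeated in every test file of this patch. A single Jinja expression for the directory (a `{{% set %}}` at the top of the script, or having `dconf_gdm_dir` resolve to `local.d` on non-SLE products) would keep each scenario to one line. Also, the lock is written to `"00-security-settings"` here but to `00-security-settings-lock` by the bash and ansible remediations; the OVAL matches the filename with `^.*$`, so the check still passes, but the scenarios would be more faithful if they used the remediation's file name.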
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value_not_locked.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value_not_locked.fail.sh index 13da60b3c1ba..ca26333951c2 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value_not_locked.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/correct_value_not_locked.fail.sh @@ -5,4 +5,8 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "picture-uri" "string ''" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "picture-uri" "string ''" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/wrong_value.fail.sh index 100505531147..f611107f57eb 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/tests/wrong_value.fail.sh 
@@ -5,5 +5,10 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_setting "org/gnome/desktop/screensaver" "picture-uri" "string 'somestring'" "{{{ dconf_gdm_dir }}}" "00-security-settings" +add_dconf_lock "org/gnome/desktop/screensaver" "picture-uri" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_setting "org/gnome/desktop/screensaver" "picture-uri" "string 'somestring'" "local.d" "00-security-settings" add_dconf_lock "org/gnome/desktop/screensaver" "picture-uri" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml index dc46618d7922..fc7d586753d7 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/ansible/shared.yml @@ -1,11 +1,15 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux +# platform = multi_platform_almalinux,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Prevent user modification of GNOME lock-delay" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/screensaver/lock-delay$' line: '/org/gnome/desktop/screensaver/lock-delay' create: yes 
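Review bot: the platform line now adds `multi_platform_sle`, but the `Prevent user modification of GNOME lock-delay` task only switches to `/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/` for `['sle15', 'sle16']`, so on sle12 this playbook will now be generated and will write the lock to `local.d`, the same as the `multi_platform_all` bash remediation. If that is the intended behaviour for sle12, say so in the PR description; otherwise either add sle12 to the conditional or restrict the platform line to the versions the conditional handles.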
@@ -14,3 +18,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/bash/shared.sh index dbe7cc7989ad..b03ed1890806 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/bash/shared.sh @@ -1,3 +1,8 @@ # platform = multi_platform_all +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml index def9ec108083..f699b71bf5e2 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml 
@@ -17,7 +17,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_user_change_lock_delay_lock" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml index 1148261cd190..ca69fddf4141 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml @@ -20,9 +20,9 @@ fixtext: |- Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "{{{ dconf_gdm_dir }}}" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - $ sudo touch /etc/dconf/db/local.d/locks/session + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/session Add the following setting to prevent nonprivileged users from modifying it: @@ -31,5 +31,3 @@ fixtext: |- Run the following command to update the database: $ sudo dconf update - - 
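Review bot: in the fixtext note, `database "{{{ dconf_gdm_dir }}}"` will render the directory name, since the same variable is the path component in `/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/session`; the old text said database "local" alongside the path `local.d`. Either strip the `.d` suffix in the note or introduce a separate variable for the database name. The note also still points at `/etc/dconf/profile/user`, while the SLE remediations in this patch enable the `gdm` profile; the text should name the profile that actually lists the database. The same applies to the identical hunks in `dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml` and `dconf_gnome_session_idle_user_locks/policy/stig/shared.yml`.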
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml index 730d76960d3c..ba32b858449c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/rule.yml @@ -6,7 +6,7 @@ title: 'Ensure Users Cannot Change GNOME3 Screensaver Settings' description: |- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding <tt>/org/gnome/desktop/screensaver/lock-delay</tt> - to <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + to <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/screensaver/lock-delay</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -43,7 +43,7 @@ ocil_clause: 'GNOME3 session settings are not locked or configured properly' ocil: |- To ensure that users cannot change session idle and lock settings, run the following: - <pre>$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep 'lock-delay' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should return: <tt>/org/gnome/desktop/screensaver/lock-delay</tt> @@ -51,4 +51,3 @@ fixtext: |- {{{ fixtext_dconf_lock_settings("/org/gnome/desktop/screensaver/lock-delay") }}} srg_requirement: '{{{ full_name }}} must prevent a user from overriding the session lock-delay setting for the graphical user interface.' - 
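Review bot: the description and the OCIL `grep 'lock-delay' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*` now use the variable for every product, while the OVAL, bash and ansible for this rule only switch away from `local.d` for `['sle15', 'sle16']`. If `dconf_gdm_dir` resolves to `local.d` on non-SLE products, the product conditionals in the OVAL and remediations are redundant and should simply use the variable; if it does not, the RHEL/Fedora/OL rendering of this rule tells the assessor to grep a directory the check never reads, and any product that does not define the variable will fail to render. Please state which it is and make the four rule.yml hunks in this patch consistent with their checks.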
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/tests/correct_value.pass.sh index ad69666cc4b7..9f38debb5fb8 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/tests/correct_value.pass.sh @@ -4,4 +4,9 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings" +{{% else %}} add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings" +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml index 96f41f70b77d..0cf4587c0708 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/ansible/shared.yml @@ -6,7 +6,11 @@ - name: "Prevent user modification of GNOME Session idle-delay" ansible.builtin.lineinfile: +{{% if product in ['sle15', 'sle16'] %}} + path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock +{{% else %}} path: /etc/dconf/db/local.d/locks/00-security-settings-lock +{{% endif %}} regexp: '^/org/gnome/desktop/session/idle-delay$' line: '/org/gnome/desktop/session/idle-delay' create: yes 
@@ -15,3 +19,7 @@ - name: Dconf Update ansible.builtin.command: dconf update when: result_lineinfile is changed + +{{% if product in ['sle15', 'sle16'] %}} +{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/bash/shared.sh index ddbf4705e21b..054532bc47b7 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/bash/shared.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/bash/shared.sh @@ -1,4 +1,8 @@ # platform = multi_platform_all - +{{% if product in ['sle15', 'sle16'] %}} +{{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}} +{{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", dconf_gdm_dir, "00-security-settings-lock") }}} +{{% else %}} {{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}} +{{% endif %}} diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml index 4cfe57106d64..3cd1195f1fde 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml 
@@ -17,7 +17,11 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_user_change_idle_delay_lock" version="1"> +{{% if product in ['sle15', 'sle16'] %}} + <ind:path>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/</ind:path> +{{% else %}} <ind:path>/etc/dconf/db/local.d/locks/</ind:path> +{{% endif %}} <ind:filename operation="pattern match">^.*$</ind:filename> <ind:pattern operation="pattern match">^/org/gnome/desktop/session/idle-delay$</ind:pattern> <ind:instance datatype="int">1</ind:instance> diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml index 9a880652c8c2..68ad72a16d52 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml @@ -22,9 +22,9 @@ fixtext: |- Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: - Note: The example below is using the database "local" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. + Note: The example below is using the database "{{{ dconf_gdm_dir }}}" for the system. If the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. - $ sudo touch /etc/dconf/db/local.d/locks/session + $ sudo touch /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/session Add the following setting to prevent nonprivileged users from modifying it: @@ -33,5 +33,3 @@ fixtext: |- Run the following command to update the database: $ sudo dconf update - - 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml index 467ac938fae9..8660efc708bf 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml @@ -6,7 +6,7 @@ title: 'Ensure Users Cannot Change GNOME3 Session Idle Settings' description: |- If not already configured, ensure that users cannot change GNOME3 session idle settings by adding <tt>/org/gnome/desktop/session/idle-delay</tt> - to <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification. + to <tt>/etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock</tt> to prevent user modification. For example: <pre>/org/gnome/desktop/session/idle-delay</pre> After the settings have been set, run <tt>dconf update</tt>. @@ -48,7 +48,7 @@ ocil_clause: 'idle-delay is not locked' ocil: |- To ensure that users cannot change session idle and lock settings, run the following: - <pre>$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*</pre> + <pre>$ grep 'idle-delay' /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/*</pre> If properly configured, the output should return: <tt>/org/gnome/desktop/session/idle-delay</tt> @@ -56,4 +56,3 @@ fixtext: |- {{{ fixtext_dconf_lock_settings("/org/gnome/desktop/session/idle-delay") }}} srg_requirement: '{{{ full_name }}} must prevent a user from overriding the session idle-delay setting for the graphical user interface.' - diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/comented_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/comented_value.fail.sh index ac4a3cf56076..8b3c7fb27796 100644 
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/comented_value.fail.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/comented_value.fail.sh @@ -4,6 +4,9 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_lock "# org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" +{{% else %}} add_dconf_lock "# org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings-lock" - +{{% endif %}} dconf update diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/correct_value.pass.sh index d5a371196316..1ea2fe380812 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/correct_value.pass.sh +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/tests/correct_value.pass.sh @@ -4,6 +4,10 @@ . $SHARED/dconf_test_functions.sh clean_dconf_settings +add_dconf_profiles +{{% if product in ['sle15', 'sle16'] %}} +add_dconf_lock "org/gnome/desktop/session" "idle-delay" "{{{ dconf_gdm_dir }}}" "00-security-settings-lock" +{{% else %}} add_dconf_lock "org/gnome/desktop/session" "idle-delay" "local.d" "00-security-settings-lock" - +{{% endif %}} dconf update diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml index a028877c12a7..5d86a46a2388 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml 
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml @@ -16,6 +16,7 @@ <extend_definition comment="Installed OS is SLE16" definition_ref="installed_OS_is_sle16" /> <extend_definition comment="Installed OS is SLE Micro 5" definition_ref="installed_OS_is_slmicro5" /> <extend_definition comment="Installed OS is SLE Micro 6" definition_ref="installed_OS_is_slmicro6" /> + <extend_definition comment="Installed OS is Ubuntu 22.04" definition_ref="installed_OS_is_ubuntu2204" /> <extend_definition comment="Installed OS is Ubuntu 24.04" definition_ref="installed_OS_is_ubuntu2404" /> </criteria> </definition> diff --git a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml index b80f01777048..72387b459f09 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml @@ -52,7 +52,8 @@ title: Implement Custom Crypto Policy Modules for CIS Benchmark { "module_name": "NO-RPMSHA1", "key": "hash@rpm", - "value": "-SHA1" + "value": "-SHA1", + "scope": "rpm-sequoia" }, ] %}} {{% elif product == "rhel10" or product == "fedora" %}} diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml index 8a14c3de7d55..f568fb714d9f 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml 
@@ -67,4 +67,4 @@ fixtext: |- srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' -platform: system_with_kernel +platform: system_with_kernel and package[libreswan] diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml index cfbff70b845c..65dccf57d6e7 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml @@ -6,6 +6,6 @@ - name: "{{{ rule_title }}}" ansible.builtin.lineinfile: - dest: /etc/sysconfig/sshd + dest: '{{{ sshd_sysconfig_file }}}' state: absent regexp: (?i)^\s*CRYPTO_POLICY.*$ diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh index 2a04f5ea6bc0..8066e15c264a 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh @@ -1,5 +1,5 @@ # platform = multi_platform_all -SSH_CONF="/etc/sysconfig/sshd" +SSH_CONF="{{{ sshd_sysconfig_file }}}" sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml index e51181528eb3..0265d746b9ab 100644 
--- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_sysconfig = sshd_sysconfig_file -%}} <def-group> <definition class="compliance" id="configure_ssh_crypto_policy" version="1"> {{{ oval_metadata("SSH should be configured to use the system-wide crypto policy setting.", rule_title=rule_title) }}} @@ -14,7 +15,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_configure_ssh_crypto_policy" version="1"> - <ind:filepath>/etc/sysconfig/sshd</ind:filepath> + <ind:filepath>{{{ sshd_sysconfig }}}</ind:filepath> <ind:pattern operation="pattern match">^\s*(?i)CRYPTO_POLICY\s*=.*$</ind:pattern> <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> </ind:textfilecontent54_object> diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml index 7e722ab1170f..ccd2d2b2b5e5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml @@ -1,4 +1,5 @@ documentation_complete: true +{{% set sshd_sysconfig = sshd_sysconfig_file %}} title: 'Configure SSH to use System Crypto Policy' @@ -9,7 +10,7 @@ description: |- set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the <tt>CRYPTO_POLICY</tt> variable is either commented or not set at all - in the <tt>/etc/sysconfig/sshd</tt>. + in the <tt>{{{ sshd_sysconfig }}}</tt>. rationale: |- Overriding the system crypto policy makes the behavior of the SSH service violate expectations, 
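Review bot: "{{% set sshd_sysconfig = sshd_sysconfig_file %}}" only aliases the product variable; referencing {{{ sshd_sysconfig_file }}} directly in the description, OCIL and fixtext (and dropping the matching "{{%- set sshd_sysconfig = sshd_sysconfig_file -%}}" at the top of oval/shared.xml) keeps a single name for the path across rule.yml, OVAL, bash and Ansible, which is what the bash and Ansible hunks already do. While these files are open: bash/shared.sh runs "sed -i" on $SSH_CONF unconditionally, so on a product where sshd_sysconfig_file does not exist the remediation now fails instead of being a no-op; guard it with a file-exists test ([ -f "$SSH_CONF" ] && sed -i ... ), which also matches the lineinfile task, since lineinfile with state: absent returns unchanged when the destination is missing.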
@@ -34,23 +35,23 @@ references: srg: SRG-OS-000250-GPOS-00093 stigid@ol8: OL08-00-010287 -ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd' +ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in {{{ sshd_sysconfig }}}' ocil: |- Verify that sshd isn't configured to ignore the system wide cryptographic policy. Check that the <tt>CRYPTO_POLICY</tt> variable is not set or is commented out in the - <tt>/etc/sysconfig/sshd</tt>. + <tt>{{{ sshd_sysconfig }}}</tt>. Run the following command: - $ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd + $ sudo grep CRYPTO_POLICY {{{ sshd_sysconfig }}} fixtext: |- Configure OpenSSH to not ignore the system wide cryptographic policy. Run the following command: - $ sudo sed -i "/^\s*CRYPTO_POLICY.*$/Id" /etc/sysconfig/sshd + $ sudo sed -i "/^\s*CRYPTO_POLICY.*$/Id" {{{ sshd_sysconfig }}} srg_requirement: |- {{{ full_name }}} must implement approved encryption in the OpenSSH package. diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh index 61cd291a5c59..bbc1f53d7c8d 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/bash/shared.sh @@ -1,7 +1,8 @@ # platform = multi_platform_all #the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy -file="/etc/ssh/ssh_config.d/02-ospp.conf" +{{% set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" %}} +file="{{{ sshc_crypto_policy_config }}}" echo -e "Match final all\n\ RekeyLimit 512M 1h\n\ GSSAPIAuthentication no\n\ 
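Review bot: the drop-in directory is now product-specific, but the comment above "file=" still explains the 02 prefix in terms of 05-redhat.conf, which only exists on products where crypto-policies installs that drop-in; reword it to say the file must sort before the crypto-policies drop-in on the product (and fix "system vide" to "system wide" while editing the line). Also create {{{ ssh_client_config_dir }}} with "mkdir -p" before writing, since writing $file fails when the drop-in directory is absent on the target.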
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml index f1227c5ef087..8700fda2e8be 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml @@ -4,6 +4,7 @@ #}} {{%- set suffix_id_default_not_overriden = "_default_not_overriden" -%}} {{%- set common_prefix_regex = "^Match final all(?:.*\n)*?\s*" -%}} +{{%- set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" -%}} 
@@ -131,43 +132,43 @@ <def-group> <definition class="compliance" id="harden_ssh_client_crypto_policy" version="3"> - {{{ oval_metadata("Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf", rule_title=rule_title) }}} + {{{ oval_metadata("Ensure the ssh client ciphers are configured correctly in " ~ sshc_crypto_policy_config, rule_title=rule_title) }}} <criteria comment="SSH client is configured correctly" operator="AND"> - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match') }}} - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='RekeyLimit') }}} - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='GSSAPIAuthentication') }}} - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Ciphers') }}} - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='PubkeyAcceptedKeyTypes') }}} - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='MACs') }}} - {{{ hsccp_oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='KexAlgorithms') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='Match') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='RekeyLimit') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='GSSAPIAuthentication') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='Ciphers') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='PubkeyAcceptedKeyTypes') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='MACs') }}} + {{{ hsccp_oval_line_in_file_criterion(path=sshc_crypto_policy_config, parameter='KexAlgorithms') }}} </criteria> </definition> - {{{ 
hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match', separator_regex='[\s]+', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='Match', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='Match', separator_regex='[\s]+', missing_parameter_pass=false) }}} {{{ hsccp_oval_line_in_file_state(parameter='Match', value='final all') }}} - {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='RekeyLimit', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='RekeyLimit', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='RekeyLimit', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='RekeyLimit', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} {{{ hsccp_oval_line_in_file_state(parameter='RekeyLimit', value='512M 1h') }}} - {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='GSSAPIAuthentication', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='GSSAPIAuthentication', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='GSSAPIAuthentication', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='GSSAPIAuthentication', separator_regex='[\s]+', missing_parameter_pass=false, 
prefix_regex=common_prefix_regex) }}} {{{ hsccp_oval_line_in_file_state(parameter='GSSAPIAuthentication', value='no') }}} - {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Ciphers', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Ciphers', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='Ciphers', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='Ciphers', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} {{{ hsccp_oval_line_in_file_state(parameter='Ciphers', value='aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc') }}} - {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='PubkeyAcceptedKeyTypes', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='PubkeyAcceptedKeyTypes', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='PubkeyAcceptedKeyTypes', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='PubkeyAcceptedKeyTypes', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} {{{ hsccp_oval_line_in_file_state(parameter='PubkeyAcceptedKeyTypes', value='ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256') }}} - {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='MACs', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='MACs', separator_regex='[\s]+', missing_parameter_pass=false, 
prefix_regex=common_prefix_regex) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='MACs', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='MACs', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} {{{ hsccp_oval_line_in_file_state(parameter='MACs', value='hmac-sha2-512,hmac-sha2-256') }}} - {{{ hsccp_oval_line_in_file_test(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='KexAlgorithms', missing_parameter_pass=false) }}} - {{{ hsccp_oval_line_in_file_object(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='KexAlgorithms', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} + {{{ hsccp_oval_line_in_file_test(path=sshc_crypto_policy_config, parameter='KexAlgorithms', missing_parameter_pass=false) }}} + {{{ hsccp_oval_line_in_file_object(path=sshc_crypto_policy_config, parameter='KexAlgorithms', separator_regex='[\s]+', missing_parameter_pass=false, prefix_regex=common_prefix_regex) }}} {{{ hsccp_oval_line_in_file_state(parameter='KexAlgorithms', value='ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1') }}} </def-group> diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml index 4d50c3ceca6e..2e7e19c30ae8 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/rule.yml 
@@ -1,10 +1,12 @@ documentation_complete: true +{{% set sshc_config_dir = ssh_client_config_dir %}} +{{% set sshc_crypto_policy_config = ssh_client_config_dir ~ "/02-ospp.conf" %}} title: 'Harden SSH client Crypto Policy' description: |- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client. - To override the system wide crypto policy for Openssh client, place a file in the <tt>/etc/ssh/ssh_config.d/</tt> so that it is loaded before the <tt>05-redhat.conf</tt>. In this case it is file named <tt>02-ospp.conf</tt> containing parameters which need to be changed with respect to the crypto policy. + To override the system wide crypto policy for Openssh client, place a file in the <tt>{{{ sshc_config_dir }}}</tt> directory so that it is loaded before the <tt>05-redhat.conf</tt>. In this case it is the <tt>{{{ sshc_crypto_policy_config }}}</tt> file containing parameters which need to be changed with respect to the crypto policy. This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy. During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter. @@ -28,7 +30,7 @@ ocil_clause: 'Crypto Policy for OpenSSH Client is not configured according to CC ocil: |- To verify if the OpenSSH Client uses defined Crypto Policy, run: - <pre>$ cat /etc/ssh/ssh_config.d/02-ospp.conf</pre> + <pre>$ cat {{{ sshc_crypto_policy_config }}}</pre> and verify that the line matches <pre>Match final all</pre> <pre>RekeyLimit 512M 1h</pre> 
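Review bot: the description still tells the reader the drop-in must load before 05-redhat.conf while the directory it lives in is now taken from ssh_client_config_dir; on a product whose crypto-policies drop-in has another name (or none) the ordering argument no longer holds and the 02 prefix is unexplained. Either expose the drop-in name through a product variable next to ssh_client_config_dir, or scope the rule with a platform to the products where 05-redhat.conf exists. The "{{% set sshc_config_dir = ssh_client_config_dir %}}" alias can go; {{{ ssh_client_config_dir }}} reads the same and keeps one name across rule.yml, bash and OVAL.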
diff --git a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml index 6e77c605a64b..d812375e6e5a 100644 --- a/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/fips_custom_stig_sub_policy/rule.yml @@ -11,6 +11,7 @@ rationale: |- severity: medium identifiers: + cce@rhel8: CCE-86493-4 cce@rhel9: CCE-86570-9 references: diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index eb4520986a98..1b959ae04a4a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@rhel10: CCE-90177-7 cce@sle12: CCE-83048-9 cce@sle15: CCE-91214-7 + cce@sle16: CCE-96460-1 cce@slmicro5: CCE-93722-7 cce@slmicro6: CCE-94730-9 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml index 0525db7b3921..6563fe6a637b 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@rhel10: CCE-89640-7 cce@sle12: CCE-83150-3 cce@sle15: CCE-85623-7 + cce@sle16: CCE-96372-8 cce@slmicro5: CCE-93742-5 cce@slmicro6: CCE-95052-7 
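Review bot: every newly assigned identifier (CCE-86493-4 for rhel8 in fips_custom_stig_sub_policy and each cce@sle16 value added in the aide and sudo rule.yml hunks that follow) has to be removed from its available-CCE pool file under shared/references/ in the same change, otherwise the next contributor can pick the same number; none of the hunks shows that removal. For fips_custom_stig_sub_policy, also confirm the rule is selected by a rhel8 profile before giving it a rhel8 CCE, since an identifier on a rule no rhel8 profile uses is dead metadata.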
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 1f681250134a..35ed5b595891 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml @@ -32,6 +32,7 @@ identifiers: cce@rhel10: CCE-89625-8 cce@sle12: CCE-83151-1 cce@sle15: CCE-85624-5 + cce@sle16: CCE-96620-0 cce@slmicro5: CCE-93743-3 cce@slmicro6: CCE-95053-5 diff --git a/linux_os/guide/system/software/prefer_64bit_os/rule.yml b/linux_os/guide/system/software/prefer_64bit_os/rule.yml index 59cf1d282ec8..ae680e70e632 100644 --- a/linux_os/guide/system/software/prefer_64bit_os/rule.yml +++ b/linux_os/guide/system/software/prefer_64bit_os/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-90578-6 cce@sle12: CCE-91504-1 cce@sle15: CCE-91195-8 + cce@sle16: CCE-96208-4 ocil_clause: the installed operating system is 32-bit but the CPU supports operation in 64-bit diff --git a/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml b/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml index 7f1dc1ddb307..ca8efcd5e8b9 100644 --- a/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml +++ b/linux_os/guide/system/software/sudo/directory_groupowner_etc_sudoersd/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86351-4 cce@rhel10: CCE-87598-9 cce@sle15: CCE-92503-2 + cce@sle16: CCE-96050-0 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sudoers.d", group="root") }}}' diff --git a/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml b/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml index 3183986c551a..1a87f6ee8fca 100644 
--- a/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml +++ b/linux_os/guide/system/software/sudo/directory_owner_etc_sudoersd/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86357-1 cce@rhel10: CCE-89589-6 cce@sle15: CCE-92512-3 + cce@sle16: CCE-96623-4 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sudoers.d", owner="root") }}}' diff --git a/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml b/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml index da1a48a14465..652eef8152eb 100644 --- a/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml +++ b/linux_os/guide/system/software/sudo/directory_permissions_etc_sudoersd/rule.yml @@ -17,6 +17,7 @@ identifiers: cce@rhel9: CCE-86360-5 cce@rhel10: CCE-89200-0 cce@sle15: CCE-92525-5 + cce@sle16: CCE-96110-2 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sudoers.d", perms="0750") }}}' diff --git a/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml b/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml index cfe3d033707d..a4f8eced4463 100644 --- a/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml +++ b/linux_os/guide/system/software/sudo/file_groupowner_etc_sudoers/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86413-2 cce@rhel9: CCE-86414-0 cce@rhel10: CCE-89613-4 + cce@sle16: CCE-96285-2 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sudoers", group="root") }}}' diff --git a/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml b/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml index a1e02385222c..913068677c86 100644 --- a/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml +++ b/linux_os/guide/system/software/sudo/file_owner_etc_sudoers/rule.yml 
@@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86416-5 cce@rhel9: CCE-86417-3 cce@rhel10: CCE-87065-9 + cce@sle16: CCE-96512-9 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sudoers", owner="root") }}}' diff --git a/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml b/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml index d1e594c490d7..c6c7752ce18a 100644 --- a/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml +++ b/linux_os/guide/system/software/sudo/file_permissions_etc_sudoers/rule.yml @@ -16,6 +16,7 @@ identifiers: cce@rhel8: CCE-86419-9 cce@rhel9: CCE-86424-9 cce@rhel10: CCE-90690-9 + cce@sle16: CCE-96318-1 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sudoers", perms="0440") }}}' diff --git a/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml index ee1af2c63369..6918afa2ea0f 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_env_reset/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@rhel10: CCE-90747-7 cce@sle12: CCE-91492-9 cce@sle15: CCE-91184-2 - + cce@sle16: CCE-96178-9 ocil_clause: 'env_reset is not enabled in sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml index 3202a1efc830..9c4003d3e523 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_ignore_dot/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@rhel10: CCE-90743-6 cce@sle12: CCE-91493-7 cce@sle15: CCE-91185-9 - + cce@sle16: CCE-96048-4 ocil_clause: 'ignore_dot is not enabled in sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml index 8c77ea2e3d79..93ee04d74015 100644 
--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-89119-2 cce@sle12: CCE-91494-5 cce@sle15: CCE-91186-7 + cce@sle16: CCE-96653-1 ocil_clause: 'noexec is not enabled in sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml index ffce5a30d2c9..ace4a8de296d 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_requiretty/rule.yml @@ -21,6 +21,7 @@ identifiers: cce@rhel10: CCE-90076-1 cce@sle12: CCE-91496-0 cce@sle15: CCE-91188-3 + cce@sle16: CCE-95927-0 ocil_clause: 'requiretty is not enabled in sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml index 03f2ed524dc6..ea5f13d80676 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_add_umask/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@rhel8: CCE-83860-7 cce@sle12: CCE-91498-6 cce@sle15: CCE-91189-1 - + cce@sle16: CCE-96241-5 ocil_clause: 'umask is not set with the appropriate value for sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml index f04cfbfe2502..0fd5f740e5e3 100644 --- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel10: CCE-89208-3 cce@sle12: CCE-91500-9 cce@sle15: CCE-91191-7 + cce@sle16: CCE-96236-5 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/usr/bin/sudo", group=xccdf_value("var_sudo_dedicated_group")) }}}' 
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml index 95798eda09f1..ed93aa6d2aef 100644 --- a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml @@ -27,6 +27,7 @@ identifiers: cce@rhel10: CCE-90002-7 cce@sle12: CCE-91501-7 cce@sle15: CCE-91192-5 + cce@sle16: CCE-95946-0 ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments' diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml index f956dbc51fb9..9c15e34b9897 100644 --- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml @@ -26,6 +26,7 @@ identifiers: cce@rhel10: CCE-90660-2 cce@sle12: CCE-91502-5 cce@sle15: CCE-91193-3 + cce@sle16: CCE-95859-5 ocil_clause: '/etc/sudoers file contains rules that define the set of allowed commands using negation' diff --git a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml index b48bd38dbd19..ebd11afe383b 100644 --- a/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@rhel10: CCE-90532-3 cce@sle12: CCE-91503-3 cce@sle15: CCE-91194-1 + cce@sle16: CCE-96440-3 # The second part of the sentence explaining what got wrong. # ... Is it the case that <YOUR ocil_clause> 
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml index 8080f0c6ced3..514841546662 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml @@ -40,19 +40,31 @@ {{% endif %}} -- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints" +{{% if "rhel" in families and major_version_ordinal >= 10 %}} +- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (without PQC)" + ansible.builtin.set_fact: + gpg_valid_fingerprints: + - "{{{ release_key_fingerprint }}}" + - "{{{ auxiliary_key_fingerprint }}}" + when: ansible_distribution_version is version('10.1', '<') + +- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (with PQC)" ansible.builtin.set_fact: gpg_valid_fingerprints: - "{{{ release_key_fingerprint }}}" - "{{{ auxiliary_key_fingerprint }}}" -{{% if "rhel" in families and major_version_ordinal >= 10 %}} - "{{{ pqc_key_fingerprint }}}" + when: ansible_distribution_version is version('10.1', '>=') +{{% else %}} +- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints" + ansible.builtin.set_fact: + gpg_valid_fingerprints: + - "{{{ release_key_fingerprint }}}" + - "{{{ auxiliary_key_fingerprint }}}" {{% endif %}} - name: "{{{ rule_title }}}: Import RedHat GPG key" - ansible.builtin.rpm_key: - state: present - key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release when: - gpg_key_directory_permission.stat.mode <= '0755' - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0 
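Review bot: the import task swaps the idempotent `ansible.builtin.rpm_key` module (state: present) for `ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` with no `changed_when`, so every run of the remediation will report this task as changed even when the keys are already installed. If the module had to go (for instance if it cannot process a key file that carries several keys), leave a comment saying so and derive the change status from the facts already gathered, e.g. `changed_when: (gpg_valid_fingerprints | difference(gpg_installed_fingerprints)) | length > 0`; otherwise restore `rpm_key`. Two smaller points on the same hunk: the two base fingerprints are now listed three times, where one unconditional `set_fact` plus a conditional `gpg_valid_fingerprints: "{{ gpg_valid_fingerprints + [pqc_key_fingerprint] }}"` for 10.1+ would do; and when `ansible_distribution_version` is undefined (fact gathering off) both `when:` clauses skip, leaving `gpg_valid_fingerprints` unset for the `difference()` filter in the import task.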
diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh index 53931cd4009d..5fdb792b79cd 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh @@ -25,13 +25,16 @@ then # No CRC error, safe to proceed if [ "${GPG_RESULT}" -eq "0" ] then + # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it {{% if "rhel" in families and major_version_ordinal >= 10 %}} - echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || { + if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}} + then + echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}" + else + echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}" + fi {{% else %}} - echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { + echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}" {{% endif %}} - # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it - rpm --import "${REDHAT_RELEASE_KEY}" - } fi fi diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml index 6871feba83b3..52461f678900 100644 --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml 
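Review bot: the `echo "${GPG_OUT[*]}" | grep -vE ... || rpm --import "${REDHAT_RELEASE_KEY}"` pipeline is now written out three times (RHEL 10.1+, older RHEL, non-RHEL), differing only by the trailing `|${REDHAT_PQC_FINGERPRINT}` alternative. Assemble the allow pattern once, e.g. `KNOWN_FINGERPRINTS="${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}"` and append `|${REDHAT_PQC_FINGERPRINT}` inside the `bash_os_linux_conditional` branch, then keep a single `grep -vE "${KNOWN_FINGERPRINTS}" || rpm --import "${REDHAT_RELEASE_KEY}"` line. That keeps the import decision in one place so the branches cannot drift, and the relocated comment about unknown fingerprints then sits directly above the one line it describes.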
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml @@ -13,8 +13,13 @@ <criterion comment="package gpg-pubkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}} is installed" test_ref="test_redhat_package_gpgkey-{{{ aux_pkg_version }}}-{{{ aux_pkg_release }}}_installed" /> {{% if "rhel" in families and major_version_ordinal >= 10 %}} - <criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed" - test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" /> + <criteria comment="If RHEL is 10.1 or newer then PQC key must be installed" operator="OR"> + <criterion comment="RHEL is older than 10.1" test_ref="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" negate="true" /> + <criteria comment="RHEL is 10.1 or newer AND PQC is installed" operator="AND"> + <criterion comment="RHEL is 10.1 or newer" test_ref="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" /> + <criterion comment="package gpg-pubkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}} is installed" test_ref="test_redhat_package_gpgkey-{{{ pqc_pkg_version }}}-{{{ pqc_pkg_release }}}_installed" /> + </criteria> + </criteria> {{% endif %}} </criteria> {{%- if centos_major_version %}} 
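Review bot: in the new `operator="OR"` block the inner AND re-evaluates `test_{{{ rule_id }}}_rhel_is_10_1_or_newer`, which is already known to be true whenever the negated first branch is false, so `OR(NOT rhel_is_10_1_or_newer, pqc_key_installed)` is logically identical and one criterion shorter; keep the nested form only if the comments are meant to read as an explicit if/then for auditors. Note also that the gate fails open: with the default `check_existence`, a `/etc/os-release` without a `VERSION_ID` line yields a false test, its negation is true, and the PQC key is then not required. That is acceptable for RHEL, which always ships `VERSION_ID`, but deserves a comment because this pattern is likely to be copied to other products.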
@@ -88,5 +93,22 @@ </linux:rpminfo_state> {{%- endif %}} +{{% if "rhel" in families and major_version_ordinal >= 10 %}} + <ind:textfilecontent54_test check="all" comment="VERSION_ID in os-release is greater than or equal 10.1" id="test_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1"> + <ind:object object_ref="obj_{{{ rule_id }}}_rhel_is_10_1_or_newer" /> + <ind:state state_ref="state_{{{ rule_id }}}_rhel_is_10_1_or_newer" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1"> + <ind:filepath>/etc/os-release</ind:filepath> + <ind:pattern operation="pattern match">^VERSION_ID=["']?([\w.]+)["']?$</ind:pattern> + <ind:instance operation="greater than or equal" datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_{{{ rule_id }}}_rhel_is_10_1_or_newer" version="1"> + <ind:subexpression operation="greater than or equal" datatype="version">10.1</ind:subexpression> + </ind:textfilecontent54_state> +{{% endif %}} + </def-group> {{% endif %}} diff --git a/product_properties/10-audit-binaries.yml b/product_properties/10-audit-binaries.yml index 9fa2da7022e7..c0f332940794 100644 --- a/product_properties/10-audit-binaries.yml +++ b/product_properties/10-audit-binaries.yml @@ -11,9 +11,13 @@ default: - /sbin/audispd {{% endif %}} - /sbin/augenrules - {{% if 'rhel' in product or product == 'sle16' %}} + {{% if 'rhel' in product or product == 'sle16' or 'ubuntu' in product %}} - /sbin/audisp-syslog {{% endif %}} + {{% if 'ubuntu' in product %}} + - /sbin/audisp-remote + - /sbin/audispd-zos-remote + {{% endif %}} overrides: {{% if product == 'sle15' %}} audit_binaries: diff --git a/products/anolis23/profiles/standard.profile b/products/anolis23/profiles/standard.profile index 2cf3bfda5a31..69e8d39628fc 100644 --- a/products/anolis23/profiles/standard.profile +++ b/products/anolis23/profiles/standard.profile 
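Review bot: the rule now derives the RHEL minor version from three different sources: the OVAL test parses `VERSION_ID` from `/etc/os-release` (with `datatype="version"`, which correctly orders 10.10 above 10.1), the Ansible remediation uses `ansible_distribution_version`, and the Bash remediation uses `bash_os_linux_conditional`. They normally agree, but if any one lags (a host whose `os-release` was not refreshed by a partial upgrade, for example) the check and the remediation will disagree on whether the PQC key is required and the rule will flap between failing and remediating. A one-line comment next to the test recording that the three must stay in sync would help the next editor. On the `10-audit-binaries.yml` hunk, `/sbin/audisp-remote` and `/sbin/audispd-zos-remote` are added under `default` for every `ubuntu` product; confirm that each Ubuntu version under `products/` actually ships those paths, otherwise the rules that iterate this list will be checking binaries that do not exist on some releases.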
@@ -369,12 +369,14 @@ selections: ## 4.1-ensure-message-of-the-day-is-configured-properly ### Level 1 - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default ## 4.2-ensure-local-login-warning-banner-is-configured-properly ### Level 1 - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default ## 4.3-ensure-remote-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile index b60cba9e23d0..91f13490b1ab 100644 --- a/products/anolis8/profiles/standard.profile +++ b/products/anolis8/profiles/standard.profile @@ -369,12 +369,14 @@ selections: ## 4.1-ensure-message-of-the-day-is-configured-properly ### Level 1 - banner_etc_motd - - login_banner_text=cis_banners + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default ## 4.2-ensure-local-login-warning-banner-is-configured-properly ### Level 1 - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default ## 4.3-ensure-remote-login-warning-banner-is-configured-properly ### Level 1 diff --git a/products/bascontrol22d4/CMakeLists.txt b/products/bascontrol22d4/CMakeLists.txt new file mode 100644 index 000000000000..53f23a29ba13 --- /dev/null +++ b/products/bascontrol22d4/CMakeLists.txt @@ -0,0 +1,6 @@ +# Sometimes our users will try to do: "cd bascontrol22d4; cmake ." That needs to error in a nice way. +if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + +ssg_build_product("bascontrol22d4") diff --git a/products/bascontrol22d4/guide/benchmark.yml b/products/bascontrol22d4/guide/benchmark.yml new file mode 100644 index 000000000000..f875507f9b5a --- /dev/null +++ b/products/bascontrol22d4/guide/benchmark.yml 
@@ -0,0 +1,54 @@ +--- +documentation_complete: true + +title: Guide to the Secure Configuration of {{{ full_name }}} + +status: draft + +description: | + This guide presents a catalog of security-relevant + configuration settings for {{{ full_name }}}. It is a rendering of + content structured in the eXtensible Configuration Checklist Description Format (XCCDF) + in order to support security automation. The SCAP content is + is available in the <tt>scap-security-guide</tt> package which is developed at + {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}. + <br/><br/> + Providing system administrators with such guidance informs them how to securely + configure systems under their control in a variety of network roles. Policy + makers and baseline creators can use this catalog of settings, with its + associated references to higher-level security control catalogs, in order to + assist them in security baseline creation. This guide is a <em>catalog, not a + checklist</em>, and satisfaction of every item is not likely to be possible or + sensible in many operational scenarios. However, the XCCDF format enables + granular selection and adjustment of settings, and their association with OVAL + and OCIL content provides an automated checking capability. Transformations of + this document, and its associated automated checking content, are capable of + providing baselines that meet a diverse set of policy objectives. Some example + XCCDF <em>Profiles</em>, which are selections of items that form checklists and + can be used as baselines, are available with this guide. They can be + processed, in an automated fashion, with tools that support the Security + Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}}, + which provides required settings for US Department of Defense systems, is + one example of a baseline created from this guidance. 
+ +notice: + id: terms_of_use + description: | + Do not attempt to implement any of the settings in + this guide without first testing them in a non-operational environment. The + creators of this guidance assume no responsibility whatsoever for its use by + other parties, and makes no guarantees, expressed or implied, about its + quality, reliability, or any other characteristic. + +front-matter: | + # BASCONSTROL22D-$ Benchmark + The SCAP Security Guide Project<br/> + {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}} + +rear-matter: | + Red Hat and Red Hat Enterprise Linux are either registered + trademarks or trademarks of Red Hat, Inc. in the United States and other + countries. All other names are registered trademarks or trademarks of their + respective companies. + +version: 0.9 diff --git a/products/bascontrol22d4/product.yml b/products/bascontrol22d4/product.yml new file mode 100644 index 000000000000..16fa4d0d30ba --- /dev/null +++ b/products/bascontrol22d4/product.yml @@ -0,0 +1,17 @@ +product: bascontrol22d4 +full_name: Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 +type: product + +benchmark_id: BASCONTROL22D-4 +benchmark_root: "./guide" + +components_root: "../../components" + +profiles_root: "./profiles" + +cpes_root: "../../shared/applicability" +cpes: + - bascontrol22d4: + name: "cpe:/a:bascontrol22d:4" + title: "Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4" + check_id: installed_app_is_bascontrol22d4 diff --git a/products/bascontrol22d4/profiles/standard.profile b/products/bascontrol22d4/profiles/standard.profile new file mode 100644 index 000000000000..452bbd66ea13 --- /dev/null +++ b/products/bascontrol22d4/profiles/standard.profile 
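Review bot: the new `benchmark.yml` carries OS-product boilerplate that is wrong for this device: the front-matter title `BASCONSTROL22D-$ Benchmark` misspells the product and should match `benchmark_id: BASCONTROL22D-4`; the description contains the doubled `is is available` and states that `The DISA STIG for {{{ full_name }}} ... is one example of a baseline created from this guidance`, although no DISA STIG for a BAScontrol22D controller is known to exist; and the rear-matter Red Hat trademark notice has no bearing on a Contemporary Controls product. Drop or reword those three passages. In `product.yml`, the CPE `cpe:/a:bascontrol22d:4` puts the product name in the vendor field and the version in the product field; the CPE URI layout is `cpe:/a:<vendor>:<product>:<version>`, so something along the lines of `cpe:/a:contemporary_controls:bascontrol22d:4` (vendor token to be confirmed) is what `installed_app_is_bascontrol22d4` should be matching against.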
@@ -0,0 +1,9 @@ +documentation_complete: true + +title: 'Standard System Security Profile for Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4' + +description: |- + This profile contains rules to ensure standard security baseline + of a Contemporary Controls BAScontrol22D BACnet/IP Sedona Unitary Controller 4 system. + +#selections: diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index 601f0e2375ec..ea79c4506a7e 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -103,11 +103,14 @@ selections: - rsyslog_remote_loghost - auditd_audispd_encrypt_sent_records - login_banner_text=usgcb_default + - login_banner_contents=usgcb_default - sshd_enable_warning_banner - banner_etc_issue - sshd_rekey_limit - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=usgcb_default + - dconf_login_banner_contents=usgcb_default - audit_rules_login_events_faillock - audit_rules_login_events_lastlog - audit_rules_login_events_tallylog diff --git a/products/ocp4/profiles/cis-1-7.profile b/products/ocp4/profiles/cis-1-7.profile index 9ca64c32198a..f26be121c46d 100644 --- a/products/ocp4/profiles/cis-1-7.profile +++ b/products/ocp4/profiles/cis-1-7.profile @@ -5,6 +5,8 @@ title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' platform: ocp4 +status: deprecated + metadata: SMEs: - rhmdnd diff --git a/products/ocp4/profiles/cis-1-9.profile b/products/ocp4/profiles/cis-1-9.profile new file mode 100644 index 000000000000..21109f3e7a1a --- /dev/null +++ b/products/ocp4/profiles/cis-1-9.profile 
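Review bot: `products/bascontrol22d4/profiles/standard.profile` declares `documentation_complete: true` while its `selections:` key is commented out, so the profile builds with zero rules. Either mark it `documentation_complete: false` (or give it the same `status: draft` the benchmark already has) until rules exist, or populate the selections before merging.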
@@ -0,0 +1,37 @@ +--- +documentation_complete: true + +title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' + +platform: ocp4 + +metadata: + SMEs: + - rhmdnd + - Vincent056 + - yuumasato + version: 1.9.0 + +description: |- + This profile defines a baseline that aligns to the Center for Internet Security® + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. + + This profile includes Center for Internet Security® + Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. + + Note that this part of the profile is meant to run on the Platform that + Red Hat OpenShift Container Platform 4 runs on top of. + + This profile is applicable to OpenShift versions 4.12 and greater. + +filter_rules: '"ocp4-node" not in platform and "ocp4-master-node" not in platform and "ocp4-node-on-sdn" + not in platform and "ocp4-node-on-ovn" not in platform' + +selections: + - cis_ocp_190:all + ### Variables + - var_openshift_audit_profile=WriteRequestBodies + ### Helper Rules + ### This is a helper rule to fetch the required api resource for detecting OCP version + - version_detect_in_ocp + - version_detect_in_hypershift diff --git a/products/ocp4/profiles/cis-node-1-7.profile b/products/ocp4/profiles/cis-node-1-7.profile index bba8260fec3b..3e7a89d6bae4 100644 --- a/products/ocp4/profiles/cis-node-1-7.profile +++ b/products/ocp4/profiles/cis-node-1-7.profile @@ -5,6 +5,8 @@ title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' platform: ocp4-node +status: deprecated + metadata: SMEs: - rhmdnd diff --git a/products/ocp4/profiles/cis-node-1-9.profile b/products/ocp4/profiles/cis-node-1-9.profile new file mode 100644 index 000000000000..27ded73fe163 --- /dev/null +++ b/products/ocp4/profiles/cis-node-1-9.profile 
@@ -0,0 +1,31 @@ +--- +documentation_complete: true + +title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark' + +platform: ocp4-node + +metadata: + SMEs: + - rhmdnd + - Vincent056 + - yuumasato + version: 1.9.0 + +description: |- + This profile defines a baseline that aligns to the Center for Internet Security® + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. + + This profile includes Center for Internet Security® + Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. + + Note that this part of the profile is meant to run on the Operating System that + Red Hat OpenShift Container Platform 4 runs on top of. + + This profile is applicable to OpenShift versions 4.12 and greater. + +filter_rules: '"ocp4-node" in platform or "ocp4-master-node" in platform or "ocp4-node-on-sdn" in platform + or "ocp4-node-on-ovn" in platform' + +selections: + - cis_ocp_190:all diff --git a/products/ocp4/profiles/cis-node.profile b/products/ocp4/profiles/cis-node.profile index bd1ce3bfce8a..90d8cf879591 100644 --- a/products/ocp4/profiles/cis-node.profile +++ b/products/ocp4/profiles/cis-node.profile @@ -10,11 +10,11 @@ metadata: - rhmdnd - Vincent056 - yuumasato - version: 1.7.0 + version: 1.9.0 description: |- This profile defines a baseline that aligns to the Center for Internet Security® - Red Hat OpenShift Container Platform 4 Benchmark™, V1.7. + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. @@ -24,4 +24,4 @@ description: |- This profile is applicable to OpenShift versions 4.12 and greater. -extends: cis-node-1-7 +extends: cis-node-1-9 diff --git a/products/ocp4/profiles/cis.profile b/products/ocp4/profiles/cis.profile index e46d12ad28c1..f63649d5437f 100644 --- a/products/ocp4/profiles/cis.profile +++ b/products/ocp4/profiles/cis.profile 
@@ -10,11 +10,11 @@ metadata: - rhmdnd - Vincent056 - yuumasato - version: 1.7.0 + version: 1.9.0 description: |- This profile defines a baseline that aligns to the Center for Internet Security® - Red Hat OpenShift Container Platform 4 Benchmark™, V1.7. + Red Hat OpenShift Container Platform 4 Benchmark™, V1.9.0. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. @@ -24,4 +24,4 @@ description: |- This profile is applicable to OpenShift versions 4.12 and greater. -extends: cis-1-7 +extends: cis-1-9 diff --git a/products/ol7/profiles/ncp.profile b/products/ol7/profiles/ncp.profile index 2acb9c798f04..426901de8641 100644 --- a/products/ol7/profiles/ncp.profile +++ b/products/ol7/profiles/ncp.profile @@ -36,6 +36,7 @@ extends: ospp selections: - installed_OS_is_vendor_supported - login_banner_text=usgcb_default + - login_banner_contents=usgcb_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 - accounts_password_all_shadowed @@ -323,6 +324,8 @@ selections: - dconf_gnome_disable_wifi_notification - dconf_gnome_enable_smartcard_auth - dconf_gnome_login_banner_text + - dconf_login_banner_text=usgcb_default + - dconf_login_banner_contents=usgcb_default - dconf_gnome_login_retries - dconf_gnome_remote_access_credential_prompt - dconf_gnome_remote_access_encryption diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile index 133832c72af2..27085939d81a 100644 --- a/products/ol7/profiles/stig.profile +++ b/products/ol7/profiles/stig.profile @@ -8,6 +8,7 @@ description: |- selections: - login_banner_text=dod_banners + - login_banner_contents=dod_default - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - sshd_idle_timeout_value=10_minutes 
@@ -54,6 +55,8 @@ selections: - dconf_db_up_to_date - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_default + - dconf_login_banner_contents=dod_default - banner_etc_issue - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_lock_locked diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index fba0400ef38b..622bfa8a1e6b 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V2R6 + version: V2R7 reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux @@ -9,7 +9,7 @@ title: 'DISA STIG for Oracle Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Oracle Linux 8 V2R6. + DISA STIG for Oracle Linux 8 V2R7. selections: ### Variables @@ -39,7 +39,7 @@ selections: - var_password_pam_retry=3 - var_password_pam_minlen=15 - sshd_approved_macs=stig_extended - - sshd_approved_ciphers=stig_extended + - sshd_approved_ciphers=stig_ol8 - sshd_idle_timeout_value=10_minutes - var_accounts_authorized_local_users_regex=ol8 - var_accounts_passwords_pam_faillock_deny=3 @@ -61,6 +61,9 @@ selections: - var_auditd_disk_full_action=ol8 - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners + - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig @@ -408,9 +411,6 @@ selections: # OL08-00-010650 - mount_option_nosuid_remote_filesystems - # OL08-00-010660 - - accounts_user_dot_no_world_writable_programs - # OL08-00-010670 - service_kdump_disabled 
@@ -532,7 +532,11 @@ selections: # OL08-00-020035 - logind_session_timeout - - var_logind_session_timeout=15_minutes + - var_logind_session_timeout=10_minutes + + # OL08-00-020040 + - accounts_tmout + - var_accounts_tmout=10_min # OL08-00-020043 - vlock_installed @@ -542,6 +546,7 @@ selections: # OL08-00-020060 - dconf_gnome_screensaver_idle_delay + - inactivity_timeout_value=10_minutes # OL08-00-020080 - dconf_gnome_screensaver_user_locks @@ -651,9 +656,6 @@ selections: # OL08-00-020331, OL08-00-020332 - no_empty_passwords - # OL08-00-020340 - - display_login_attempts - # OL08-00-020350 - sshd_print_last_log diff --git a/products/ol8/profiles/stig_gui.profile b/products/ol8/profiles/stig_gui.profile index 8d26c7dd0d98..109fd4d08f8c 100644 --- a/products/ol8/profiles/stig_gui.profile +++ b/products/ol8/profiles/stig_gui.profile @@ -1,13 +1,13 @@ documentation_complete: true metadata: - version: V2R6 + version: V2R7 title: 'DISA STIG with GUI for Oracle Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Oracle Linux V2R6. + DISA STIG with GUI for Oracle Linux V2R7. Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If diff --git a/products/ol9/profiles/stig.profile b/products/ol9/profiles/stig.profile index 883b970b43a8..adbe70ed2e64 100644 --- a/products/ol9/profiles/stig.profile +++ b/products/ol9/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V1R3 + version: V1R4 reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux @@ -10,7 +10,7 @@ title: 'DISA STIG for Oracle Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Oracle Linux 9 V1R3. + DISA STIG for Oracle Linux 9 V1R4. selections: - stig_ol9:all 
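Review bot: in the OL8 STIG profile, `sshd_approved_ciphers=stig_ol8` selects a variable option that does not appear anywhere in this diff; unless `sshd_approved_ciphers` already defines `stig_ol8`, the build will fail on an unknown selector, so either include the variable change here or reference the change that added it. Also, OL08-00-010660 (`accounts_user_dot_no_world_writable_programs`) and OL08-00-020340 (`display_login_attempts`) are deleted outright; if V2R7 dropped those requirements, a short comment at the deletion site saying so would save the next reader a trip to the STIG change log.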
diff --git a/products/ol9/profiles/stig_gui.profile b/products/ol9/profiles/stig_gui.profile index 178e85a21e57..4f2b8b948abb 100644 --- a/products/ol9/profiles/stig_gui.profile +++ b/products/ol9/profiles/stig_gui.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R3 + version: V1R4 reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux @@ -9,7 +9,7 @@ title: 'DISA STIG with GUI for Oracle Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Oracle Linux 9 V1R3. + DISA STIG for Oracle Linux 9 V1R4. Warning: The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. If diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile index 13db15a9530b..a43e6745f40c 100644 --- a/products/openembedded/profiles/expanded.profile +++ b/products/openembedded/profiles/expanded.profile @@ -112,8 +112,10 @@ selections: - service_dovecot_disabled - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - file_groupowner_etc_motd - file_owner_etc_motd - file_permissions_etc_motd diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile index 37547a454e83..d183617a264b 100644 --- a/products/openembedded/profiles/standard.profile +++ b/products/openembedded/profiles/standard.profile @@ -107,8 +107,10 @@ selections: - service_dovecot_disabled - banner_etc_motd - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - banner_etc_issue - login_banner_text=cis_banners + - login_banner_contents=cis_default - file_groupowner_etc_motd - file_owner_etc_motd - file_permissions_etc_motd 
diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml index 8269196f2993..9ab136c4be7a 100644 --- a/products/rhel10/controls/cis_rhel10.yml +++ b/products/rhel10/controls/cis_rhel10.yml @@ -366,9 +366,14 @@ controls: levels: - l1_server - l1_workstation - status: manual - related_rules: + status: partial + rules: - ensure_redhat_gpgkey_installed + notes: > + In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories. + But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2 + adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat + GPG key wouldn't be installed, people won't be able to install any RPM package using dnf. - id: 1.2.1.2 title: Ensure gpgcheck is configured (Automated) @@ -706,7 +711,8 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) @@ -817,6 +823,8 @@ controls: - l1_workstation status: automated rules: + - service_dnsmasq_disabled + related_rules: - package_dnsmasq_removed - id: 2.1.7 diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile index 4d9b46867bc6..3be6b3d8376a 100644 --- a/products/rhel10/profiles/default.profile +++ b/products/rhel10/profiles/default.profile @@ -45,3 +45,4 @@ selections: - file_etc_security_opasswd - sshd_use_strong_macs - configure_ssh_crypto_policy + - package_dnsmasq_removed diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml index cbe5d4d6454e..69773b6030d3 100644 --- a/products/rhel8/controls/cis_rhel8.yml +++ b/products/rhel8/controls/cis_rhel8.yml 
@@ -379,9 +379,14 @@ controls: levels: - l1_server - l1_workstation - status: manual - related_rules: + status: partial + rules: - ensure_redhat_gpgkey_installed + notes: > + In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories. + But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2 + adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat + GPG key wouldn't be installed, people won't be able to install any RPM package using dnf. - id: 1.2.1.2 title: Ensure gpgcheck is configured (Automated) @@ -740,7 +745,8 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.2 title: Ensure GDM disable-user-list is configured (Automated) @@ -860,6 +866,8 @@ controls: - l1_workstation status: automated rules: + - service_dnsmasq_disabled + related_rules: - package_dnsmasq_removed - id: 2.1.7 diff --git a/products/rhel8/controls/stig_rhel8.yml b/products/rhel8/controls/stig_rhel8.yml index b70ea1d7eab9..4c2de6146d37 100644 --- a/products/rhel8/controls/stig_rhel8.yml +++ b/products/rhel8/controls/stig_rhel8.yml @@ -2,7 +2,7 @@ policy: Red Hat Enterprise Linux 8 Security Technical Implementation Guide title: Red Hat Enterprise Linux 8 Security Technical Implementation Guide id: stig_rhel8 -version: V2R5 +version: V2R6 source: https://www.cyber.mil/stigs/downloads reference_type: stigid product: rhel8 
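Review bot: the `notes:` text added to control 1.2.1.1 in both `cis_rhel8.yml` and `cis_rhel10.yml` is hard to follow (`But, add the rule ... to the profile because ...`, `If the Red Hat GPG key wouldn't be installed, people won't be able ...`). Suggested wording: `CIS marks this requirement manual because third-party repository keys cannot be checked generically. ensure_redhat_gpgkey_installed is selected anyway because 1.2.1.2 (ensure_gpgcheck_never_disabled) enforces signature checking, and without the Red Hat key no RPM can be installed with dnf.` Keep the paragraph identical in both files so they do not drift.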
@@ -67,17 +67,12 @@ controls: - var_auditd_disk_full_action=rhel8 - var_sssd_certificate_verification_digest_function=sha1 - login_banner_text=dod_banners + - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - var_authselect_profile=sssd - var_multiple_time_servers=stig - var_time_service_set_maxpoll=18_hours - # Enable / Configure FIPS - - enable_fips_mode - - var_system_crypto_policy=fips - - configure_crypto_policy - - configure_bind_crypto_policy - - configure_libreswan_crypto_policy - - configure_kerberos_crypto_policy - - enable_dracut_fips_module # Other needed rules - enable_authselect @@ -97,24 +92,23 @@ controls: - security_patches_up_to_date status: automated + - id: RHEL-08-010015 + levels: + - high + title: RHEL 8 must have the crypto-policies package installed. + rules: + - package_crypto-policies_installed + status: automated + - id: RHEL-08-010020 levels: - high - title: 'RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision - digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest - protections in accordance with applicable federal laws, Executive Orders, directives, policies, - regulations, and standards.' + title: RHEL 8 must implement a FIPS 140-3-compliant systemwide cryptographic policy. rules: - - configure_bind_crypto_policy - configure_crypto_policy - - configure_kerberos_crypto_policy - - configure_libreswan_crypto_policy - - enable_dracut_fips_module - - enable_fips_mode - fips_crypto_subpolicy - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy - - sysctl_crypto_fips_enabled + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - id: RHEL-08-010030 
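Review bot: `enable_fips_mode`, `enable_dracut_fips_module` and `sysctl_crypto_fips_enabled` are removed from both the "Enable / Configure FIPS" preamble and RHEL-08-010020, and nothing in this diff re-adds them, so the STIG profile no longer selects any rule that puts the kernel into FIPS mode (`fips=1` on the command line plus the dracut fips module). The new 010020 selection (`configure_crypto_policy`, `fips_crypto_subpolicy`, `fips_custom_stig_sub_policy`, `var_system_crypto_policy=fips_stig`) only sets the userspace `FIPS:STIG` crypto policy, which on its own does not enable kernel FIPS mode. If V2R6 really dropped the kernel FIPS requirement, record that in a `notes:` on 010020; otherwise keep `enable_fips_mode` and `enable_dracut_fips_module` under 010020 or in the "Other needed rules" list.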
@@ -338,54 +332,62 @@ controls: - file_groupowner_var_log status: automated - - id: RHEL-08-010290 + - id: RHEL-08-010270 levels: - - medium - title: The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) - employing FIPS 140-3 validated cryptographic hash algorithms. + - high + title: RHEL 8 cryptographic policy must not be overridden. rules: - - harden_sshd_macs_opensshserver_conf_crypto_policy + - configure_crypto_policy status: automated - - id: RHEL-08-010291 + - id: RHEL-08-010275 levels: - medium - title: The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality - of SSH server connections. + title: RHEL 8 must implement DOD-approved encryption in the bind package. rules: - - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - configure_bind_crypto_policy status: automated - - id: RHEL-08-010292 + - id: RHEL-08-010280 levels: - - low - title: RHEL 8 must ensure the SSH server uses strong entropy. + - medium + title: RHEL 8 IP tunnels must use FIPS 140-3-approved cryptographic algorithms. rules: - - sshd_use_strong_rng + - configure_libreswan_crypto_policy status: automated - - id: RHEL-08-010293 + - id: RHEL-08-010290 levels: - medium - title: The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. + title: The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) + employing FIPS 140-3 validated cryptographic hash algorithms. + notes: This is implemented by a special STIG subpolicy. rules: - - configure_openssl_crypto_policy + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - - id: RHEL-08-010294 + - id: RHEL-08-010291 levels: - medium - title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package. 
+ title: The RHEL 8 operating system must implement DOD-approved encryption to protect the confidentiality + of SSH server connections. + notes: This is implemented by a special STIG subpolicy. rules: - - configure_openssl_tls_crypto_policy + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - - id: RHEL-08-010295 + - id: RHEL-08-010292 levels: - - medium - title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package. + - low + title: RHEL 8 must ensure the SSH server uses strong entropy. rules: - - configure_gnutls_tls_crypto_policy + - sshd_use_strong_rng status: automated - id: RHEL-08-010300 @@ -807,14 +809,6 @@ controls: - mount_option_nosuid_remote_filesystems status: automated - - id: RHEL-08-010660 - levels: - - medium - title: Local RHEL 8 initialization files must not execute world-writable programs. - rules: - - accounts_user_dot_no_world_writable_programs - status: automated - - id: RHEL-08-010670 levels: - medium @@ -975,6 +969,7 @@ controls: equivalent). rules: - partition_for_home + - accounts_user_interactive_home_directory_on_separate_partition status: automated - id: RHEL-08-010820 @@ -1375,14 +1370,6 @@ controls: - sshd_disable_empty_passwords status: automated - - id: RHEL-08-020340 - levels: - - low - title: RHEL 8 must display the date and time of the last successful account logon upon logon. - rules: - - display_login_attempts - status: automated - - id: RHEL-08-020350 levels: - medium @@ -1418,6 +1405,16 @@ controls: - accounts_umask_etc_profile status: automated + - id: RHEL-08-020353 + levels: + - medium + title: RHEL 8 must automatically exit interactive command shell user sessions after 10 minutes of inactivity. + rules: + - accounts_tmout + - var_accounts_tmout=10_min + status: automated + + - id: RHEL-08-030000 levels: - medium 
@@ -2810,14 +2807,6 @@ controls: - sshd_set_idle_timeout status: automated - - id: RHEL-08-010287 - levels: - - medium - title: The RHEL 8 SSH daemon must be configured to use system-wide crypto policies. - rules: - - configure_ssh_crypto_policy - status: automated - - id: RHEL-08-010472 levels: - low @@ -3159,14 +3148,6 @@ controls: - selinux_user_login_roles status: automated - - id: RHEL-08-040342 - levels: - - medium - title: RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. - rules: - - sshd_use_approved_kex_ordered_stig - status: automated - - id: RHEL-08-010019 levels: - medium 
@@ -3204,20 +3185,26 @@ controls: - id: RHEL-08-010296 levels: - medium - title: RHEL 8 SSH client must be configured to use only Message Authentication Codes (MACs) employing - FIPS 140-3 validated cryptographic hash algorithms. + title: The RHEL 8 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + notes: This is implemented by a special STIG subpolicy. rules: - - harden_sshd_ciphers_openssh_conf_crypto_policy - - harden_sshd_macs_openssh_conf_crypto_policy + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig status: automated - id: RHEL-08-010297 levels: - medium - title: RHEL 8 SSH client must be configured to use only ciphers employing FIPS 140-3 validated - cryptographic hash algorithms. - rules: [] - status: pending + title: The RHEL 8 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + notes: This is implemented by a special STIG subpolicy. + rules: + - configure_crypto_policy + - fips_crypto_subpolicy + - fips_custom_stig_sub_policy + - var_system_crypto_policy=fips_stig + status: automated - id: RHEL-08-010455 levels: diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg index 1b95e71705f9..069855e80d26 100644 --- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg 
@@ -80,7 +80,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture @@ -95,15 +95,15 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition 
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon org_fedora_oscap diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg index 7b57de148d7f..3477225767b6 100644 --- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg 
@@ -84,7 +84,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture @@ -99,15 +99,15 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition 
@@ -123,17 +123,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon org_fedora_oscap diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg index 9080117a63c3..5789b94da59d 100644 --- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg 
@@ -81,7 +81,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture @@ -96,15 +96,15 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition 
@@ -119,17 +119,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon org_fedora_oscap diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index 8b3cd0016da6..7e7401a04ac7 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile 
@@ -731,3 +731,11 @@ selections: - package_xorg-x11-server-common_removed - accounts_users_netrc_file_permissions - journald_forward_to_syslog + - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + - sysctl_crypto_fips_enabled + - configure_gnutls_tls_crypto_policy + - configure_openssl_tls_crypto_policy + - sshd_use_approved_kex_ordered_stig + - accounts_user_dot_no_world_writable_programs + - package_dnsmasq_removed diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile index 4e67d3893c0c..cff0b644c55a 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -27,6 +27,7 @@ selections: - var_password_pam_difok=3 - var_password_pam_unix_remember=5 - var_accounts_user_umask=077 + - login_banner_contents=usgcb_default - login_banner_text=usgcb_default - partition_for_tmp - partition_for_var diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 0369365b5d48..093b78a38b73 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R5 + version: V2R6 SMEs: - mab879 - ggbecker @@ -13,7 +13,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V2R5. + DISA STIG for Red Hat Enterprise Linux 8 V2R6. In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline is applicable to the operating system tier of diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index 6d3e322442a5..56f1126f614b 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R5 + version: V2R6 SMEs: - mab879 - ggbecker 
@@ -13,7 +13,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V2R5. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V2R6. In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline is applicable to the operating system tier of diff --git a/products/rhel9/controls/ccn_rhel9.yml b/products/rhel9/controls/ccn_rhel9.yml index 6f0dcc2928f3..84a168b77395 100644 --- a/products/rhel9/controls/ccn_rhel9.yml +++ b/products/rhel9/controls/ccn_rhel9.yml @@ -635,11 +635,17 @@ controls: - banner_etc_issue - banner_etc_issue_net - banner_etc_motd + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text + - dconf_login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - sshd_enable_warning_banner_net - login_banner_text=cis_banners + - login_banner_contents=cis_default - remote_login_banner_text=cis_banners + - remote_login_banner_contents=cis_default - id: A.11.SEC-RHEL5 title: Network Acess to the System is Controlled diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml index f73fbd1f6d79..d96d8ad21fed 100644 --- a/products/rhel9/controls/cis_rhel9.yml +++ b/products/rhel9/controls/cis_rhel9.yml 
@@ -361,9 +361,14 @@ controls: levels: - l1_server - l1_workstation - status: manual - related_rules: + status: partial + rules: - ensure_redhat_gpgkey_installed + notes: > + In CIS Benchmark, the requirement is manual, because of GPG keys for 3rd party repositories. + But, add the rule ensure_redhat_gpgkey_installed to the profile because the requirement 1.2.1.2 + adds ensure_gpgcheck_never_disabled which requires GPG key checking. If the Red Hat + GPG key wouldn't be installed, people won't be able to install any RPM package using dnf. - id: 1.2.1.2 title: Ensure gpgcheck is globally activated (Automated) @@ -690,7 +695,8 @@ controls: rules: - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - - login_banner_text=cis_banners + - dconf_login_banner_text=cis_banners + - dconf_login_banner_contents=cis_default - id: 1.8.3 title: Ensure GDM disable-user-list option is enabled (Automated) @@ -819,6 +825,8 @@ controls: - l1_workstation status: automated rules: + - service_dnsmasq_disabled + related_rules: - package_dnsmasq_removed - id: 2.1.6 diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml index 03d14b620735..554496291306 100644 --- a/products/rhel9/controls/stig_rhel9.yml +++ b/products/rhel9/controls/stig_rhel9.yml @@ -3,7 +3,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide' title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide' id: stig_rhel9 source: https://www.cyber.mil/stigs/downloads/ -version: V2R4 +version: V2R7 reference_type: stigid product: rhel9 @@ -25,6 +25,8 @@ controls: - medium rules: - dconf_gnome_login_banner_text + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default - id: RHEL-09-211010 levels: - high @@ -49,6 +51,7 @@ controls: rules: - banner_etc_issue - login_banner_text=dod_banners + - login_banner_contents=dod_default status: automated - id: RHEL-09-211030 
@@ -1303,7 +1306,7 @@ controls: title: All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user. rules: - - dir_perms_world_writable_root_owned + - dir_perms_world_writable_system_owned status: automated - id: RHEL-09-232245 @@ -1766,23 +1769,6 @@ controls: - sshd_enable_pam status: automated - - id: RHEL-09-255055 - levels: - - medium - title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies. - rules: - - file_sshd_50_redhat_exists - - sshd_include_crypto_policy - status: automated - - - id: RHEL-09-255060 - levels: - - medium - title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of - SSH client connections. - rules: - - sshd_include_crypto_policy - status: automated - id: RHEL-09-255064 title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client @@ -1795,9 +1781,10 @@ controls: - id: RHEL-09-255065 levels: - medium - title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of - SSH server connections. + title: The RHEL 9 SSH server must be configured to use only DOD-approved encryption ciphers employing + FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. rules: + - sshd_include_crypto_policy - harden_sshd_ciphers_opensshserver_conf_crypto_policy - sshd_approved_ciphers=stig_rhel9 status: automated @@ -1872,6 +1859,7 @@ controls: - medium title: RHEL 9 SSH server configuration file must be group-owned by root. rules: + - file_sshd_50_redhat_exists - file_groupowner_sshd_config - directory_groupowner_sshd_config_d - file_groupowner_sshd_drop_in_config 
@@ -1882,6 +1870,7 @@ controls: - medium title: RHEL 9 SSH server configuration file must be owned by root. rules: + - file_sshd_50_redhat_exists - file_owner_sshd_config - directory_owner_sshd_config_d - file_owner_sshd_drop_in_config @@ -2087,9 +2076,10 @@ controls: - id: RHEL-09-271065 levels: - medium - title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. + title: RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity. rules: - dconf_gnome_screensaver_idle_delay + - inactivity_timeout_value=10_minutes status: automated - id: RHEL-09-271070 @@ -2495,7 +2485,7 @@ controls: title: RHEL 9 must terminate idle user sessions. rules: - logind_session_timeout - - var_logind_session_timeout=15_minutes + - var_logind_session_timeout=10_minutes status: automated - id: RHEL-09-431010 @@ -3280,14 +3270,6 @@ controls: roles appointed by the ISSM) to select which auditable events are to be audited. rules: - file_permissions_audit_configuration - status: automated - - - id: RHEL-09-653115 - levels: - - medium - title: RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized - access. - rules: - file_permissions_etc_audit_auditd status: automated @@ -3484,6 +3466,16 @@ controls: - audit_rules_privileged_commands_crontab status: automated + - id: RHEL-09-654097 + levels: + - medium + title: RHEL 9 must audit any script or executable called by cron as root or by any privileged user. + rules: + - audit_rules_etc_cron_d + - audit_rules_var_spool_cron + status: automated + + - id: RHEL-09-654100 levels: - medium 
@@ -3820,7 +3812,7 @@ controls: - id: RHEL-09-672020 levels: - medium - title: RHEL 9 crypto policy must not be overridden. + title: RHEL 9 cryptographic policy must not be overridden. notes: Rules for this control are intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/ are symlinks is not an appropriate way to verify the consistency of the system's cryptographic settings. The suggested fix mentioned in the STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file. @@ -3830,16 +3822,6 @@ controls: More information can be found at https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening status: pending - - id: RHEL-09-672025 - levels: - - medium - title: RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive - orders, directives, policies, regulations, standards, and guidance for authentication to a - cryptographic module. - rules: - - configure_kerberos_crypto_policy - status: automated - - id: RHEL-09-672030 levels: - high diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg index 5b170c0a635f..48dbcf396ce8 100644 --- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg @@ -80,7 +80,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture 
@@ -95,15 +95,15 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,noexec,nosuid" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition 
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg index 2bd43b2fa6cf..bbb3a2cadf90 100644 --- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg 
@@ -84,7 +84,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture @@ -99,15 +99,15 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition 
@@ -122,17 +122,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg index 4feee55f0f8c..d5649e10ece3 100644 --- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg 
@@ -80,7 +80,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture @@ -95,15 +95,15 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition 
@@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg index e696055b9140..68a69d4d0d9c 100644 --- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg 
@@ -97,16 +97,16 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=4272 +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /usr Located On Separate Partition # partition_for_usr -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev" +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev" # Ensure /opt Located On Separate Partition # partition_for_opt -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 # Ensure /home Located On Separate Partition # partition_for_home -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev" # Ensure /tmp Located On Separate Partition # partition_for_tmp logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" @@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var Located On Separate Partition # partition_for_var -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096 # Ensure /var/log Located On Separate Partition # partition_for_var_log logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg index 263be16f4566..73e367ce22dc 100644 --- a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg 
@@ -94,7 +94,7 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # Ensure /home Located On Separate Partition logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" # Ensure /tmp Located On Separate Partition @@ -111,17 +111,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. -# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap 
diff --git a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg index 55a0a069cac0..cbb5ce7e2dcb 100644 --- a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg @@ -78,7 +78,7 @@ zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware -# +# # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture 
@@ -93,32 +93,32 @@ part pv.01 --grow --size=1 volgroup VolGroup pv.01 # Create particular logical volumes (optional) -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=5120 --grow +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow # CCE-26557-9: Ensure /home Located On Separate Partition -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev" # CCE-26435-8: Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" # CCE-26639-5: Ensure /var Located On Separate Partition -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096 --fsoptions="nodev" # CCE-26215-4: Ensure /var/log Located On Separate Partition -logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev" +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=512 --fsoptions="nodev" # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev" logvol swap --name=swap --vgname=VolGroup --size=2016 # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) # content - security policies - on the installed system.This add-on has been enabled by default -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this # functionality will automatically be installed. However, by default, no policies are enforced, # meaning that no checks are performed during or after installation unless specifically configured. 
-# +# # Important # Applying a security policy is not necessary on all systems. This screen should only be used # when a specific policy is mandated by your organization rules or government regulations. # Unlike most other commands, this add-on does not accept regular options, but uses key-value # pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic. # Values can be optionally enclosed in single quotes (') or double quotes ("). -# +# # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile index 20b0a150da0c..f817322dbdab 100644 --- a/products/rhel9/profiles/default.profile +++ b/products/rhel9/profiles/default.profile @@ -13,6 +13,7 @@ description: |- is to keep a rule in the product's XCCDF Benchmark. selections: + - configure_kerberos_crypto_policy - sshd_use_strong_kex - sebool_nfsd_anon_write - sebool_squid_connect_any @@ -591,3 +592,4 @@ selections: - audit_rules_login_events_tallylog - configure_ssh_crypto_policy - accounts_user_dot_no_world_writable_programs + - package_dnsmasq_removed diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile index 25ec12884fcc..d2d156f5325f 100644 --- a/products/rhel9/profiles/stig.profile +++ b/products/rhel9/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R6 + version: V2R7 SMEs: - mab879 - ggbecker 
@@ -13,7 +13,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 9 V2R6. + DISA STIG for Red Hat Enterprise Linux 9 V2R7. In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is applicable to the operating system tier of diff --git a/products/rhel9/profiles/stig_gui.profile b/products/rhel9/profiles/stig_gui.profile index 84f6010b8bce..f4dd8575e3db 100644 --- a/products/rhel9/profiles/stig_gui.profile +++ b/products/rhel9/profiles/stig_gui.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R6 + version: V2R7 SMEs: - mab879 - ggbecker @@ -13,7 +13,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 9 V2R6. + DISA STIG for Red Hat Enterprise Linux 9 V2R7. In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline is applicable to the operating system tier of diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile index ec2dd7bdbfb5..a0c8bc01d309 100644 --- a/products/rhv4/profiles/rhvh-stig.profile +++ b/products/rhv4/profiles/rhvh-stig.profile @@ -17,6 +17,7 @@ description: |- selections: - installed_OS_is_FIPS_certified - login_banner_text=dod_banners + - login_banner_contents=dod_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 - accounts_password_pam_minlen diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 33b341569721..60a154b79dfa 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V3R3 + version: V3R4 SMEs: - svet-se - rumch-se 
@@ -13,7 +13,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 12' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise 12 V3R3. + DISA STIG for SUSE Linux Enterprise 12 V3R4. selections: - sshd_approved_macs=stig @@ -32,6 +32,9 @@ selections: - var_password_pam_ucredit=1 - var_accounts_maximum_age_login_defs=60 - login_banner_text=dod_banners + - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled @@ -176,7 +179,6 @@ selections: - dir_system_commands_root_owned - disable_ctrlaltdel_reboot - disallow_bypass_password_sudo - - display_login_attempts - enable_dconf_user_profile - encrypt_partitions - ensure_gpgcheck_globally_activated diff --git a/products/sle15/profiles/pcs-hardening-sap.profile b/products/sle15/profiles/pcs-hardening-sap.profile index 63231a2b3b34..22c9e487becf 100644 --- a/products/sle15/profiles/pcs-hardening-sap.profile +++ b/products/sle15/profiles/pcs-hardening-sap.profile @@ -5,7 +5,7 @@ metadata: SMEs: - esampson -reference: +reference: title: 'Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15' @@ -24,8 +24,9 @@ selections: - var_apparmor_mode=complain - motd_banner_text=cis_banners - login_banner_text=cis_banners + - login_banner_contents=cis_default - remote_login_banner_text=cis_banners - - login_banner_text=cis_default + - remote_login_banner_contents=cis_default - var_multiple_time_servers=suse - var_multiple_time_pools=suse - var_postfix_inet_interfaces=loopback-only diff --git a/products/sle15/profiles/pcs-hardening.profile b/products/sle15/profiles/pcs-hardening.profile index 69da010c6d09..0bfc746d362c 100644 --- a/products/sle15/profiles/pcs-hardening.profile +++ b/products/sle15/profiles/pcs-hardening.profile 
@@ -5,7 +5,7 @@ metadata: SMEs: - esampson -reference: +reference: title: 'Public Cloud Hardening for SUSE Linux Enterprise 15' @@ -31,6 +31,9 @@ selections: - var_password_pam_delay=4000000 #- login_banner_text=dod_banners - login_banner_text=cis_banners + - login_banner_contents=cis_default + - motd_banner_text=cis_banners + - motd_banner_contents=cis_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled @@ -410,7 +413,7 @@ selections: #- package_net-snmp_removed #- package_telnet_removed #- package_telnet-server_removed - #### OTHER + #### OTHER #### can't do at image build time #- accounts_authorized_local_users #- accounts_max_concurrent_login_sessions diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index 309c043b17a3..37233d8004c5 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V2R5 + version: V2R6 SMEs: - svet-se - rumch-se @@ -13,7 +13,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 15' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise 15 V2R5. + DISA STIG for SUSE Linux Enterprise 15 V2R6. selections: @@ -31,6 +31,9 @@ selections: - var_accounts_maximum_age_login_defs=60 - var_password_pam_delay=4000000 - login_banner_text=dod_banners + - login_banner_contents=dod_default + - dconf_login_banner_text=dod_banners + - dconf_login_banner_contents=dod_default # # Note: must configure "var_accounts_authorized_local_users_regex" when # "accounts_authorized_local_users" rule is enabled @@ -191,7 +194,6 @@ selections: - disable_ctrlaltdel_reboot - disable_ctrlaltdel_reboot - disallow_bypass_password_sudo - - display_login_attempts - enable_dconf_user_profile - encrypt_partitions - ensure_gpgcheck_globally_activated 
diff --git a/products/sle16/profiles/anssi_bp28_enhanced.profile b/products/sle16/profiles/anssi_bp28_enhanced.profile new file mode 100644 index 000000000000..d93e440d079a --- /dev/null +++ b/products/sle16/profiles/anssi_bp28_enhanced.profile 
@@ -0,0 +1,76 @@ +--- +documentation_complete: true + +metadata: + SMEs: + - svet-se + - teacup-on-rockingchair + +title: 'ANSSI-BP-028 (enhanced)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system + +selections: + - anssi:all:enhanced + - var_multiple_time_servers=suse + - var_multiple_time_pools=suse + - var_sudo_dedicated_group=root + - accounts_password_pam_pwhistory_remember + - set_password_hashing_min_rounds_logindefs + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_ocredit' + - '!cracklib_accounts_password_pam_ucredit' + - '!accounts_password_pam_unix_rounds_system_auth' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!accounts_passwords_pam_tally2' + - '!aide_periodic_cron_checking' + - '!all_apparmor_profiles_enforced' + - '!apparmor_configured' + - '!audit_rules_immutable' + - '!dnf-automatic_apply_updates' + - '!dnf-automatic_security_updates_only' + - '!enable_authselect' + - '!ensure_almalinux_gpgkey_installed' + - '!ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' + - '!file_groupowner_user_cfg' + - '!file_owner_user_cfg' + - '!file_permissions_sudo' + - '!file_permissions_user_cfg' + - '!grub2_enable_apparmor' + - 
'!kernel_config_arm64_sw_ttbr0_pan' + - '!kernel_config_gcc_plugin_latent_entropy' + - '!kernel_config_gcc_plugin_randstruct' + - '!kernel_config_gcc_plugin_stackleak' + - '!kernel_config_gcc_plugin_structleak_byref_all' + - '!kernel_config_gcc_plugin_structleak' + - '!kernel_config_legacy_vsyscall_emulate' + - '!kernel_config_modify_ldt_syscall' + - '!kernel_config_refcount_full' + - '!kernel_config_slab_merge_default' + - '!ldap_client_start_tls' + - '!ldap_client_tls_cacertpath' + - '!no_nis_in_nsswitch' + - '!package_apparmor_installed' + - '!package_dnf-automatic_installed' + - '!package_dracut-fips-aesni_installed' + - '!package_pam_apparmor_installed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!sebool_secure_mode_insmod' + - '!timer_dnf-automatic_enabled' diff --git a/products/sle16/profiles/anssi_bp28_high.profile b/products/sle16/profiles/anssi_bp28_high.profile new file mode 100644 index 000000000000..c0c4fd81912c --- /dev/null +++ b/products/sle16/profiles/anssi_bp28_high.profile 
@@ -0,0 +1,76 @@ +--- +documentation_complete: true + +metadata: + SMEs: + - svet-se + - teacup-on-rockingchair + +title: 'ANSSI-BP-028 (high)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system + +selections: + - anssi:all:high + - var_multiple_time_servers=suse + - var_multiple_time_pools=suse + - var_sudo_dedicated_group=root + - accounts_password_pam_pwhistory_remember + - set_password_hashing_min_rounds_logindefs + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_ocredit' + - '!cracklib_accounts_password_pam_ucredit' + - '!accounts_password_pam_unix_rounds_system_auth' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!accounts_passwords_pam_tally2' + - '!aide_periodic_cron_checking' + - '!all_apparmor_profiles_enforced' + - '!apparmor_configured' + - '!audit_rules_immutable' + - '!dnf-automatic_apply_updates' + - '!dnf-automatic_security_updates_only' + - '!enable_authselect' + - '!ensure_almalinux_gpgkey_installed' + - '!ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' + - '!file_groupowner_user_cfg' + - '!file_owner_user_cfg' + - '!file_permissions_sudo' + - '!file_permissions_user_cfg' + - '!grub2_enable_apparmor' + - 
'!kernel_config_arm64_sw_ttbr0_pan' + - '!kernel_config_gcc_plugin_latent_entropy' + - '!kernel_config_gcc_plugin_randstruct' + - '!kernel_config_gcc_plugin_stackleak' + - '!kernel_config_gcc_plugin_structleak_byref_all' + - '!kernel_config_gcc_plugin_structleak' + - '!kernel_config_legacy_vsyscall_emulate' + - '!kernel_config_modify_ldt_syscall' + - '!kernel_config_refcount_full' + - '!kernel_config_slab_merge_default' + - '!ldap_client_start_tls' + - '!ldap_client_tls_cacertpath' + - '!no_nis_in_nsswitch' + - '!package_apparmor_installed' + - '!package_dnf-automatic_installed' + - '!package_dracut-fips-aesni_installed' + - '!package_pam_apparmor_installed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!sebool_secure_mode_insmod' + - '!timer_dnf-automatic_enabled' diff --git a/products/sle16/profiles/anssi_bp28_intermediary.profile b/products/sle16/profiles/anssi_bp28_intermediary.profile new file mode 100644 index 000000000000..5fbf1d3ee013 --- /dev/null +++ b/products/sle16/profiles/anssi_bp28_intermediary.profile 
@@ -0,0 +1,76 @@ +--- +documentation_complete: true + +metadata: + SMEs: + - svet-se + - teacup-on-rockingchair + +title: 'ANSSI-BP-028 (intermediary)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system + +selections: + - anssi:all:intermediary + - var_multiple_time_servers=suse + - var_multiple_time_pools=suse + - var_sudo_dedicated_group=root + - accounts_password_pam_pwhistory_remember + - set_password_hashing_min_rounds_logindefs + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_ocredit' + - '!cracklib_accounts_password_pam_ucredit' + - '!accounts_password_pam_unix_rounds_system_auth' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!accounts_passwords_pam_tally2' + - '!aide_periodic_cron_checking' + - '!all_apparmor_profiles_enforced' + - '!apparmor_configured' + - '!audit_rules_immutable' + - '!dnf-automatic_apply_updates' + - '!dnf-automatic_security_updates_only' + - '!enable_authselect' + - '!ensure_almalinux_gpgkey_installed' + - '!ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' + - '!file_groupowner_user_cfg' + - '!file_owner_user_cfg' + - '!file_permissions_sudo' + - '!file_permissions_user_cfg' + - '!grub2_enable_apparmor' + - 
'!kernel_config_arm64_sw_ttbr0_pan' + - '!kernel_config_gcc_plugin_latent_entropy' + - '!kernel_config_gcc_plugin_randstruct' + - '!kernel_config_gcc_plugin_stackleak' + - '!kernel_config_gcc_plugin_structleak_byref_all' + - '!kernel_config_gcc_plugin_structleak' + - '!kernel_config_legacy_vsyscall_emulate' + - '!kernel_config_modify_ldt_syscall' + - '!kernel_config_refcount_full' + - '!kernel_config_slab_merge_default' + - '!ldap_client_start_tls' + - '!ldap_client_tls_cacertpath' + - '!no_nis_in_nsswitch' + - '!package_apparmor_installed' + - '!package_dnf-automatic_installed' + - '!package_dracut-fips-aesni_installed' + - '!package_pam_apparmor_installed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!sebool_secure_mode_insmod' + - '!timer_dnf-automatic_enabled' diff --git a/products/sle16/profiles/anssi_bp28_minimal.profile b/products/sle16/profiles/anssi_bp28_minimal.profile new file mode 100644 index 000000000000..441229a07086 --- /dev/null +++ b/products/sle16/profiles/anssi_bp28_minimal.profile 
@@ -0,0 +1,76 @@ +--- +documentation_complete: true + +metadata: + SMEs: + - svet-se + - teacup-on-rockingchair + +title: 'ANSSI-BP-028 (minimal)' + +description: |- + This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + An English version of the ANSSI-BP-028 can also be found at the ANSSI website: + https://messervices.cyber.gouv.fr/guides/en-configuration-recommendations-gnulinux-system + +selections: + - anssi:all:minimal + - var_multiple_time_servers=suse + - var_multiple_time_pools=suse + - var_sudo_dedicated_group=root + - accounts_password_pam_pwhistory_remember + - set_password_hashing_min_rounds_logindefs + - '!cracklib_accounts_password_pam_dcredit' + - '!cracklib_accounts_password_pam_lcredit' + - '!cracklib_accounts_password_pam_minlen' + - '!cracklib_accounts_password_pam_ocredit' + - '!cracklib_accounts_password_pam_ucredit' + - '!accounts_password_pam_unix_rounds_system_auth' + - '!accounts_passwords_pam_tally2_deny_root' + - '!accounts_passwords_pam_tally2_unlock_time' + - '!accounts_passwords_pam_tally2' + - '!aide_periodic_cron_checking' + - '!all_apparmor_profiles_enforced' + - '!apparmor_configured' + - '!audit_rules_immutable' + - '!dnf-automatic_apply_updates' + - '!dnf-automatic_security_updates_only' + - '!enable_authselect' + - '!ensure_almalinux_gpgkey_installed' + - '!ensure_oracle_gpgkey_installed' + - '!ensure_redhat_gpgkey_installed' + - '!file_groupowner_user_cfg' + - '!file_owner_user_cfg' + - '!file_permissions_sudo' + - '!file_permissions_user_cfg' + - '!grub2_enable_apparmor' + - 
'!kernel_config_arm64_sw_ttbr0_pan' + - '!kernel_config_gcc_plugin_latent_entropy' + - '!kernel_config_gcc_plugin_randstruct' + - '!kernel_config_gcc_plugin_stackleak' + - '!kernel_config_gcc_plugin_structleak_byref_all' + - '!kernel_config_gcc_plugin_structleak' + - '!kernel_config_legacy_vsyscall_emulate' + - '!kernel_config_modify_ldt_syscall' + - '!kernel_config_refcount_full' + - '!kernel_config_slab_merge_default' + - '!ldap_client_start_tls' + - '!ldap_client_tls_cacertpath' + - '!no_nis_in_nsswitch' + - '!package_apparmor_installed' + - '!package_dnf-automatic_installed' + - '!package_dracut-fips-aesni_installed' + - '!package_pam_apparmor_installed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' + - '!package_ypbind_removed' + - '!package_ypserv_removed' + - '!sebool_secure_mode_insmod' + - '!timer_dnf-automatic_enabled' diff --git a/products/slmicro5/profiles/stig.profile b/products/slmicro5/profiles/stig.profile index f5024ff753bd..33560c324eee 100644 --- a/products/slmicro5/profiles/stig.profile +++ b/products/slmicro5/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R2 + version: V1R3 SMEs: - svet-se - rumch-se @@ -13,7 +13,7 @@ title: 'DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5 V1R2. + DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5 V1R3. selections: - stig_slmicro5:all diff --git a/products/ubuntu2204/profiles/default.profile b/products/ubuntu2204/profiles/default.profile index 982095129892..54a33e3d1ac9 100644 --- a/products/ubuntu2204/profiles/default.profile +++ b/products/ubuntu2204/profiles/default.profile 
@@ -582,8 +582,7 @@ selections: - sudo_add_use_pty - sudo_custom_logfile - sudo_remove_no_authenticate - - sudo_require_authentication - - sudo_require_reauthentication + - sudo_remove_nopasswd - sysctl_fs_suid_dumpable - sysctl_kernel_dmesg_restrict - sysctl_kernel_randomize_va_space diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile index 0a7b4bf2fb2e..ccc40b0a53b3 100644 --- a/products/ubuntu2204/profiles/stig.profile +++ b/products/ubuntu2204/profiles/stig.profile @@ -2,7 +2,7 @@ documentation_complete: true metadata: - version: V2R3 + version: V2R7 SMEs: - mpurg - dodys @@ -11,11 +11,11 @@ metadata: reference: https://www.cyber.mil/stigs/downloads -title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R3' +title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R7' description: |- This profile contains configuration checks that align to the - DISA STIG for Canonical Ubuntu 22.04 LTS V2R3. + DISA STIG for Canonical Ubuntu 22.04 LTS V2R7. selections: - stig_ubuntu2204:all diff --git a/pyproject.toml b/pyproject.toml index 3acf91a4a68b..6290304e2901 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -11,7 +11,7 @@ dependencies = [ "Jinja2", "setuptools" ] -requires-python = ">= 3" +requires-python = ">=3.6" maintainers = [ {name = "Gabriel Gaspar Becker", email = "ggasparb@redhat.com"}, {name = "Jan Cerny", email = "jcerny@redhat.com"}, diff --git a/requirements.txt b/requirements.txt index bcca1c6c2aaf..5c95ce49307e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,6 +15,6 @@ pycompliance prometheus_client # used in utils/oscal requests -compliance-trestle==3.11.0 +compliance-trestle==3.12.0 pyopenssl>=23.2.0 pcre2 diff --git a/ruff.toml b/ruff.toml index d5e89e0e13c1..266d8054ff15 100644 --- a/ruff.toml +++ b/ruff.toml 
@@ -1,9 +1,10 @@ line-length = 99 indent-width = 4 -target-version = "py39" +target-version = "py37" [lint] select = [ + "B", # flake8-bugbear "F", # Pyflakes "E", # pycodestyle "W", # pycodestyle diff --git a/shared/applicability/oval/installed_app_is_bascontrol22d4.xml b/shared/applicability/oval/installed_app_is_bascontrol22d4.xml new file mode 100644 index 000000000000..bef7e8324fea --- /dev/null +++ b/shared/applicability/oval/installed_app_is_bascontrol22d4.xml @@ -0,0 +1,28 @@ +<def-group> + <definition class="inventory" + id="installed_app_is_bascontrol22d" version="4"> + <metadata> + <title>Mozilla Firefox + + Mozilla Firefox + + + The application installed on the system is firefox. + + + + + + + + + + + + firefox + + + diff --git a/shared/checks/oval/audit_rules_auditctl.xml b/shared/checks/oval/audit_rules_auditctl.xml index b08adf438882..27a4e5489599 100644 --- a/shared/checks/oval/audit_rules_auditctl.xml +++ b/shared/checks/oval/audit_rules_auditctl.xml @@ -18,7 +18,7 @@ -{{% if product in ['rhel10', 'ol10'] %}} +{{% if product in ['fedora', 'rhel10', 'ol10'] %}} /usr/lib/systemd/system/audit-rules.service ^ExecStart=\/sbin\/auditctl.*$ {{% else %}} diff --git a/shared/checks/oval/audit_rules_augenrules.xml b/shared/checks/oval/audit_rules_augenrules.xml index 7d651e43a0fb..7533f88e2866 100644 --- a/shared/checks/oval/audit_rules_augenrules.xml +++ b/shared/checks/oval/audit_rules_augenrules.xml @@ -18,7 +18,7 @@ - {{% if product in ['rhel10', 'ol10'] %}} + {{% if product in ['fedora', 'rhel10', 'ol10'] %}} /usr/lib/systemd/system/audit-rules.service ^ExecStart=(\/usr|)?\/sbin\/augenrules.*$ {{% else %}} diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 33417159b0a1..69ed975ad8c4 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
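Review bot: the new file shared/applicability/oval/installed_app_is_bascontrol22d4.xml carries Firefox's content: its title and description read "Mozilla Firefox" and "The application installed on the system is firefox." and the object it tests for is `firefox`, while the definition id is `installed_app_is_bascontrol22d`. As written, the bascontrol22d platform would be treated as installed on any host that has Firefox. Replace the metadata and the tested object with the real detection for that product. The file name (`...bascontrol22d4.xml`) also does not match the definition id (`installed_app_is_bascontrol22d`, `version="4"`); the trailing `4` should be in both or in neither.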
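Review bot: in audit_rules_auditctl.xml the pattern `^ExecStart=\/sbin\/auditctl.*$` accepts only `/sbin/auditctl`, while the augenrules counterpart in the next hunk accepts `(\/usr|)?\/sbin\/augenrules`. Fedora, newly added to both product lists, has a merged /usr where `/sbin` is a symlink to `/usr/sbin`, so a unit written with `/usr/sbin/auditctl` would fail the auditctl check although it loads rules in exactly the same way. Make the auditctl regex accept the optional `/usr` prefix as the augenrules one does.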
@@ -198,7 +198,7 @@ value: :code:`Setting={{ varname1 }}` (but case-sensitive values). We also specify the validation program here; -t specifies test and -f allows Ansible to pass a file at a different path. - Set set a parameter in /etc/sshd_config or /etc/ssh/sshd_config.d/ + Set a parameter in ``sshd_main_config_file`` or ``sshd_config_dir``. :parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead :type msg: str @@ -206,17 +206,20 @@ value: :code:`Setting={{ varname1 }}` :type parameter: str :parameter value: The value to set :type value: str -:parameter config_is_distributed: If true, will ok look in /etc/ssh/sshd_config.d +:parameter config_is_distributed: If true, use ``sshd_config_dir`` for configuration :type config_is_distributed: str :parameter config_basename: Filename of configuration file when using distributed configuration :type config_basename: str #}} -{{%- macro ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="00-complianceascode-hardening.conf", rule_title=None) %}} +{{%- macro ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="", rule_title=None) %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{% if product in ["ol8", "ol9"] %}} - name: "Find sshd_config included files" ansible.builtin.shell: |- - included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|') + included_files=$(grep -oP "^\s*(?i)include.*" {{{ sshd_main_config }}} | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|{{{ sshd_base_dir }}}/&|') [[ -n $included_files ]] && ls $included_files || true register: sshd_config_included_files 
@@ -229,9 +232,10 @@ value: :code:`Setting={{ varname1 }}` {{% endif %}} {{%- if config_is_distributed == "true" %}} -{{% set config_dir = "/etc/ssh/sshd_config.d" %}} -{{% set config_file = "/etc/ssh/sshd_config.d" ~ "/" ~ config_basename %}} -{{{ ansible_set_config_file_dir(msg, config_file="/etc/ssh/sshd_config", config_dir=config_dir, set_file=config_file, parameter=parameter, separator_regex="\s+", value=value, prefix_regex="(?i)^\s*", create='yes', validate='/usr/sbin/sshd -t -f %s', insert_after='', insert_before="BOF", rule_title=rule_title) }}} +{{% set hardening_config_basename = config_basename or sshd_hardening_config_basename %}} +{{% set config_dir = sshd_drop_in_dir %}} +{{% set config_file = sshd_drop_in_dir ~ "/" ~ hardening_config_basename %}} +{{{ ansible_set_config_file_dir(msg, config_file=sshd_main_config, config_dir=config_dir, set_file=config_file, parameter=parameter, separator_regex="\s+", value=value, prefix_regex="(?i)^\s*", create='yes', validate='/usr/sbin/sshd -t -f %s', insert_after='', insert_before="BOF", rule_title=rule_title) }}} - name: {{{ rule_title }}} - set file mode for {{{ config_file }}} ansible.builtin.file: path: {{{ config_file }}} @@ -240,7 +244,7 @@ value: :code:`Setting={{ varname1 }}` modification_time: preserve access_time: preserve {{%- else %}} -{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="BOF", rule_title=rule_title) }}} +{{{ ansible_set_config_file(msg, sshd_main_config, parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="BOF", rule_title=rule_title) }}} {{%- endif %}} {{%- endmacro %}} 
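Review bot: `ansible_sshd_set` now resolves `sshd_main_config_file`, `sshd_config_dir`, `sshd_config_base_dir` and `sshd_hardening_config_basename` from template globals, but this patch does not show them being defined for any product; a product that lacks them either fails to render or, with a non-strict Undefined, ends up writing to `/` followed by the basename and validating an empty path. Either give each a fallback where it is read, e.g. `{{%- set sshd_main_config = sshd_main_config_file | default('/etc/ssh/sshd_config') -%}}`, or state in the macro docstring that every product.yml must define all four. The `:parameter config_basename:` docstring should also say that the new empty default falls back to `sshd_hardening_config_basename`, which is what the `config_basename or sshd_hardening_config_basename` line implements.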
@@ -2353,3 +2357,154 @@ Part of the grub2_bootloader_argument_absent template. ansible.builtin.shell: find /etc/rsyslog.d -type f -name "*.conf" -exec sed -i '/^{{{ start_pattern }}}/,/{{{ end_pattern }}}/d' {} + changed_when: true {{%- endmacro -%}} + +{{# +Macro for enabling dconf user profile in /etc/dconf/profile/ + +The macro adds the following lines to the profile: +--- +user-db:user +system-db: +--- +If the profile exists but does not contain the above lines, the +lines will be inserted at the beginning of the profile. + +:param profile: name of dconf profile (e.g. user, gdm) +:type profile: str +:param database: name of dconf database (e.g. local, gdm) +:type database: str +#}} +{{% macro ansible_enable_dconf_user_profile(profile, database) -%}} + +- name: "Configure GNOME3 DConf User Profile" + ansible.builtin.lineinfile: + path: "/etc/dconf/profile/{{{ profile }}}" + line: "{{ item }}" + create: yes + state: present + loop: + - "user-db:user" + - "system-db:{{{ database }}}" + register: dconf_user_profile_blockinfile + +- name: Dconf Update + ansible.builtin.command: dconf update + when: dconf_user_profile_blockinfile is changed +{{%- endmacro -%}} + + +{{# + + Set a sshd configuration parameter to a value for system with /usr - located default config + +:parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead +:type msg: str +:parameter parameter: Parameter to set +:type parameter: str +:parameter value: The value to set +:type value: str +:param copy_defaults: If true default sshd configuration in /usr/etc/ssh/sshd_config will be +copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist +:type copy_defaults: bool +:parameter config_basename: drop-in filename of sshd configuration file +:type config_basename: str + +#}} +{{%- macro ansible_sshd_set_usr(msg='', parameter='', value='', copy_defaults=true, config_basename="00-complianceascode-hardening.conf", rule_title=None) %}} +{{%- set 
sshd_config_path = "/etc/ssh/sshd_config" %}} +{{%- set sshd_usr_config_path = "/usr/etc/ssh/sshd_config" %}} +{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_usr_config_dir = "/usr/etc/ssh/sshd_config.d" -%}} +{{%- set ssh_paths = ['/etc/ssh/sshd_config.d', '/usr/etc/ssh/sshd_config.d'] -%}} +{{%- set config_file = "/etc/ssh/sshd_config.d/" ~ config_basename -%}} +{{%- set new_line = parameter + ' ' + value -%}} +{{%- set line_regex = "(?i)^\s*" + "{{ \"" + parameter + "\"| regex_escape }}" + "\s+" -%}} +{{%- set dir_parameter = "sshd_config_d_has_parameter" -%}} +{{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}} + +- name: {{{ rule_title }}} - Copy default {{{ sshd_usr_config_path }}} to {{{ sshd_config_path }}} + ansible.builtin.copy: + src: {{{ sshd_usr_config_path }}} + dest: {{{ sshd_config_path }}} + force: no + mode: '0600' +- name: {{{ rule_title }}} - Check if the parameter {{{ parameter }}} is configured in sshd configuration(s) + ansible.builtin.find: + paths: + - '/etc/ssh' + - '/usr/etc/ssh' + - {{{ sshd_config_dir }}} + - {{{ sshd_usr_config_dir }}} + contains: {{{ line_regex }}} + patterns: + - '*.conf' + - 'sshd_config' + register: _sshd_config_has_parameter +- name: {{{ rule_title }}} - Check if the parameter {{{ parameter }}} is configured correctly in sshd configuration(s) + ansible.builtin.find: + paths: + - '/etc/ssh' + - '/usr/etc/ssh' + - {{{ sshd_config_dir }}} + - {{{ sshd_usr_config_dir }}} + contains: {{{ line_regex ~ value ~ "$" }}} + patterns: + - '*.conf' + - 'sshd_config' + register: _sshd_config_correctly +- name: '{{{ msg or rule_title }}}' + block: + {{{ ansible_lineinfile( + "Deduplicate values from " + sshd_config_path, + sshd_config_path, + regex=line_regex, + insensitive='false', + create='no', + state='absent')|indent }}} + {{{ ansible_lineinfile( + "Deduplicate values from " + sshd_usr_config_path, + sshd_usr_config_path, + regex=line_regex, + insensitive='false', + create='no', + 
state='absent')|indent }}} + - name: "{{{ rule_title }}} - Check if the parameter {{{ parameter }}} is present in {{{ sshd_config_dir }}} and in {{{ sshd_usr_config_dir }}}" + ansible.builtin.find: + paths: {{{ ssh_paths }}} + recurse: 'yes' + follow: 'no' + contains: '(?i)^\s*{{ "{{{ parameter }}}"| regex_escape }}\s+' + register: {{{ dir_parameter }}} + {{{ ansible_lineinfile( + "Remove parameter from files in " + sshd_config_dir, + path="{{ item.path }}", + regex=line_regex, + state="absent", + with_items=lineinfile_items)|indent}}} + {{{ ansible_lineinfile( + "Remove parameter from files in " + sshd_usr_config_dir, + path="{{ item.path }}", + regex=line_regex, + state="absent", + with_items=lineinfile_items)|indent }}} + {{{ ansible_lineinfile( + "Insert correct line to " + config_file, + config_file, + regex=line_regex, + insensitive='false', + new_line=new_line, + create='yes', + state='present', + validate='/usr/sbin/sshd -t -f %s', + insert_after='', + insert_before="BOF" )|indent }}} + when: _sshd_config_correctly.matched == 0 or _sshd_config_has_parameter.matched != 1 + +- name: {{{ rule_title }}} - set file mode for {{{ config_file }}} + ansible.builtin.file: + path: {{{ config_file }}} + mode: '0600' + state: touch + modification_time: preserve + access_time: preserve +{{%- endmacro %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7a92cfd8cdb7..f41a8eb87bf2 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -173,8 +173,9 @@ test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" #}} {{%- macro bash_sshd_config_set(parameter, value, rule_id=None) -%}} +{{%- set sshd_config_path = sshd_main_config_file -%}} {{{ set_config_file( - path="/etc/ssh/sshd_config", + path=sshd_config_path, parameter=parameter, value=value, create=true, 
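Review bot: in `ansible_sshd_set_usr` the "Copy default /usr/etc/ssh/sshd_config" task uses `ansible.builtin.copy` with `src: /usr/etc/ssh/sshd_config` but no `remote_src: yes`, so Ansible looks for that file on the control node rather than on the managed host and the task fails (or copies the wrong file) on every run; add `remote_src: yes`. The documented `copy_defaults` parameter is never referenced, so the copy always runs; gate the task on it or drop the parameter. The two "Remove parameter from files in ..." tasks both iterate `sshd_config_d_has_parameter.files`, which the preceding `find` over `ssh_paths` already filled from both directories, so the second task is a duplicate. The block also edits `/usr/etc/ssh/sshd_config` and `/usr/etc/ssh/sshd_config.d` in place; those are vendor defaults that come back on the next package update and cannot be changed on a read-only /usr, so ask whether they need touching at all once the drop-in is written at BOF under `/etc/ssh/sshd_config.d`, given that sshd uses the first value it obtains for a keyword. In `ansible_enable_dconf_user_profile`, the docstring promises that missing lines are inserted at the beginning of an existing profile, but `lineinfile` without `insertbefore: BOF` appends them at the end; since dconf treats the first line of a profile as the writable database, either add `insertbefore: BOF` (and reverse the loop order so `user-db:user` ends up first) or correct the docstring. The register name `dconf_user_profile_blockinfile` for a `lineinfile` task is also misleading.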
@@ -201,14 +202,15 @@ test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" :type config_basename: str #}} -{{% macro bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="00-complianceascode-hardening.conf", rule_id=None) -%}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{% macro bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="", rule_id=None) -%}} +{{%- set sshd_config_path = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{% if product in ["ol8", "ol9"] %}} # Find the include keyword, extract from the line the glob expression representing included files. -# And if it is a relative path prepend '/etc/ssh/' -included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|') +# And if it is a relative path prepend '{{{ sshd_base_dir }}}/' +included_files=$(grep -oP "^\s*(?i)include.*" {{{ sshd_config_path }}} | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|{{{ sshd_base_dir }}}/&|') for included_file in ${included_files} ; do {{{ lineinfile_absent("$included_file", "^\s*" ~ parameter, insensitive=true, rule_id=rule_id) | indent(4) }}} done 
@@ -216,15 +218,15 @@ done {{%- if config_is_distributed == "true" %}} {{%- set prefix_regex = "^\s*" -%}} {{%- set separator_regex = "\s\+" -%}} -{{%- set hardening_config_basename = config_basename %}} +{{%- set hardening_config_basename = config_basename or sshd_hardening_config_basename %}} {{%- set line_regex = prefix_regex ~ parameter ~ separator_regex %}} -mkdir -p {{{ sshd_config_dir }}} -touch {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} -chmod 0600 {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} +mkdir -p {{{ sshd_drop_in_dir }}} +touch {{{ sshd_drop_in_dir }}}/{{{ hardening_config_basename }}} +chmod 0600 {{{ sshd_drop_in_dir }}}/{{{ hardening_config_basename }}} {{{ lineinfile_absent(sshd_config_path, line_regex, insensitive=true, rule_id=rule_id) }}} -{{{ lineinfile_absent_in_directory(sshd_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} +{{{ lineinfile_absent_in_directory(sshd_drop_in_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} {{{ set_config_file( - path=sshd_config_dir ~ "/" ~ hardening_config_basename, + path=sshd_drop_in_dir ~ "/" ~ hardening_config_basename, parameter=parameter, value=value, create=true, @@ -500,7 +502,9 @@ fi {{%- elif pkg_manager == "apt_get" -%}} DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 remove -y "{{{ package }}}" {{%- elif pkg_manager == "zypper" -%}} -zypper remove -y "{{{ package }}}" +if rpm -q --quiet "{{{ package }}}" ; then + zypper remove -y "{{{ package }}}" +fi {{%- else -%}} {{{ die("Can't generate a remediation for " + pkg_manager) }}} {{%- endif -%}} 
@@ -807,7 +811,7 @@ pam_file="/etc/pam.d/common-auth" if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then {{% if product in ['sle15', 'sle16'] %}} # insert before pam_unix.so - sed -i --follow-symlinks '/^auth.*required.*pam_unix\.so.*/i auth required pam_faillock.so preauth' "$pam_file" + sed -i --follow-symlinks '/^auth.*pam_unix\.so.*/i auth required pam_faillock.so preauth' "$pam_file" {{% else %}} # insert at the top sed -i --follow-symlinks '/^# here are the per-package modules/i auth required pam_faillock.so preauth' "$pam_file" @@ -844,6 +848,19 @@ if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then echo 'account required pam_faillock.so' >> "$pam_file" {{% endif %}} fi + +{{% if product in ['sle15', 'sle16'] %}} +{{{ + bash_ensure_pam_module_configuration( + '/etc/pam.d/common-auth', + 'auth', + '\[success=1 default=ignore\]', + 'pam_unix.so', + '', + '', + '') +}}} +{{% endif %}} {{% elif 'ubuntu' in product %}} conf_name=cac_faillock 
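Review bot: the new `bash_ensure_pam_module_configuration` call rewrites the `pam_unix.so` auth line to `[success=1 default=ignore]`, which is only correct if exactly one module, the `pam_faillock.so authfail` entry, sits directly after `pam_unix.so`: `success=1` skips one line whatever it is. Nothing in this hunk enforces that order, and if `pam_unix.so` was `sufficient` rather than `required` before, a successful password used to end the auth stack and now falls through into whatever follows. Check the line after `pam_unix.so` before changing its control, or insert the authfail line in the same step. The loosened sed address `/^auth.*pam_unix\.so.*/i` (needed now that the control is no longer `required` on a second run) also inserts `preauth` before every matching line, so a common-auth with two `pam_unix.so` auth entries gets two preauth lines.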
@@ -2253,23 +2270,23 @@ for f in $(echo -n "{{{ files }}}"); do fi # find key in section and change value - if grep -qzosP "[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then - if ! grep -qPz "{{{ key }}}={{{ value }}}" "$f"; then + if grep -qzosP "(?m)^[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then + if ! grep -qzosP "(?m)^[[:space:]]*{{{ key }}}[[:space:]]*=[[:space:]]*{{{ value }}}" "$f"; then {{% if no_quotes %}} - sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}}={{{ value | replace("/", "\/") }}}/" "$f" + sed -i "/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1{{{ value | replace("/", "\/") }}}/" "$f" {{% else %}} - sed -i 's/{{{ key }}}[^(\n)]*/{{{ key }}}="{{{ value | replace("/", "\/") }}}"/' "$f" + sed -i '/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1"{{{ value | replace("/", "\/") }}}"/' "$f" {{% endif %}} fi found=true # find section and add key = value to it - elif grep -qs "[[:space:]]*\[{{{ section }}}\]" "$f"; then + elif grep -qs "^[[:space:]]*\[{{{ section }}}\]" "$f"; then {{% if no_quotes %}} - sed -i "/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f" + sed -i "/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f" {{% else %}} - sed -i '/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f" + sed -i '/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f" {{% endif %}} found=true fi 
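Review bot: the new value test `grep -qzosP "(?m)^[[:space:]]*{{{ key }}}[[:space:]]*=[[:space:]]*{{{ value }}}"` has no end anchor and is not scoped to `[{{{ section }}}]`, so it reports "already set" on a prefix match (value `1` against `10`) or when the same key carries that value in a different section, and the rewrite is skipped. The sed address `/^[[:space:]]*{{{ key }}}/` has the mirror problem: it rewrites every line in the file that begins with the key, including longer keys that share the prefix and the same key under other sections. Anchor both on the separator and the line end, e.g. `/^[[:space:]]*{{{ key }}}[[:blank:]]*=/` for sed and `...{{{ value }}}[[:space:]]*$` for grep, and escape `key` and `value` for use in a regex; `replace("/", "\/")` only protects the sed delimiter.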
@@ -2746,3 +2763,53 @@ This macro creates a Bash conditional which checks the system architecture in /p {{%- macro bash_arch_conditional(arch) -%}} ( grep -sqE "^.*\.{{{ arch }}}$" /proc/sys/kernel/osrelease || grep -sqE "^{{{ arch }}}$" /proc/sys/kernel/arch; ) {{%- endmacro -%}} + + +{{# + Set a sshd configuration parameter to a value for system with default configuration in /usr subdir + +:parameter parameter: Parameter to set +:type parameter: str +:parameter value: The value to set +:type value: str +:param copy_defaults: If true default sshd configuration in /usr/etc/ssh/sshd_config will be +copied onto /etc/ssh/sshd_config, if /etc/ssh/sshd_config does not exist +:type copy_defaults: bool +:parameter config_basename: drop-in filename of sshd configuration file +:type config_basename: str + +#}} +{{% macro bash_sshd_remediation_usr(parameter, value, copy_defaults="true", config_basename="00-complianceascode-hardening.conf", rule_id=None) -%}} +{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} +{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_usr_config_path = "/usr/etc/ssh/sshd_config" %}} +{{%- set sshd_usr_config_dir = "/usr/etc/ssh/sshd_config.d" -%}} +{{%- set prefix_regex = "^\s*" -%}} +{{%- set separator_regex = "\s\+" -%}} +{{%- set hardening_config_basename = config_basename %}} +{{%- set line_regex = prefix_regex ~ parameter ~ separator_regex %}} + +if ! 
[ -e "{{{ sshd_config_path }}}" ] ; then + cp "{{{ sshd_usr_config_path }}}" "{{{ sshd_config_path }}}" +fi + +mkdir -p {{{ sshd_config_dir }}} +touch {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} +chmod 0600 {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} +{{{ lineinfile_absent(sshd_config_path, line_regex, insensitive=true, rule_id=rule_id) }}} +{{{ lineinfile_absent_in_directory(sshd_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} +{{{ lineinfile_absent(sshd_usr_config_path, line_regex, insensitive=true, rule_id=rule_id) }}} +{{{ lineinfile_absent_in_directory(sshd_usr_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} +{{{ set_config_file( + path=sshd_config_dir ~ "/" ~ hardening_config_basename, + parameter=parameter, + value=value, + create=true, + insert_after="", + insert_before="BOF", + insensitive=true, + separator=" ", + separator_regex=separator_regex, + prefix_regex=prefix_regex, rule_id=rule_id) + }}} +{{%- endmacro %}} diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 1ecca316fe66..ebba0ef3a26b 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -233,10 +233,12 @@ The audit daemon must be restarted for the changes to take effect. #}} {{%- macro fixtext_sshd_lineinfile(parameter, value, config_is_distributed) -%}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename -%}} {{%- if config_is_distributed -%}} -{{%- set path = "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" -%}} +{{%- set path = sshd_hardening_config -%}} {{%- else -%}} -{{%- set path = "/etc/ssh/sshd_config" -%}} +{{%- set path = sshd_main_config -%}} {{%- endif -%}} To configure the system add or modify the following line in "{{{ path }}}". diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index ab94d0956921..76759bdde775 100644 
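Review bot: in `bash_sshd_remediation_usr` the `copy_defaults` parameter is documented but never read, so the `cp` of `/usr/etc/ssh/sshd_config` always runs when `/etc/ssh/sshd_config` is missing; gate it with `{{% if copy_defaults == "true" %}}` or drop the parameter. The copied file gets umask-derived permissions, whereas the Ansible twin sets `mode: '0600'`; use `install -m 0600` or add a `chmod 0600` after the `cp`. The `lineinfile_absent` calls against `/usr/etc/ssh/sshd_config` and `/usr/etc/ssh/sshd_config.d` edit vendor-owned defaults that the next package update restores and that a read-only /usr rejects outright; given the remediation now guarantees an `/etc/ssh/sshd_config` and a drop-in at the top of `/etc/ssh/sshd_config.d`, is touching /usr/etc needed for sshd to pick up the new value? This macro also hardcodes all four paths while `bash_sshd_remediation` in the same file was just moved to `sshd_main_config_file` and `sshd_config_dir`.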
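Review bot: `fixtext_sshd_lineinfile` branches on `{{%- if config_is_distributed -%}}` while every other sshd macro in this patch compares `config_is_distributed == "true"`; a caller passing the string `"false"` makes this branch truthy, so the fix text names the drop-in file instead of the main config. Use the same `== "true"` comparison here.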
--- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -26,10 +26,12 @@ $ oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ n {{% macro sshd_config_file() %}} + {{% set sshd_main_config = sshd_main_config_file %}} + {{% set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename %}} {{% if sshd_distributed_config == "true" %}} - /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: + {{{ sshd_hardening_config }}}: {{% else %}} - /etc/ssh/sshd_config: + {{{ sshd_main_config }}}: {{% endif %}} {{%- endmacro %}} @@ -509,14 +511,17 @@ ocil_clause: "the required value is not set" #}} {{% macro ocil_sshd_option(default, option, value) -%}} + {{% set sshd_main_config = sshd_main_config_file %}} + {{% set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename %}} + {{% set sshd_reinforce_defaults_config = sshd_config_dir ~ "/01-complianceascode-reinforce-os-defaults.conf" %}} To determine how the SSH daemon's {{{ option }}} option is set, run the following command: {{% if sshd_distributed_config == "true" %}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+
$ sudo grep -i {{{ option }}} {{{ sshd_hardening_config }}}
{{% if default == "yes" -%}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+
$ sudo grep -i {{{ option }}} {{{ sshd_reinforce_defaults_config }}}
{{%- endif %}} {{% else %}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config
+
$ sudo grep -i {{{ option }}} {{{ sshd_main_config }}}
{{% endif %}} If a line indicating {{{ value }}} is returned, then the required value is set. {{%- endmacro %}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 6466728189db..784d659e94fd 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1034,16 +1034,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo #}} {{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_main_config = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{%- set sshd_runtime_path = "/tmp/runtime/sshd_effective_config" -%}} {{%- if xccdf_variable -%}} -{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_main_config %}} {{%- else -%}} -{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_config_path %}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_main_config %}} {{%- endif -%}} {{%- if config_is_distributed == "true" %}} -{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_drop_in_dir -%}} {{%- endif %}} {{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} 
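Review bot: in `ocil_sshd_option`, `sshd_reinforce_defaults_config` still hardcodes `01-complianceascode-reinforce-os-defaults.conf` under `sshd_config_dir` while the hardening file name now comes from `sshd_hardening_config_basename`; a product that overrides one basename will get guidance that names two files from different naming schemes. Either add a matching product variable for the reinforce file or derive its name from the hardening one. The same three `set` lines for `sshd_main_config` and `sshd_hardening_config` are now repeated in `sshd_config_file`, `ocil_sshd_option`, `fixtext_sshd_lineinfile` and `sshd_oval_check`; defining them once at file scope would remove the duplication.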
@@ -1081,10 +1082,10 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endif %}} {{%- if runtime_check != "true" %}} - - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} + + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} {{%- if config_is_distributed == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} + {{{- oval_line_in_directory_criterion(sshd_drop_in_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} {{%- endif %}} {{% if product in ["ol8", "ol9"] %}} {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} @@ -1105,11 +1106,11 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{% if product in ["ol8", "ol9"] %}} - {{{ oval_line_in_file_object(sshd_config_path, parameter="include", id_stem="sshd_include_value_" ~ rule_id, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_object(sshd_main_config, parameter="include", id_stem="sshd_include_value_" ~ rule_id, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} - ^(/etc/ssh/(?!/))? + ^({{{ sshd_base_dir }}}/(?!/))? 
@@ -1136,8 +1137,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} - {{{ oval_line_in_file_test(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} - {{{ oval_line_in_file_object(sshd_config_path, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_test(sshd_main_config, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_file_object(sshd_main_config, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} {{%- if xccdf_variable -%}} {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype, rule_id=rule_id) }}} {{%- else -%}} @@ -1145,8 +1146,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endif -%}} {{%- if config_is_distributed == "true" %}} - {{{ oval_line_in_directory_test(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} - {{{ oval_line_in_directory_object(sshd_config_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} + {{{ oval_line_in_directory_test(sshd_drop_in_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_directory_object(sshd_drop_in_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} {{%- if xccdf_variable -%}} {{{ oval_line_in_directory_state_xccdf_variable(xccdf_variable, datatype, rule_id=rule_id) | indent (2) }}} {{%- else -%}} @@ -1878,3 +1879,150 @@ Macro generates an OVAL test definition to verify that a specified audit tool is
{{%- endmacro -%}} + + +{{# + Create a full OVAL check for an sshd parameter and value in /etc/ssh/sshd_config or /usr/etc/ssh/sshd_config. + Including /etc/ssh/sshd_config.d/*.conf and /usr/etc/ssh/sshd_config.d/*.conf (default on SUSE Linux Enterprise Server 16) + +:param parameter: Parameter to check +:type parameter: str +:param value: Value to check +:type value: str +:param missing_parameter_pass: If true, the check will pass if the parameter missing. +:type missing_parameter_pass: bool +:param xccdf_variable: the name of an XCCDF variable carrying the value, this conflicts with the value parameter +:type xccdf_variable: str +:param datatype: a data type of the value +:type datatype: str + +#}} +{{%- macro sshd_oval_check_usr(parameter, value, missing_parameter_pass, xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} +{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} +{{%- set sshd_usr_config_path = "/usr/etc/ssh/sshd_config" -%}} +{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_usr_config_dir = "/usr/etc/ssh/sshd_config.d" -%}} +{{%- if xccdf_variable -%}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} +{{%- else -%}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_config_path -%}} +{{%- endif -%}} +{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_usr_config_path -%}} +{{%- set description = description ~ " or in " ~ sshd_usr_config_dir -%}} +{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} + + + + {{{ oval_metadata(description, rule_title=rule_title) }}} + + + + + + + + + + + + + {{{ oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} + {{{ 
oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} + {{{ oval_line_in_file_criterion(sshd_usr_config_dir, parameter, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent(12) }}} + + {{%- if not missing_parameter_pass -%}} + + {{%- endif -%}} + + + + + + + + + + + {{{ oval_line_in_file_criterion(sshd_usr_config_path, parameter, avoid_conflicting=true, id_stem=rule_id ~ "_sshd_usr_config_path") | indent(12)}}} + {{{ oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} + {{{ oval_line_in_file_criterion(sshd_usr_config_dir, parameter, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent(12) }}} + + {{%- if not missing_parameter_pass -%}} + + {{%- endif -%}} + + + + + + + {{{ oval_config_file_exists_test(sshd_config_path, rule_id=rule_id) }}} + {{{ oval_config_file_exists_object(sshd_config_path, rule_id=rule_id) }}} + + {{{ oval_line_in_file_test(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_file_object(sshd_config_path, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + + {{{ oval_line_in_directory_test(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_directory_object(sshd_config_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} + {{%- if xccdf_variable -%}} + {{{ oval_line_in_file_define_variable(xccdf_variable, datatype) }}} + {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype, rule_id=rule_id) }}} + {{{ oval_line_in_directory_state_xccdf_variable(xccdf_variable, datatype, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_file_state_xccdf_variable(var_name=xccdf_variable, datatype=datatype, id_stem=rule_id ~ "_sshd_usr_config_path") | indent (2) }}} + {{{ oval_line_in_file_state_xccdf_variable(var_name=xccdf_variable, 
datatype=datatype, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent (2) }}} + {{%- else -%}} + {{{ oval_line_in_file_state(value, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_directory_state(value, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_file_state(value, id_stem=rule_id ~ "_sshd_usr_config_path") | indent (2) }}} + {{{ oval_line_in_file_state(value, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent (2) }}} + {{%- endif -%}} + + {{{ oval_line_in_file_test(sshd_usr_config_path, parameter, avoid_conflicting=true, id_stem=rule_id ~ "_sshd_usr_config_path") | indent (2) }}} + {{{ oval_line_in_file_object(sshd_usr_config_path, parameter=parameter, id_stem=rule_id ~ "_sshd_usr_config_path", ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_test(sshd_usr_config_dir, parameter, avoid_conflicting=true, id_stem=rule_id ~ "_sshd_usr_config_dir") | indent (2) }}} + {{{ oval_line_in_file_object(sshd_usr_config_dir, parameter=parameter, filename_regex=".*\.conf$", id_stem=rule_id ~ "_sshd_usr_config_dir", ** case_insensitivity_kwargs) | indent (2) }}} + + {{%- if not missing_parameter_pass -%}} + + + + obj_{{{ rule_id }}} + obj_{{{ rule_id }}}_config_dir + + + obj_{{{ rule_id }}}_sshd_usr_config_dir + + + + + + + + + + + + obj_{{{ rule_id }}}_config_dir + + + obj_{{{ rule_id }}}_sshd_usr_config_path + obj_{{{ rule_id }}}_sshd_usr_config_dir + + + + + + + + {{%- endif -%}} + +{{%- endmacro -%}} diff --git a/shared/macros/20-test-scenarios.jinja b/shared/macros/20-test-scenarios.jinja index 53bfe16e7338..87015c86b9f8 100644 --- a/shared/macros/20-test-scenarios.jinja +++ b/shared/macros/20-test-scenarios.jinja 
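Review bot: `sshd_oval_check_usr` treats `/etc/ssh/sshd_config.d/*.conf` and `/usr/etc/ssh/sshd_config.d/*.conf` as in effect in both branches, with and without `/etc/ssh/sshd_config` present, but sshd only reads those directories when the main file carries the matching `Include` directives. An administrator-written `/etc/ssh/sshd_config` with no `Include` line would have the drop-ins ignored by sshd while a value placed there still satisfies this check. State that assumption in the macro comment, or add an `Include` criterion the way the ol8/ol9 branch of `sshd_oval_check` does with its `sshd_config included` object. Minor: the four paths are hardcoded while `sshd_oval_check` in the same hunk series was just switched to `sshd_main_config_file` and `sshd_config_dir`, and the description string chains four " or in ..." clauses.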
@@ -15,6 +15,23 @@ This macro changes the configuration of the audit service so that it looks like {{%- endmacro -%}} +{{# +This macro changes the configuration of the audit service so that it looks like augenrules is used to load rules. +#}} + +{{%- macro setup_augenrules_environment () -%}} + {{% if product in ["fedora", "ol10", "rhel10"] %}} + sed -i "s%^ExecStart=.*%ExecStart=/sbin/augenrules%" /usr/lib/systemd/system/audit-rules.service + {{% else %}} + {{% if product == "sle15" %}} + sed -i "s%^#ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service + {{% else %}} + sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/augenrules%" /usr/lib/systemd/system/auditd.service + {{% endif %}} + {{% endif %}} +{{%- endmacro -%}} + + {{# This macro is used by pam_account_password_faillock template to initialize the external variable and parameter value to a desired state. diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index f1dff1792b67..3681684fcdf0 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,14 +1,9 @@ -CCE-86459-5 -CCE-86461-1 -CCE-86465-2 CCE-86466-0 CCE-86468-6 -CCE-86469-4 CCE-86482-7 CCE-86483-5 CCE-86484-3 CCE-86492-6 -CCE-86493-4 CCE-86494-2 CCE-86497-5 CCE-86498-3 @@ -2345,8 +2340,4 @@ CCE-90705-5 CCE-90706-3 CCE-90707-1 CCE-90710-5 -CCE-90711-3 CCE-90715-4 -CCE-90720-4 -CCE-90721-2 -CCE-90722-0 diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt index 85d8169d528f..f0e358f3e7e6 100644 --- a/shared/references/cce-sle16-avail.txt +++ b/shared/references/cce-sle16-avail.txt 
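Review bot: in `setup_augenrules_environment`, each `sed -i "s%^ExecStart...%..."` silently leaves the unit file untouched when its pattern does not match (a product outside the hard-coded `["fedora", "ol10", "rhel10"]` list that nevertheless ships audit-rules.service, or an SLE build where `ExecStartPost=` is not commented out, lands in a branch whose pattern cannot hit), so the scenario would then run against an unmodified unit and exercise the wrong state. Follow each sed with a check such as `grep -q '^ExecStart\(Post\)\?=-\?/sbin/augenrules' <unit> || exit 1` so the setup fails loudly, and consider keying the first branch on the existence of /usr/lib/systemd/system/audit-rules.service instead of on the product name, which will drift as new products are added. The new `{{#` comment also opens with the same sentence as an earlier comment in this file (visible in the hunk header); if that earlier macro is the auditctl variant, word this one so the two are distinguishable at a glance, and if it already describes augenrules, check that this macro is not a duplicate.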
@@ -1,84 +1,49 @@ CCE-95718-3 -CCE-95719-1 CCE-95720-9 -CCE-95722-5 -CCE-95723-3 -CCE-95724-1 CCE-95725-8 -CCE-95726-6 -CCE-95727-4 -CCE-95729-0 CCE-95730-8 CCE-95731-6 CCE-95732-4 -CCE-95733-2 CCE-95735-7 -CCE-95736-5 -CCE-95737-3 -CCE-95738-1 CCE-95741-5 -CCE-95742-3 CCE-95751-4 CCE-95752-2 -CCE-95753-0 CCE-95754-8 CCE-95755-5 -CCE-95756-3 CCE-95758-9 CCE-95759-7 -CCE-95760-5 -CCE-95761-3 -CCE-95762-1 CCE-95766-2 CCE-95767-0 CCE-95768-8 CCE-95770-4 CCE-95772-0 -CCE-95774-6 CCE-95775-3 -CCE-95777-9 CCE-95779-5 CCE-95781-1 CCE-95785-2 CCE-95786-0 -CCE-95787-8 -CCE-95788-6 CCE-95789-4 CCE-95790-2 CCE-95791-0 -CCE-95794-4 CCE-95798-5 -CCE-95799-3 CCE-95800-9 CCE-95802-5 CCE-95803-3 CCE-95804-1 -CCE-95806-6 -CCE-95807-4 CCE-95808-2 -CCE-95810-8 CCE-95813-2 -CCE-95814-0 CCE-95815-7 -CCE-95816-5 CCE-95819-9 -CCE-95822-3 CCE-95823-1 CCE-95824-9 CCE-95826-4 -CCE-95827-2 CCE-95829-8 -CCE-95831-4 CCE-95832-2 CCE-95833-0 CCE-95834-8 CCE-95836-3 CCE-95838-9 CCE-95839-7 -CCE-95841-3 -CCE-95842-1 -CCE-95847-0 -CCE-95848-8 CCE-95849-6 CCE-95852-0 CCE-95853-8 @@ -86,58 +51,40 @@ CCE-95854-6 CCE-95856-1 CCE-95857-9 CCE-95858-7 -CCE-95859-5 CCE-95860-3 CCE-95861-1 -CCE-95862-9 -CCE-95863-7 CCE-95864-5 -CCE-95865-2 CCE-95867-8 CCE-95868-6 CCE-95869-4 CCE-95870-2 CCE-95871-0 -CCE-95872-8 CCE-95875-1 CCE-95876-9 CCE-95877-7 CCE-95878-5 -CCE-95879-3 CCE-95881-9 CCE-95883-5 -CCE-95884-3 CCE-95887-6 CCE-95890-0 CCE-95892-6 CCE-95894-2 CCE-95896-7 -CCE-95897-5 CCE-95899-1 CCE-95901-5 CCE-95904-9 CCE-95906-4 CCE-95907-2 CCE-95908-0 -CCE-95909-8 -CCE-95910-6 CCE-95912-2 CCE-95913-0 CCE-95914-8 -CCE-95915-5 CCE-95916-3 CCE-95917-1 -CCE-95918-9 -CCE-95919-7 CCE-95920-5 -CCE-95922-1 CCE-95923-9 -CCE-95924-7 CCE-95925-4 CCE-95926-2 -CCE-95927-0 -CCE-95928-8 -CCE-95929-6 CCE-95930-4 CCE-95932-0 CCE-95934-6 
@@ -145,19 +92,14 @@ CCE-95935-3 CCE-95937-9 CCE-95938-7 CCE-95939-5 -CCE-95940-3 CCE-95941-1 CCE-95943-7 -CCE-95945-2 -CCE-95946-0 CCE-95947-8 CCE-95948-6 CCE-95949-4 -CCE-95950-2 CCE-95951-0 CCE-95952-8 CCE-95953-6 -CCE-95955-1 CCE-95956-9 CCE-95957-7 CCE-95958-5 @@ -165,7 +107,6 @@ CCE-95960-1 CCE-95962-7 CCE-95963-5 CCE-95964-3 -CCE-95966-8 CCE-95967-6 CCE-95969-2 CCE-95970-0 @@ -176,17 +117,11 @@ CCE-95976-7 CCE-95977-5 CCE-95978-3 CCE-95979-1 -CCE-95980-9 -CCE-95981-7 CCE-95984-1 CCE-95986-6 -CCE-95987-4 CCE-95988-2 -CCE-95989-0 CCE-95990-8 CCE-95991-6 -CCE-95993-2 -CCE-95994-0 CCE-95995-7 CCE-95997-3 CCE-95998-1 @@ -198,11 +133,7 @@ CCE-96004-7 CCE-96006-2 CCE-96009-6 CCE-96011-2 -CCE-96015-3 -CCE-96017-9 CCE-96022-9 -CCE-96023-7 -CCE-96025-2 CCE-96026-0 CCE-96028-6 CCE-96029-4 @@ -212,39 +143,23 @@ CCE-96034-4 CCE-96035-1 CCE-96036-9 CCE-96037-7 -CCE-96038-5 -CCE-96039-3 CCE-96040-1 CCE-96041-9 CCE-96042-7 CCE-96044-3 CCE-96045-0 CCE-96046-8 -CCE-96048-4 -CCE-96050-0 CCE-96051-8 -CCE-96054-2 -CCE-96055-9 CCE-96056-7 -CCE-96057-5 CCE-96059-1 -CCE-96060-9 CCE-96061-7 -CCE-96062-5 -CCE-96064-1 -CCE-96065-8 CCE-96067-4 -CCE-96069-0 CCE-96070-8 CCE-96071-6 CCE-96073-2 -CCE-96076-5 CCE-96078-1 CCE-96079-9 -CCE-96081-5 CCE-96082-3 -CCE-96083-1 -CCE-96085-6 CCE-96086-4 CCE-96087-2 CCE-96091-4 @@ -253,15 +168,12 @@ CCE-96093-0 CCE-96095-5 CCE-96097-1 CCE-96098-9 -CCE-96099-7 CCE-96100-3 CCE-96103-7 CCE-96104-5 CCE-96105-2 -CCE-96106-0 CCE-96108-6 CCE-96109-4 -CCE-96110-2 CCE-96111-0 CCE-96112-8 CCE-96113-6 @@ -275,26 +187,18 @@ CCE-96121-9 CCE-96124-3 CCE-96125-0 CCE-96126-8 -CCE-96129-2 -CCE-96130-0 -CCE-96132-6 CCE-96136-7 CCE-96137-5 -CCE-96138-3 CCE-96139-1 -CCE-96140-9 CCE-96143-3 -CCE-96146-6 CCE-96147-4 CCE-96149-0 CCE-96150-8 CCE-96151-6 CCE-96153-2 CCE-96154-0 -CCE-96157-3 CCE-96159-9 CCE-96160-7 -CCE-96161-5 CCE-96162-3 CCE-96163-1 CCE-96164-9 
@@ -304,92 +208,56 @@ CCE-96167-2 CCE-96168-0 CCE-96170-6 CCE-96173-0 -CCE-96174-8 CCE-96175-5 CCE-96176-3 -CCE-96177-1 -CCE-96178-9 CCE-96179-7 CCE-96180-5 CCE-96181-3 CCE-96182-1 CCE-96184-7 CCE-96186-2 -CCE-96187-0 -CCE-96189-6 -CCE-96190-4 CCE-96191-2 -CCE-96192-0 -CCE-96193-8 -CCE-96194-6 -CCE-96195-3 -CCE-96196-1 CCE-96197-9 CCE-96198-7 -CCE-96199-5 CCE-96200-1 CCE-96204-3 CCE-96205-0 CCE-96206-8 -CCE-96208-4 CCE-96209-2 -CCE-96211-8 CCE-96214-2 CCE-96216-7 CCE-96219-1 -CCE-96220-9 CCE-96222-5 CCE-96223-3 CCE-96224-1 CCE-96225-8 -CCE-96227-4 CCE-96228-2 -CCE-96229-0 CCE-96230-8 CCE-96231-6 CCE-96233-2 -CCE-96235-7 -CCE-96236-5 CCE-96237-3 CCE-96238-1 CCE-96240-7 -CCE-96241-5 -CCE-96245-6 -CCE-96246-4 CCE-96248-0 CCE-96249-8 CCE-96250-6 CCE-96251-4 -CCE-96252-2 CCE-96253-0 -CCE-96255-5 -CCE-96256-3 CCE-96258-9 -CCE-96259-7 CCE-96260-5 CCE-96261-3 CCE-96264-7 -CCE-96265-4 CCE-96267-0 -CCE-96268-8 CCE-96269-6 CCE-96270-4 -CCE-96274-6 -CCE-96275-3 CCE-96277-9 -CCE-96278-7 CCE-96280-3 CCE-96281-1 -CCE-96285-2 -CCE-96288-6 CCE-96289-4 CCE-96291-0 CCE-96292-8 -CCE-96293-6 -CCE-96294-4 CCE-96296-9 CCE-96297-7 -CCE-96298-5 CCE-96302-5 CCE-96303-3 CCE-96304-1 @@ -401,14 +269,11 @@ CCE-96311-6 CCE-96312-4 CCE-96313-2 CCE-96316-5 -CCE-96318-1 CCE-96319-9 CCE-96320-7 -CCE-96321-5 CCE-96322-3 CCE-96324-9 CCE-96326-4 -CCE-96327-2 CCE-96331-4 CCE-96332-2 CCE-96333-0 @@ -417,9 +282,7 @@ CCE-96336-3 CCE-96337-1 CCE-96338-9 CCE-96339-7 -CCE-96340-5 CCE-96343-9 -CCE-96344-7 CCE-96345-4 CCE-96346-2 CCE-96347-0 
@@ -428,85 +291,44 @@ CCE-96349-6 CCE-96351-2 CCE-96352-0 CCE-96354-6 -CCE-96355-3 -CCE-96356-1 CCE-96357-9 -CCE-96358-7 -CCE-96359-5 -CCE-96361-1 CCE-96362-9 -CCE-96363-7 -CCE-96366-0 -CCE-96367-8 CCE-96369-4 -CCE-96370-2 -CCE-96371-0 -CCE-96372-8 CCE-96374-4 CCE-96375-1 CCE-96379-3 CCE-96380-1 -CCE-96383-5 CCE-96387-6 CCE-96389-2 -CCE-96390-0 CCE-96392-6 -CCE-96394-2 CCE-96395-9 -CCE-96396-7 -CCE-96397-5 CCE-96399-1 CCE-96400-7 CCE-96401-5 CCE-96402-3 CCE-96403-1 -CCE-96404-9 -CCE-96405-6 -CCE-96407-2 -CCE-96408-0 CCE-96410-6 -CCE-96411-4 CCE-96412-2 CCE-96413-0 -CCE-96414-8 CCE-96415-5 CCE-96417-1 CCE-96418-9 CCE-96419-7 CCE-96421-3 -CCE-96423-9 CCE-96424-7 CCE-96425-4 CCE-96426-2 CCE-96427-0 -CCE-96428-8 -CCE-96430-4 -CCE-96431-2 CCE-96432-0 -CCE-96438-7 CCE-96439-5 -CCE-96440-3 -CCE-96441-1 -CCE-96444-5 -CCE-96445-2 -CCE-96446-0 -CCE-96447-8 -CCE-96448-6 CCE-96449-4 -CCE-96450-2 -CCE-96452-8 CCE-96454-4 CCE-96455-1 -CCE-96456-9 CCE-96459-3 -CCE-96460-1 CCE-96461-9 -CCE-96462-7 CCE-96463-5 -CCE-96464-3 CCE-96466-8 CCE-96469-2 -CCE-96470-0 CCE-96471-8 CCE-96472-6 CCE-96474-2 
@@ -523,79 +345,51 @@ CCE-96492-4 CCE-96493-2 CCE-96494-0 CCE-96495-7 -CCE-96496-5 CCE-96497-3 CCE-96498-1 CCE-96502-0 -CCE-96503-8 CCE-96504-6 CCE-96507-9 CCE-96508-7 -CCE-96510-3 CCE-96511-1 -CCE-96512-9 -CCE-96513-7 -CCE-96514-5 CCE-96515-2 CCE-96517-8 CCE-96518-6 -CCE-96519-4 CCE-96520-2 CCE-96523-6 CCE-96524-4 CCE-96525-1 -CCE-96527-7 CCE-96528-5 -CCE-96529-3 CCE-96530-1 -CCE-96533-5 CCE-96536-8 CCE-96537-6 CCE-96538-4 CCE-96539-2 -CCE-96540-0 CCE-96542-6 CCE-96543-4 CCE-96545-9 CCE-96546-7 CCE-96548-3 -CCE-96549-1 -CCE-96551-7 CCE-96552-5 CCE-96553-3 CCE-96554-1 -CCE-96555-8 -CCE-96557-4 CCE-96558-2 CCE-96559-0 -CCE-96560-8 CCE-96561-6 CCE-96562-4 CCE-96563-2 CCE-96564-0 CCE-96565-7 -CCE-96566-5 -CCE-96569-9 -CCE-96570-7 -CCE-96571-5 CCE-96572-3 -CCE-96573-1 -CCE-96574-9 -CCE-96575-6 CCE-96577-2 CCE-96580-6 -CCE-96582-2 CCE-96583-0 CCE-96586-3 CCE-96587-1 CCE-96588-9 -CCE-96589-7 CCE-96590-5 CCE-96594-7 -CCE-96595-4 CCE-96596-2 -CCE-96597-0 -CCE-96599-6 CCE-96600-2 CCE-96601-0 CCE-96602-8 @@ -603,63 +397,28 @@ CCE-96603-6 CCE-96605-1 CCE-96607-7 CCE-96608-5 -CCE-96609-3 CCE-96610-1 -CCE-96612-7 CCE-96613-5 CCE-96614-3 -CCE-96615-0 -CCE-96618-4 CCE-96619-2 -CCE-96620-0 CCE-96621-8 -CCE-96622-6 -CCE-96623-4 -CCE-96624-2 -CCE-96626-7 CCE-96628-3 -CCE-96629-1 CCE-96630-9 -CCE-96632-5 -CCE-96633-3 CCE-96635-8 CCE-96636-6 CCE-96637-4 CCE-96638-2 -CCE-96640-8 -CCE-96642-4 CCE-96643-2 CCE-96644-0 CCE-96645-7 CCE-96647-3 -CCE-96648-1 -CCE-96649-9 CCE-96651-5 CCE-96652-3 -CCE-96653-1 CCE-96655-6 -CCE-96656-4 CCE-96657-2 CCE-96659-8 CCE-96662-2 -CCE-96663-0 -CCE-96664-8 -CCE-96665-5 -CCE-96666-3 -CCE-96668-9 -CCE-96669-7 -CCE-96671-3 -CCE-96672-1 -CCE-96674-7 -CCE-96676-2 -CCE-96679-6 -CCE-96680-4 -CCE-96682-0 -CCE-96684-6 CCE-96685-3 CCE-96687-9 CCE-96689-5 CCE-96690-3 -CCE-96692-9 -CCE-96693-7 -CCE-96696-0 
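Review bot: this removes roughly 250 IDs from cce-sle16-avail.txt and a handful from cce-redhat-avail.txt; every removed CCE should appear exactly once as a `cce@sle16:` (or the matching `cce@rhel...`) entry in a rule.yml elsewhere in this change, and no ID still referenced by a rule.yml should remain in the pool. Before merging, grep the rule tree for duplicated CCE IDs and diff the set of removed IDs against the set newly assigned in rule.yml files, since a mismatch in either direction is only caught much later when a CCE collides in a generated data stream.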
diff --git a/shared/references/disa-stig-ol8-v2r6-xccdf-manual.xml b/shared/references/disa-stig-ol8-v2r7-xccdf-manual.xml similarity index 81% rename from shared/references/disa-stig-ol8-v2r6-xccdf-manual.xml rename to shared/references/disa-stig-ol8-v2r7-xccdf-manual.xml index 00942589bb06..b0668a886a3d 100644 --- a/shared/references/disa-stig-ol8-v2r6-xccdf-manual.xml +++ b/shared/references/disa-stig-ol8-v2r7-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedOracle Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 01 Oct 20253.5.11.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>OL08-00-030180The OL 8 audit package must be installed.<VulnDiscussion>Without establishing what type of events occurred and their source, location, and outcome, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. +acceptedOracle Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 05 Jan 20263.5.21.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000780-GPOS-00240<GroupDescription></GroupDescription>OL09-00-000001The OL 9 operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.<VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. +acceptedOracle Linux 9 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 4 Benchmark Date: 05 Jan 20263.5.21.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211010RHEL 9 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 9 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 05 Jan 20263.5.21.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211010RHEL 9 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. 
-Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Upgrade to a supported version of RHEL 9.Verify that the version or RHEL 9 is vendor supported with the following command: +End Of Life dates for Red Hat Linux 9 releases are as follows: +Current end of Full Support for Red Hat Linux 9 is 31 May 2027. +Current end of Maintenance Support for Red Hat Linux 9 is 31 May 3032. +Current end of Extended Life Cycle Support (ELS) for Red Hat Linux 9 is 31 May 2035.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Upgrade to a supported version of RHEL 9.Verify the version or RHEL 9 is vendor supported with the following command: $ cat /etc/redhat-release -Red Hat Enterprise Linux release 9.2 (Plow) +Red Hat Enterprise Linux release 9.6 (Plow) If the installed version of RHEL 9 is not supported, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211015RHEL 9 vendor packaged system security patches and updates must be installed and up 
to date.<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: 
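Review bot: the rename to disa-stig-ol8-v2r7-xccdf-manual.xml (together with the OL9 and RHEL9 headers moving to the 05 Jan 2026 releases) leaves anything that still points at the v2r6 filename dangling; confirm the ol8 product's STIG reference setting, any CI or documentation path, and the controls mapping regenerated from these manual XCCDF files are updated in the same PR. Separately, the added RHEL-09-211010 text reads "Current end of Maintenance Support for Red Hat Linux 9 is 31 May 3032" between dates of 2027 and 2035; that is DISA's typo and the reference file should stay verbatim, but take care that it is not copied into the rule's description or rationale when the rule text is synced from this file.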
@@ -99,19 +102,24 @@ $ systemctl is-active systemd-journald active -If the systemd-journald service is not active, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-09-211045The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. +If the systemd-journald service is not active, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-09-211045The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. 
-Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002235Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002235Configure RHEL 9 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. 
-$ sudo systemctl daemon-reloadVerify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: +$ sudo systemctl daemon-reloadVerify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: -$ grep -i ctrl /etc/systemd/system.conf - -CtrlAltDelBurstAction=none +$ sudo grep -iR CtrlAltDelBurstAction /etc/systemd/system* +/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction:CtrlAltDelBurstAction=none If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-09-211050The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. 
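Review bot: the new RHEL-09-211045 fix text creates `/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction` with no `.conf` suffix, but systemd only reads `*.conf` files from system.conf.d, so a host fixed exactly as written keeps the default burst action while the new check (`grep -iR CtrlAltDelBurstAction /etc/systemd/system*`) still reports it as compliant. This is DISA's wording and the reference file stays verbatim, but make sure the project's remediation for the corresponding rule writes a `*.conf` drop-in and that its OVAL only honours `*.conf` files in that directory rather than mirroring this fix text; otherwise the check and the remediation would agree with each other and both be wrong about what systemd actually applies.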
@@ -139,7 +147,7 @@ debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) -If the "debug-shell.service" is loaded and not masked, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-212010RHEL 9 must require a boot loader superuser password.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If the "debug-shell.service" is loaded and not masked, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-212010RHEL 9 must require a boot loader superuser password.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to require a grub bootloader password for the grub superuser account. 
@@ -170,7 +178,7 @@ Check that the current GRUB 2 configuration disables the ability of systemd to s $ sudo grubby --info=ALL | grep args | grep 'systemd.confirm_spawn' -If any output is returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-212020RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.<VulnDiscussion>Having a nondefault grub superuser username makes password-guessing attacks less effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to have a unique username for the grub superuser account. +If any output is returned, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-212020RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.<VulnDiscussion>Having a nondefault grub superuser username makes password-guessing attacks less effective.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to have a unique username for the grub superuser account. 
Edit the "/etc/grub.d/01_users" file and add or modify the following lines with a nondefault username for the superuser account: 
@@ -320,7 +328,7 @@ $ grep audit /etc/default/grub GRUB_CMDLINE_LINUX="audit=1" -If "audit" is not set to "1", is missing, or is commented out, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213010RHEL 9 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If "audit" is not set to "1", is missing, or is commented out, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213010RHEL 9 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. 
This can be verified by acceptance/validation processes in DOD or other government agencies. @@ -328,7 +336,7 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -337,41 +345,25 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082CCI-001090Configure RHEL 9 to restrict access to the kernel message buffer. +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082CCI-001090Configure RHEL 9 to restrict access to the kernel message buffer. 
-Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a drop-in if it does not already exist: -kernel.dmesg_restrict = 1 +$ sudo vi /etc/sysctl.d/99-dmesg_restrict.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following to the file: +kernel.dmesg_restrict = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 is configured to restrict access to the kernel message buffer with the following commands: +$ sudo sysctl --systemVerify RHEL 9 is configured to restrict access to the kernel message buffer. -Check the status of the kernel.dmesg_restrict kernel parameter. +Check the status of the "kernel.dmesg_restrict" kernel parameter with the following command: $ sudo sysctl kernel.dmesg_restrict - kernel.dmesg_restrict = 1 -If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter. - -$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 - -If "kernel.dmesg_restrict" is not set to "1", is missing, or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213015RHEL 9 must prevent kernel profiling by nonprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213015RHEL 9 must prevent kernel profiling by nonprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. 
@@ -379,7 +371,7 @@ There may be shared resources with configurable protections (e.g., files in stor Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -388,45 +380,29 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082CCI-001090Configure RHEL 9 to prevent kernel profiling by nonprivileged users. +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082CCI-001090Configure RHEL 9 to prevent kernel profiling by nonprivileged users. 
+ +Create a drop-in if it does not already exist: -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +$ sudo vi /etc/sysctl.d/99-kernel_perf_event_paranoid.conf +Add the following to the file: kernel.perf_event_paranoid = 2 -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Reload settings from all system configuration files with the following command: -Load settings from all system configuration files with the following command: +$ sudo sysctl --systemVerify RHEL 9 is configured to prevent kernel profiling by nonprivileged users. -$ sudo sysctl --systemVerify RHEL 9 is configured to prevent kernel profiling by nonprivileged users with the following commands: - -Check the status of the kernel.perf_event_paranoid kernel parameter. +Check the status of the "kernel.perf_event_paranoid" kernel parameter. $ sudo sysctl kernel.perf_event_paranoid - kernel.perf_event_paranoid = 2 -If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter. - -$ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2 - -If "kernel.perf_event_paranoid" is not set to "2", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213020RHEL 9 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. 
This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213020RHEL 9 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -435,41 +411,27 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-003992CCI-001749Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-003992CCI-001749Configure RHEL 9 to disable kernel image loading. -kernel.kexec_load_disabled = 1 +Create a drop-in if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --systemVerify RHEL 9 is configured to disable kernel image loading. - -Check the status of the kernel.kexec_load_disabled kernel parameter. 
- -$ sudo sysctl kernel.kexec_load_disabled +$ sudo vi /etc/sysctl.d/99-kernel_kexec_load_disabled.conf +Add the following to the file: kernel.kexec_load_disabled = 1 -If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this kernel parameter. +$ sudo sysctl --systemVerify RHEL 9 is configured to disable kernel image loading. -$ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the status of the "kernel.kexec_load_disabled" kernel parameter with the following command: -/etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1 +$ sudo sysctl kernel.kexec_load_disabled +kernel.kexec_load_disabled = 1 -If "kernel.kexec_load_disabled" is not set to "1", is missing, or commented out, this is a finding. +If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213025RHEL 9 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -If conflicting results are returned, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213025RHEL 9 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -478,43 +440,31 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082CCI-002824Configure RHEL 9 to restrict exposed kernel pointer addresses access by adding the following line to a file in the "/etc/sysctl.d" directory: - -kernel.kptr_restrict = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082CCI-002824Configure RHEL 9 to restrict exposed kernel pointer addresses access. 
-$ sudo sysctl --systemVerify RHEL 9 restricts exposed kernel pointer addresses access with the following commands: +Create a drop-in if it does not already exist: -$ sudo sysctl kernel.kptr_restrict +$ sudo vi /etc/sysctl.d/99-kernel_kptr_restrict.conf +Add the following to the file: kernel.kptr_restrict = 1 -If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. +Reload settings from all system configuration files with the following command: -$ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify RHEL 9 is configured to restrict exposed kernel pointer address access. -/etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 +Verify the runtime status of the "kernel.kptr_restrict" kernel parameter with the following command: -If "kernel.kptr_restrict" is not set to "1" or "2", is missing, or commented out, this is a finding. +$ sudo sysctl kernel.kptr_restrict +kernel.kptr_restrict = 1 -If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>RHEL-09-213030RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
+If "kernel.kptr_restrict" is not set to "1" or is missing, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>RHEL-09-213030RHEL 9 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks.<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -523,45 +473,31 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002165CCI-002235Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -fs.protected_hardlinks = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Load settings from all system configuration files with the following command: +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002165CCI-002235Configure RHEL 9 to enable DAC on hardlinks. -$ sudo sysctl --systemVerify RHEL 9 is configured to enable DAC on hardlinks. +Create a drop-in if it does not already exist: -Check the status of the fs.protected_hardlinks kernel parameter. 
- -$ sudo sysctl fs.protected_hardlinks +$ sudo vi /etc/sysctl.d/99-fs_protected_hardlinks.conf +Add the following to the file: fs.protected_hardlinks = 1 -If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter. +Reload settings from all system configuration files with the following command: -$ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify RHEL 9 is configured to enable DAC on hardlinks. -/etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1 +Check the status of the "fs.protected_hardlinks" kernel parameter with the following command: -If "fs.protected_hardlinks" is not set to "1", is missing, or commented out, this is a finding. +$ sudo sysctl fs.protected_hardlinks +fs.protected_hardlinks = 1 -If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>RHEL-09-213035RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. 
+If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding.SRG-OS-000312-GPOS-00123<GroupDescription></GroupDescription>RHEL-09-213035RHEL 9 must enable kernel parameters to enforce discretionary access (DAC) control on symlinks.<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. 
By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -570,82 +506,52 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002165CCI-002235Configure RHEL 9 to enable DAC on symlinks. +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002165CCI-002235Configure RHEL 9 to enable DAC on symlinks with the following: -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a drop-in if it does not already exist: -fs.protected_symlinks = 1 +$ sudo vi /etc/sysctl.d/99-fs_protected_symlinks.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following to the file: +fs.protected_symlinks = 1 -Load settings from all system configuration files with the following 
command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 is configured to enable DAC on symlinks. +$ sudo sysctl --systemVerify RHEL 9 is configured to enable DAC on symlinks. -Check the status of the fs.protected_symlinks kernel parameter. +Check the status of the "fs.protected_symlinks" kernel parameter with the following command: $ sudo sysctl fs.protected_symlinks - fs.protected_symlinks = 1 -If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding. - -Check that the configuration files are present to enable this kernel parameter. - -$ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213040RHEL 9 must disable the kernel.core_pattern.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -/etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1 - -If "fs.protected_symlinks" is not set to "1", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213040RHEL 9 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to disable storing core dumps. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to disable storing core dumps. + +Create a drop-in if it does not already exist: -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +$ sudo vi /etc/sysctl.d/99-kernel_core_pattern.conf +Add the following to the file: kernel.core_pattern = |/bin/false -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Reload settings from all system configuration files with the following command: -The system configuration files must reloaded for the changes to take effect. To reload the contents of the files, run the following command: +$ sudo sysctl --systemVerify RHEL 9 disables storing core dumps. -$ sudo sysctl --systemVerify RHEL 9 disables storing core dumps with the following commands: +Check the status of the "kernel.core_pattern" kernel parameter with the following command: $ sudo sysctl kernel.core_pattern - kernel.core_pattern = |/bin/false -If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this kernel parameter. 
- -$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false - -If "kernel.core_pattern" is not set to "|/bin/false", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-09-213045RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.<VulnDiscussion>Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000381To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf (or create atm.conf if it does not exist): +If "kernel.core_pattern" is not set to "|/bin/false", or a line is not returned and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-09-213045RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.<VulnDiscussion>Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its 
implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000381To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf (or create atm.conf if it does not exist): install atm /bin/false blacklist atmVerify that RHEL 9 disables the ability to load the ATM kernel module with the following command: 
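Review bot: the replacement check text for the fs.protected_symlinks rule and for RHEL-09-213040 (kernel.core_pattern) drops both the `grep -r ... /etc/sysctl.d/*.conf` step and the "If conflicting results are returned, this is a finding" clause, so the check as written now inspects only the running kernel value; a host where the value was set at runtime but never persisted, or where a later-sorted drop-in overrides it on the next `sysctl --system`, passes the check while the fix text still creates `/etc/sysctl.d/99-fs_protected_symlinks.conf` and `/etc/sysctl.d/99-kernel_core_pattern.conf`. Worth confirming this is the intended upstream wording before the repository's check content for these rules is aligned with it. The VulnDiscussion for RHEL-09-213040 also changes from the generic "functionality exceeding requirements" rationale to the core dump rationale, which reads as a deliberate upstream correction rather than an accident.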
@@ -703,11 +609,11 @@ $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d/* install tipc /bin/false blacklist tipc -If the command does not return any output, or the lines are commented out, and use of tipc is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-09-213070RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. +If the command does not return any output, or the lines are commented out, and use of tipc is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-09-213070RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. -The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
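Review bot: the tipc finding sentence at the top of this hunk is emitted as a removed and re-added line with no visible difference, which suggests trailing whitespace or line-ending changes are riding along with the content update; check that the file's line endings are not being rewritten wholesale. The only substantive changes here are "lexicographic" to "lexicographical" and the added sentence "Examples of attacks are buffer overflow attacks." in the RHEL-09-213070 VulnDiscussion.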
@@ -716,41 +622,27 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002824Configure RHEL 9 to implement virtual address space randomization. +Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002824Configure RHEL 9 to implement ASLR. 
-Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create the drop-in if it does not already exist: -kernel.randomize_va_space=2 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Issue the following command to make the changes take effect: - -$ sudo sysctl --systemVerify RHEL 9 implements ASLR with the following command: - -$ sudo sysctl kernel.randomize_va_space +$ sudo vi /etc/sysctl.d/99-kernel_randomize_va_space.conf +Add the following line to the file: kernel.randomize_va_space = 2 -If "kernel.randomize_va_space" is not set to "2", this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this kernel parameter. +$ sudo sysctl --systemVerify RHEL 9 is implementing ASLR. -$ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the status of the "kernel.randomize_va_space" kernel parameter with the following command: -/etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 +$ sudo sysctl kernel.randomize_va_space +kernel.randomize_va_space = 2 -If "kernel.randomize_va_space" is not set to "2", is missing, or commented out, this is a finding. +If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213075RHEL 9 must disable access to network bpf system call from nonprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -If conflicting results are returned, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213075RHEL 9 must disable access to network bpf system call from nonprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
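Review bot: the removed fix line `kernel.randomize_va_space=2` (no spaces) is replaced by `kernel.randomize_va_space = 2`, which now matches the spaced form used by the other sysctl rules in this change and by the expected check output, so the check and fix text for RHEL-09-213070 agree. As with the earlier hunk, the config-file grep and the "conflicting results" clause are dropped, so the check verifies only the live value; the same alignment question applies to this rule's check content.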
@@ -759,37 +651,25 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082Configure RHEL 9 to prevent privilege escalation through the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory: - -kernel.unprivileged_bpf_disabled = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082Configure RHEL 9 to prevent privilege escalation through the kernel by disabling access to the bpf system call. 
-$ sudo sysctl --systemVerify RHEL 9 prevents privilege escalation through the kernel by disabling access to the bpf syscall with the following commands: +Create the drop-in file if it does not already exist: -$ sudo sysctl kernel.unprivileged_bpf_disabled +$ sudo vi /etc/sysctl.d/99-kernel_unprivileged_bpf_disabled.conf +Add the following line to the file: kernel.unprivileged_bpf_disabled = 1 -If the returned line does not have a value of "1", or a line is not returned, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 prevents privilege escalation through the kernel by disabling access to the bpf system call. -$ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the status of the "kernel.unprivileged_bpf_disabled" kernel parameter with the following command: -/etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1 - -If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing, or commented out, this is a finding. +$ sysctl kernel.unprivileged_bpf_disabled +kernel.unprivileged_bpf_disabled = 1 -If conflicting results are returned, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213080RHEL 9 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
+If "kernel.unprivileged_bpf_disabled" is not set to "1", or is missing, this is a finding.SRG-OS-000132-GPOS-00067<GroupDescription></GroupDescription>RHEL-09-213080RHEL 9 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
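Review bot: the new check command for RHEL-09-213075 is `$ sysctl kernel.unprivileged_bpf_disabled` without `sudo`, whereas the fs.protected_symlinks, kernel.core_pattern and kernel.randomize_va_space checks in this same change keep `$ sudo sysctl ...`; the two forms should be made consistent (reading a sysctl value does not normally need root, but the text should pick one convention). Also, the context line at the end of this hunk shows the RHEL-09-213080 VulnDiscussion still reading "lexicographic order" while the other rules in this change are updated to "lexicographical order", so that description appears to have been left out of the wording update.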
@@ -800,37 +680,25 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082Configure RHEL 9 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory: +Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001082Configure RHEL 9 to restrict the usage of ptrace to descendant processes. -kernel.yama.ptrace_scope = 1 +Create the drop-in if it doesn't already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files must be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: - -$ sudo sysctl --systemVerify RHEL 9 restricts usage of ptrace to descendant processes with the following commands: - -$ sudo sysctl kernel.yama.ptrace_scope +$ sudo vi /etc/sysctl.d/99-kernel_yama.ptrace_scope.conf +Add the following line to the file: kernel.yama.ptrace_scope = 1 -If the returned line does not have a value of "1", or a line is not returned, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 restricts the usage of ptrace to descendant processes. -$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the status of the "kernel.yama.ptrace_scope" kernel parameter with the following command: -/etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1 - -If "kernel.yama.ptrace_scope" is not set to "1", is missing, or commented out, this is a finding. +$ sysctl kernel.yama.ptrace_scope +kernel.yama.ptrace_scope = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213085RHEL 9 must disable core dump backtraces.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. +If the network parameter "kernel.yama.ptrace_scope" is not equal to "1", or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213085RHEL 9 must disable core dump backtraces.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the operating system to disable core dump backtraces. 
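Review bot: the new finding sentence for RHEL-09-213080 calls "kernel.yama.ptrace_scope" a "network parameter"; it is a kernel parameter (the Yama LSM's ptrace scope), and the preceding check sentence in the same hunk already calls it a kernel parameter, so the wording should be "If the kernel parameter ...". Two smaller consistency points in the same hunk: the drop-in name `99-kernel_yama.ptrace_scope.conf` keeps a dot where the other drop-ins in this change (`99-kernel_unprivileged_bpf_disabled.conf`, `99-kernel_randomize_va_space.conf`) use underscores throughout, and the check command again omits `sudo`.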
@@ -856,21 +724,25 @@ $ grep -i storage /etc/systemd/coredump.conf Storage=none -If the "Storage" item is missing or commented out, or the value is anything other than "none", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213095RHEL 9 must disable core dumps for all users.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the operating system to disable core dumps for all users. +If the "Storage" item is missing or commented out, or the value is anything other than "none", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213095RHEL 9 must disable core dumps for all users.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to disable core dumps for all users. Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: -* hard core 0Note: If kernel dumps are disabled in accordance with RHEL-09-213040, this requirement is not applicable. +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0".Note: If kernel dumps are disabled in accordance with RHEL-09-213040, this requirement is not applicable. Verify RHEL 9 disables core dumps for all users by issuing the following command: -$ grep -r -s core /etc/security/limits.conf /etc/security/limits.d/*.conf +$ grep -rs core /etc/security/limits.conf /etc/security/limits.d/*.conf /etc/security/limits.conf:* hard core 0 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. 
-If the "core" item is missing or commented out, or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213100RHEL 9 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: +If the "core" item is missing or commented out, or the value is anything other than "0", and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding. + +If entries exist for users or groups with a value set to anything other than "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213100RHEL 9 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: $ sudo systemctl mask --now systemd-coredump.socket 
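Review bot: the added finding clause "If entries exist for users or groups with a value set to anything other than "0", this is a finding." for RHEL-09-213095 is unconditional and sits directly after the retained clause that permits non-zero values when documented with the ISSO, while the retained sentence "may be set differently for multiple domains" still implies per-domain values are acceptable; as written, a documented exception is a finding under the new sentence and not a finding under the old one. Suggest either qualifying the new sentence with the same ISSO-documentation condition or removing the "may be set differently" sentence. The `grep -r -s` to `grep -rs` change is cosmetic and fine.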
@@ -888,46 +760,36 @@ systemd-coredump.socket Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) Active: inactive (dead) -If the "systemd-coredump.socket" is loaded and not masked, and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213105RHEL 9 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the "systemd-coredump.socket" is loaded and not masked, and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-213105RHEL 9 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory: - -user.max_user_namespaces = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 
9 to disable the use of user namespaces. -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Create the drop-in if it does not already exist: -$ sudo sysctl --systemVerify RHEL 9 disables the use of user namespaces with the following commands: +$ sudo vi /etc/sysctl.d/99-user_max_user_namespaces.conf -$ sudo sysctl user.max_user_namespaces +Add the following line to the file: user.max_user_namespaces = 0 -If the returned line does not have a value of "0", or a line is not returned, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 disables the use of user namespaces. -$ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the status of the "user.max_user_namespaces" parameter with the following command: -/etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 +$ sudo sysctl user.max_user_namespaces -If "user.max_user_namespaces" is not set to "0", is missing, or commented out, this is a finding. +user.max_user_namespaces = 0 -If conflicting results are returned, this is a finding. +If "user.max_user_namespaces" is not set to "0" or is missing, this is a finding. If the use of namespaces is operationally required and documented with the information system security manager (ISSM), it is not a finding.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>RHEL-09-213110RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.<VulnDiscussion>ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. 
It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. 
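Review bot: the rewritten check for RHEL-09-213105 verifies only the runtime value via `$ sudo sysctl user.max_user_namespaces` and drops both the `grep -r user.max_user_namespaces` sweep of the sysctl configuration files and the "If conflicting results are returned, this is a finding" clause, so a host where the value was set at runtime but never persisted, or where a later-sorting file resets it, passes the check and regresses on reboot. Either keep a file-based check next to the runtime check, or trim the VulnDiscussion paragraph on lexicographical file precedence, which now describes an ordering the check never examines. Related: the new fix tells the reader to create `/etc/sysctl.d/99-user_max_user_namespaces.conf` but no longer says to remove conflicting settings from the other locations; by the precedence rules the discussion itself quotes, a conflicting entry in a file processed after this one still wins.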
@@ -1048,19 +910,22 @@ localpkg_gpgcheck=1 If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the system administrator how the GPG signatures of local software packages are being verified. -If there is no process to verify GPG signatures that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-09-214025RHEL 9 must have GPG signature verification enabled for all software repositories.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If there is no process to verify GPG signatures that is approved by the organization, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-09-214025RHEL 9 must have GPG signature verification enabled for all software repositories.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. 
This verifies the software has not been tampered with and that it has been provided by a trusted vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-003992CCI-001749Configure all software repositories defined in "/etc/yum.repos.d/" to have "gpgcheck" enabled: -$ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*Verify that all software repositories defined in "/etc/yum.repos.d/" have been configured with "gpgcheck" enabled: +$ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*Verify all software repositories defined in "/etc/yum.repos.d/" have been configured with "gpgcheck" enabled: $ grep -w gpgcheck /etc/yum.repos.d/*.repo | more -gpgcheck = 1 +/etc/yum.repos.d/redhat.repo:gpgcheck = 1 -If "gpgcheck" is not set to "1" for all returned lines, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-214030RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.<VulnDiscussion>The hashes of important files such as system executables should match the information given by the RPM database. 
Executables with erroneous hashes could be a sign of nefarious activity on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 so that the cryptographic hashes of system files match vendor values. +For all listed repos, if "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the system administrator how the GPG signatures of local software packages are being verified. + +If there is no process to verify GPG signatures that is approved by the organization, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-214030RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.<VulnDiscussion>The hashes of important files such as system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. 
+If the Check Text command returns results from third-party software vendors, it is an indication that the vendor is not implementing their rpm packages correctly and this must be corrected by the software vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 so that the cryptographic hashes of system files match vendor values. Given output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled: @@ -1076,7 +941,7 @@ $ sudo dnf -y reinstall gzip [...] $ sudo rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' -[no output]Verify that RHEL 9 is configured so that the cryptographic hashes of system files match vendor values. +[no output]Verify RHEL 9 is configured so that the cryptographic hashes of system files match vendor values. List files on the system that have file hashes different from what is expected by the RPM database with the following command: 
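Review bot: the new finding clause for RHEL-09-214025 reads "ask the system administrator how the GPG signatures of local software packages are being verified", which is the wording of the preceding localpkg_gpgcheck rule (visible as context at the top of this hunk); this rule covers repositories under /etc/yum.repos.d/, so "local software packages" should refer to packages obtained from the listed repositories. Also, the fix command `$ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*` only rewrites existing gpgcheck lines, while the check now explicitly treats a missing or commented-out option as a possible finding; a repo stanza with no gpgcheck line is left untouched by the fix, so the fix text should cover adding the option where absent.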
@@ -1168,7 +1033,7 @@ $ dnf list --installed telnet-server Error: No matching Packages to list -If the "telnet-server" package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-09-215045RHEL 9 must not have the gssproxy package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the "telnet-server" package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>RHEL-09-215045RHEL 9 must not have the gssproxy package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). 
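Review bot: the removed and added lines in this hunk are identical in visible content, which points to a whitespace or line-ending change only; if that is intentional (for example normalizing CRLF), it is worth saying so in the PR description so reviewers can separate this noise from the substantive edits elsewhere in the file.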
@@ -1176,7 +1041,9 @@ The gssproxy package is a proxy for GSS API credential handling and could expose Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000381Remove the gssproxy package with the following command: -$ sudo dnf remove gssproxyVerify that the gssproxy package is not installed with the following command: +$ sudo dnf remove gssproxyNote: If NFS mounts are authorized and in use on the system, this control is not applicable. + +Verify the gssproxy package is not installed with the following command: $ dnf list --installed gssproxy 
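Review bot: the new "Note: If NFS mounts are authorized and in use on the system, this control is not applicable." is placed at the very start of the check text, directly after the fix's `$ sudo dnf remove gssproxy`, while the fix text itself carries no such exception; an administrator applying the fix alone would remove gssproxy from a host that depends on it for NFS. Mirror the NFS exception in the fix text, or qualify the removal command with it.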
@@ -1210,17 +1077,45 @@ $ dnf list --installed tuned Error: No matching Packages to list -If the "tuned" package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-215060RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.<VulnDiscussion>Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. +If the "tuned" package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-215060The Trivial File Transfer Protocol (TFTP) server must not be installed unless it is required, and if required, the RHEL 9 TFTP daemon must be configured to operate in secure mode.<VulnDiscussion>Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. + +If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established. 
+ +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 so that TFTP operates in secure mode if installed. + +If TFTP server is not required, remove it with the following command: +$ sudo dnf -y remove tftp-server -If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366The "tftp-server" package can be removed with the following command: +Configure the TFTP daemon to operate in secure mode with the following command: +$ sudo systemctl edit tftp.service -$ sudo dnf remove tftp-serverVerify that RHEL 9 does not have a "tftp-server" package installed with the following command: +In the editor, enter: +[Service] +ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot + +After making changes, reload the systemd daemon and restart the TFTP service as follows: + +$ sudo systemctl daemon-reload +$ 
sudo systemctl restart tftp.service + +If the "-s" option is not present in the "ExecStart" line or if the line is missing, this is a finding.Verify if TFTP is installed, it is configured to operate in secure mode. + +Note: If TFTP is not required, it must not be installed. If TFTP is not installed, this rule is not applicable. + +Check to see if TFTP server is installed with the following command: $ sudo dnf list --installed tftp-server -Error: No matching Packages to list +Updating Subscription Management repositories. +Installed Packages +tftp-server.x86_64 5.2-38.el9 @rhel-9-for-x86_64-appstream-rpms + +Verify the TFTP daemon, if tftp.server is installed, is configured to operate in secure mode with the following command: + +$ grep -i execstart /usr/lib/systemd/system/tftp.service +ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot -If the "tftp-server" package is installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-215065RHEL 9 must not have the quagga package installed.<VulnDiscussion>Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. +Note: The "-s" option ensures the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-215065RHEL 9 must not have the quagga package installed.<VulnDiscussion>Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. 
If there is no need to make the router software available, removing it provides a safeguard against its activation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Remove the quagga package with the following command: 
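Review bot: the fix and check for RHEL-09-215060 do not agree on where the ExecStart setting lives. The fix uses `$ sudo systemctl edit tftp.service`, which writes a drop-in under /etc/systemd/system/tftp.service.d/ and leaves the vendor unit untouched, but the check greps `/usr/lib/systemd/system/tftp.service`, so a host remediated exactly as written still fails the check; checking the effective unit (for example with `systemctl cat tftp.service` or `systemctl show -p ExecStart tftp.service`) would cover both the vendor file and any drop-in. Two further problems in the same hunk: a drop-in that sets `ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot` for a non-oneshot service must first clear the inherited value with an empty `ExecStart=` line, otherwise systemd rejects the unit for having more than one ExecStart; and the sentence "If the "-s" option is not present in the "ExecStart" line or if the line is missing, this is a finding." sits at the end of the fix text, before "Verify if TFTP is installed", whereas it belongs in the check text. Minor: "if tftp.server is installed" should read "tftp-server", and the "Updating Subscription Management repositories." line in the sample output is environment-specific and can be dropped.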
@@ -1443,9 +1338,9 @@ $ mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) -If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231105RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. +If the /boot file system does not have the "nosuid" option set, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231105RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.<VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
-Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.Note: For systems that use BIOS, this requirement is not applicable. +Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.Note: For systems that use vfat file systems and for systems that use BIOS, this requirement is not applicable. Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: 
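Review bot: the head note for RHEL-09-231105 now reads "For systems that use vfat file systems and for systems that use BIOS, this requirement is not applicable.", but the check text still ends with "Note: This control is not applicable to vfat file systems." (unchanged in the following hunk), so the vfat exemption is stated twice in one rule; keep one of the two statements.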
@@ -1455,60 +1350,58 @@ $ mount | grep '\s/boot/efi\s' If the /boot/efi file system does not have the "nosuid" option set, this is a finding. -Note: This control is not applicable to vfat file systems.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231110RHEL 9 must mount /dev/shm with the nodev option.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. +Note: This control is not applicable to vfat file systems.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231110RHEL 9 must mount /dev/shm with the nodev option.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
-The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system.Verify "/dev/shm" is mounted with the "nodev" option with the following command: +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Configure "/dev/shm" to mount with the "nodev" option. -$ mount | grep /dev/shm +Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system. 
-tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) +To reload all implicit mount units and update the dependency graph so that new options will apply correctly at next remount, run the following command: -If the /dev/shm file system is mounted without the "nodev" option, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231115RHEL 9 must mount /dev/shm with the noexec option.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Configure "/dev/shm" to mount with the "noexec" option. +$ sudo systemctl daemon-reload -Determine how /dev/shm is managed. +Use the following command to apply the changes immediately without a reboot: -$ systemctl status systemd-tmpfiles-setup -If "active", systemd is managing temporary files (including /dev/shm). -Otherwise, /etc/fstab is managing temporary files. 
+$ sudo mount -o remount /dev/shmVerify "/dev/shm" is mounted with the "nodev" option with the following command: -If systemd is managing /dev/shm, use the following commands to add the noexec option to the mount: - If /etc/tmpfiles.d does not exist, create it: - $ sudo mkdir -p /etc/tmpfiles.d +$ findmnt /dev/shm - Add a configuration file with the appropriate options for /dev/shm as follows: - $ echo 'd /dev/shm 1777 root root 10d' | sudo tee /etc/tmpfiles.d/dev-shm.conf - $ echo 'x /dev/shm' | sudo tee -a /etc/tmpfiles.d/dev-shm.conf +TARGET SOURCE FSTYPE OPTIONS +/dev/shm tmpfs tmpfs rw,nodev,nosuid,noexec,seclabel - Apply new mount options with the following commands: - $ sudo systemctl mask tmp.mount - Created symlink /etc/systemd/system/tmp.mount ? /dev/null. +If the mount options for /dev/shm does not include nodev, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231115RHEL 9 must mount /dev/shm with the noexec option.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Configure "/dev/shm" to mount with the "noexec" option. 
- $ echo 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,seclabel 0 0' | sudo tee -a /etc/fstab - $ sudo mount -o remount /dev/shm - $ sudo systemctl daemon-reload +Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system. -If /dev/shm is managed by /etc/fstab, use the following commands to add the noexec option to the mount: - $ sudo vi /etc/fstab +To reload all implicit mount units and update the dependency graph so that new options will apply correctly at next remount, run the following command: - Add or modify the following line: - tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,seclabel 0 0 +$ sudo systemctl daemon-reload - Remount /dev/shm: - $ sudo mount -o remount /dev/shm +Use the following command to apply the changes immediately without a reboot: -Note: Although systemd manages tmpfs mounts by default, administrators can override settings by adding entries to /etc/fstab. Either approach is acceptable.Verify "/dev/shm" is mounted with the "noexec" option with the following command: +$ sudo mount -o remount /dev/shmVerify "/dev/shm" is mounted with the "noexec" option with the following command: $ findmnt /dev/shm -TARGET SOURCE FSTYPE OPTIONS -/dev/shm tmpfs tmpfs rw,nodev,nosuid,noexec,seclabel 0 0 -If the /dev/shm file system is mounted without the "noexec" option, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231120RHEL 9 must mount /dev/shm with the nosuid option.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. 
Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system.Verify "/dev/shm" is mounted with the "nosuid" option with the following command: +/dev/shm tmpfs tmpfs rw,nodev,nosuid,noexec,seclabel -$ mount | grep /dev/shm +If the mount options for /dev/shm does not include noexec, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231120RHEL 9 must mount /dev/shm with the nosuid option.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Configure "/dev/shm" to mount with the "nosuid" option. 
+ +Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system. + +To reload all implicit mount units and update the dependency graph so that new options will apply correctly at next remount, run the following command: + +$ sudo systemctl daemon-reload -tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) +Use the following command to apply the changes immediately without a reboot: -If the /dev/shm file system is mounted without the "nosuid" option, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231125RHEL 9 must mount /tmp with the nodev option.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. +$ sudo mount -o remount /dev/shmVerify "/dev/shm" is mounted with the "nosuid" option with the following command: + +$ findmnt /dev/shm + +/dev/shm tmpfs tmpfs rw,nodev,nosuid,noexec,seclabel + +If the mount options for /dev/shm does not include nosuid, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-09-231125RHEL 9 must mount /tmp with the nodev option.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001764Modify "/etc/fstab" to use the "nodev" option on the "/tmp" directory.Verify "/tmp" is mounted with the "nodev" option: 
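Review bot: subject-verb agreement is wrong in both new finding sentences in this hunk, "If the mount options for /dev/shm does not include noexec, this is a finding." and "If the mount options for /dev/shm does not include nosuid, this is a finding."; "mount options" is plural, so it should read "do not include". Separately, the check for RHEL-09-231120 switches from "mount | grep /dev/shm" to "findmnt /dev/shm", but findmnt prints a TARGET SOURCE FSTYPE OPTIONS header row before the data line, so the quoted sample output "/dev/shm tmpfs tmpfs rw,nodev,nosuid,noexec,seclabel" will not match what the reviewer sees on screen; either show the header in the sample or use "findmnt -n /dev/shm" so the single line shown is the whole output. The fix sequence (fstab entry, "systemctl daemon-reload", then "mount -o remount /dev/shm") is fine, since /dev/shm is normally mounted by a systemd unit rather than from fstab and the reload is what makes the new fstab options visible to the remount.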
@@ -1658,9 +1551,11 @@ $ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d/* install cramfs /bin/false blacklist cramfs -If the command does not return any output or the lines are commented out, and use of cramfs is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-231200RHEL 9 must prevent special devices on non-root local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. +If the command does not return any output or the lines are commented out, and use of cramfs is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-231200RHEL 9 must prevent special devices on non-root local partitions.<VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
+ +The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.Note: This control is not applicable to vfat file systems. -The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.Verify all non-root local partitions are mounted with the "nodev" option with the following command: +Verify all non-root local partitions are mounted with the "nodev" option with the following command: $ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' 
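Review bot: the new line "Note: This control is not applicable to vfat file systems." is not reflected in the check command that immediately follows it, "sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'", which will still print a vfat mount such as an EFI system partition that lacks the nodev option and so produce a false finding. Either filter vfat out of the pipeline, for example by appending "| grep -v ' type vfat '" (mount prints "on /boot/efi type vfat (...)" for such entries), or add a sentence after the command telling the reviewer to disregard vfat lines in the output before calling a finding. As written the note and the command contradict each other.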
@@ -2125,19 +2020,19 @@ root /etc/cron.monthly root /etc/crontab root /etc/cron.weekly -If any crontab is not group owned by root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-232240All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files created by others. +If any crontab is not group owned by root, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-232240All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.<VulnDiscussion>If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. -Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001090Configure all public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. 
+Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001090Configure all RHEL 9 public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. -Set the owner of all public directories as root or a system account using the command, replace "[Public Directory]" with any directory path not owned by root or a system account: +Use the following command template to set ownership of public directories to root or a system account: -$ sudo chown root [Public Directory]Verify that world writable directories are owned by root, a system account, or an application account with the following command. It will discover and print world-writable directories that are not owned by root. 
Run it once for each local partition [PART]: +$ sudo chown [root or system account] [Public Directory]Verify RHEL 9 world writable directories are owned by root, a system account, or an application account with the following command: -$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print +$ sudo find / -xdev -type d -perm -0002 -uid +999 -exec stat -c "%U, %u, %A, %n" {} \; 2>/dev/null -If there is output, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-09-232245A sticky bit must be set on all RHEL 9 public directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If there is output that indicates world-writable directories are owned by any account other than root or an approved system account, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-09-232245A sticky bit must be set on all RHEL 9 public directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001090Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. 
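Review bot: the rewritten check for RHEL-09-232240, "sudo find / -xdev -type d -perm -0002 -uid +999 -exec stat -c "%U, %u, %A, %n" {} \; 2>/dev/null", drops the removed instruction "Run it once for each local partition [PART]" but keeps -xdev, which stops find at filesystem boundaries; starting from / it therefore examines only the root filesystem, and world-writable directories on any separately mounted local partition are never inspected. Keep the per-partition wording (find [PART] -xdev ...) or remove -xdev and exclude pseudo-filesystems another way. Also note that "-uid +999" replaces "-uid +0", so the command now lists only directories owned by UID 1000 and above; that is consistent with the finding text "owned by any account other than root or an approved system account" only if every system account has a UID below 1000, which the fix text "sudo chown [root or system account] [Public Directory]" should state as its assumption.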
@@ -2305,48 +2200,36 @@ $ sudo ip link set dev <devicename> multicast off promisc offSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-251045RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-251045RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to enable hardening for the BPF JIT compiler. 
-net.core.bpf_jit_harden = 2 +Create the drop-in file if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - -$ sudo sysctl --systemVerify RHEL 9 enables hardening for the BPF JIT with the following commands: - -$ sudo sysctl net.core.bpf_jit_harden +$ sudo vi /etc/sysctl.d/99-net_core-bpf_jit_harden.conf +Add the following line to the file: net.core.bpf_jit_harden = 2 -If the returned line does not have a value of "2", or a line is not returned, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 enables hardening for the BPF JIT compiler. -$ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the status of the "net.core.bpf_jit_harden" parameter with the following command: -/etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2 - -If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. +$ sudo sysctl net.core.bpf_jit_harden +net.core.bpf_jit_harden = 2 -If conflicting results are returned, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-09-252010RHEL 9 must have the chrony package installed.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. 
Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-004923CCI-001891The chrony package can be installed with the following command: +If "net.core.bpf_jit_harden" is not equal to "2" or is missing, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>RHEL-09-252010RHEL 9 must have the chrony package installed.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-004923CCI-001891The chrony package can be installed with the following command: $ sudo dnf install chronyVerify that RHEL 9 has the chrony package installed with the following command: 
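Review bot: the new check for RHEL-09-251045 verifies only the running value ("sudo sysctl net.core.bpf_jit_harden") and deletes both the grep over the sysctl configuration files and the sentence "If conflicting results are returned, this is a finding." Two regressions follow: a value set at runtime with sysctl -w but never written to a file now passes, and a conflicting entry in a file that sorts later overrides the new drop-in at the next "sysctl --system" without anything flagging it. The discussion text retained in this hunk explains exactly that ordering rule ("the entry in the file with the lexicographically latest name will take precedence"), and the removed lines cite /etc/sysctl.d/99-sysctl.conf, which sorts after the proposed 99-net_core-bpf_jit_harden.conf. Suggest keeping a second step that greps the persistent configuration (the directories listed in the discussion) for net.core.bpf_jit_harden and restoring the conflicting-results sentence.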
@@ -2522,7 +2405,7 @@ $ sudo rm /[path]/[to]/[file]/.shostsSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253010RHEL 9 must be configured to use TCP syncookies.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If a ".shosts" file is found, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253010RHEL 9 must be configured to use TCP syncookies.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. 
@@ -2530,7 +2413,7 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
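Review bot: the context line "Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user." sits inside the vulnerability discussion of RHEL-09-253010 (TCP syncookies, per the preceding hunk) and is the rationale for kernel.dmesg_restrict, not for net.ipv4.tcp_syncookies; the same copy-paste origin shows in the removed syncookies check further down, which greps for kernel.dmesg_restrict. Since this hunk already rewrites the adjacent sentence (lexicographic to lexicographical), it is the right place to replace that paragraph with a rationale that matches the rule, namely that syncookies let the host keep accepting legitimate connections during a SYN flood.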
@@ -2539,127 +2422,79 @@ The sysctl --system command will load settings from all system configuration fil /lib/sysctl.d/*.conf /etc/sysctl.conf -Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001095CCI-002385Configure RHEL 9 to use TCP syncookies. +Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001095CCI-002385Configure RHEL 9 to use TCP syncookies. 
-Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.tcp_syncookies = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-ipv4_tcp_syncookies.conf -Load settings from all system configuration files with the following command: +Add the following line to the file: +net.ipv4.tcp_syncookies = 1 -$ sudo sysctl --systemVerify RHEL 9 is configured to use IPv4 TCP syncookies. +Reload settings from all system configuration files with the following command: -Determine if syncookies are used with the following command: +$ sudo sysctl --systemVerify RHEL 9 is configured to use IPv4 TCP syncookies. -Check the status of TCP syncookies. +Check the value of all "tcp_syncookies" variables with the following command: $ sudo sysctl net.ipv4.tcp_syncookies - net.ipv4.tcp_syncookies = 1 -Check that the configuration files are present to enable this kernel parameter. - -$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:net.ipv4.tcp_syncookies = 1 +If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253015RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. 
-If "net.ipv4.tcp_syncookies" is not set to "1", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253015RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to ignore IPv4 ICMP redirect messages. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to ignore IPv4 ICMP redirect messages. -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.accept_redirects = 0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.accept_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 ignores IPv4 ICMP redirect messages. 
+$ sudo sysctl --systemVerify RHEL 9 will not accept IPv4 ICMP redirect messages. -Check the value of the "accept_redirects" variables with the following command: +Check the value of all "net.ipv4.conf.all.accept_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.all.accept_redirects - net.ipv4.conf.all.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. +If "net.ipv4.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253020RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -$ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0 - -If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253020RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not forward IPv4 source-routed packets. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to ignore IPv4 source-routed packets. -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.accept_source_route=0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_source.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not accept IPv4 source-routed packets. +$ sudo sysctl --systemVerify RHEL 9 will not accept IPv4 source-routed packets. -Check the value of the accept source route variable with the following command: +Check the value of the "accept_source_route" variable with the following command: $ sudo sysctl net.ipv4.conf.all.accept_source_route - net.ipv4.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. 
- -$ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0 - -If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253025RHEL 9 must log IPv4 packets with impossible addresses.<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. +If "net.ipv4.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253025RHEL 9 must log IPv4 packets with impossible addresses.<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -2669,40 +2504,32 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to log martian packets on IPv4 interfaces. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to log martian packets on IPv4 interfaces. + +Create a configuration file if it does not already exist: -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: +$ sudo vi /etc/sysctl.d/99-ipv4_log_martians.conf +Add the following line to the file: net.ipv4.conf.all.log_martians=1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 logs IPv4 martian packets. +$ sudo sysctl --systemVerify RHEL 9 logs IPv4 martian packets. -Check the value of the accept source route variable with the following command: +Check the value of the "log_martians" variable with the following command: $ sudo sysctl net.ipv4.conf.all.log_martians - net.ipv4.conf.all.log_martians = 1 -If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.all.log_martians /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.all.log_martians = 1 - -If "net.ipv4.conf.all.log_martians" is not set to "1" or is missing, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253030RHEL 9 must log IPv4 packets with impossible addresses by default.<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. +If "net.ipv4.conf.all.log_martians" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253030RHEL 9 must log IPv4 packets with impossible addresses by default.<VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -2712,167 +2539,115 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to log martian packets on IPv4 interfaces by default. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to log martian packets on IPv4 interfaces by default. -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.default.log_martians = 1 +$ sudo vi /etc/sysctl.d/99-ipv4_log_martians.conf -Load settings from all system configuration files with the following command: +Add the following line to the file: +net.ipv4.conf.default.log_martians=1 -$ sudo sysctl --systemVerify RHEL 9 logs IPv4 martian packets by default. +Reload settings from all system configuration files with the following command: -Check the value of the accept source route variable with the following command: +$ sudo sysctl --systemVerify RHEL 9 logs IPv4 martian packets by default. -$ sudo sysctl net.ipv4.conf.default.log_martians +Check the value of the "default.log_martians" variable with the following command: +$ sudo sysctl net.ipv4.conf.default.log_martians net.ipv4.conf.default.log_martians = 1 -If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. 
- -$ sudo grep -r net.ipv4.conf.default.log_martians /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +If "net.ipv4.conf.default.log_martians" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253035RHEL 9 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. -/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.default.log_martians = 1 - -If "net.ipv4.conf.default.log_martians" is not set to "1" or is missing, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253035RHEL 9 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file in the "/etc/sysctl.d" directory: - -net.ipv4.conf.all.rp_filter = 1 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -The system configuration files must be reloaded for the changes to take effect. 
To reload the contents of the files, run the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to use reverse path filtering on all IPv4 interfaces. -$ sudo sysctl --systemVerify RHEL 9 uses reverse path filtering on all IPv4 interfaces with the following commands: +Create a configuration file if it does not already exist: -$ sudo sysctl net.ipv4.conf.all.rp_filter +$ sudo vi /etc/sysctl.d/99-ipv4_rp_filter.conf +Add the following line to the file: net.ipv4.conf.all.rp_filter = 1 -If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. +Reload settings from all system configuration files with the following command: -$ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +$ sudo sysctl --systemVerify RHEL 9 uses reverse path filtering on all IPv4 interfaces. -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 +Check the value of the "rp_filter" variable with the following command: -If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing, or commented out, this is a finding. 
+$ sudo sysctl net.ipv4.conf.all.rp_filter +net.ipv4.conf.all.rp_filter = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253040RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If "net.ipv4.conf.all.rp_filter" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253040RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to prevent IPv4 ICMP redirect messages from being accepted. - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.accept_redirects = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --systemVerify RHEL 9 will not accept IPv4 ICMP redirect messages. 
+/lib/sysctl.d/*.conf +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to prevent IPv4 ICMP redirect messages from being accepted. -Check the value of the default "accept_redirects" variables with the following command: +Create a configuration file if it does not already exist: -$ sudo sysctl net.ipv4.conf.default.accept_redirects +$ sudo vi /etc/sysctl.d/99-ipv4_accept_redirects.conf +Add the following line to the file: net.ipv4.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 will not accept IPv4 ICMP redirect messages. -$ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the value of the default "accept_redirects" variable with the following command: -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0 - -If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing, or commented out, this is a finding. 
+$ sudo sysctl net.ipv4.conf.default.accept_redirects +net.ipv4.conf.default.accept_redirects = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253045RHEL 9 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If "net.ipv4.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253045RHEL 9 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not forward IPv4 source-routed packets by default. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not forward IPv4 source-routed packets by default. 
-Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.default.accept_source_route=0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_source_route.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.default.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not accept IPv4 source-routed packets by default. +$ sudo sysctl --systemVerify RHEL 9 does not accept IPv4 source-routed packets by default. -Check the value of the accept source route variable with the following command: +Check the value of the "accept source route" variable with the following command: $ sudo sysctl net.ipv4.conf.default.accept_source_route - net.ipv4.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0 - -If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing, or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253050RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. +If "net.ipv4.conf.default.accept_source_route" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253050RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.<VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
@@ -2881,544 +2656,371 @@ The sysctl --system command will load settings from all system configuration fil /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to use reverse path filtering on IPv4 interfaces by default. - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.conf.default.rp_filter = 1 - -Load settings from all system configuration files with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to use reverse path filtering on IPv4 interfaces by default. -$ sudo sysctl --systemVerify RHEL 9 uses reverse path filtering on IPv4 interfaces with the following commands: +Create a configuration file if it does not already exist: -$ sudo sysctl net.ipv4.conf.default.rp_filter +$ sudo vi /etc/sysctl.d/ipv4_rp_filter.conf +Add the following line to the file: net.ipv4.conf.default.rp_filter = 1 -If the returned line does not have a value of "1", or a line is not returned, this is a finding. 
+Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 uses reverse path filtering on IPv4 interfaces. -$ sudo grep -r net.ipv4.conf.default.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the value of the "net.ipv4.conf.default.rp_filter" with the following command: -/etc/sysctl.d/99-sysctl.conf:net.ipv4.conf.default.rp_filter = 1 - -If "net.ipv4.conf.default.rp_filter" is not set to "1" or is missing, this is a finding. +$ sudo sysctl net.ipv4.conf.default.rp_filter +net.ipv4.conf.default.rp_filter = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253055RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. +If the returned line does not have a value of "1", or a line is not returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253055RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. 
Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to ignore IPv4 ICMP echoes sent to a broadcast address. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.icmp_echo_ignore_broadcasts=1 +$ sudo vi /etc/sysctl.d/ipv4_icmp_echo_ignore_broadcasts.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.icmp_echo_ignore_broadcasts = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not respond to ICMP echoes sent to a broadcast address. +$ sudo sysctl --systemVerify RHEL 9 ignores ICMP echoes sent to a broadcast address. Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: $ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts - net.ipv4.icmp_echo_ignore_broadcasts = 1 -If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. 
+If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253060RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.<VulnDiscussion>Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. -$ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1 - -If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253060RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.<VulnDiscussion>Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not log bogus ICMP errors: - -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv4.icmp_ignore_bogus_error_responses = 1 +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not log bogus ICMP errors: -Load settings from all system configuration 
files with the following command: - -$ sudo sysctl --systemThe runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command: +Create a configuration file if it does not already exist: -$ sudo sysctl net.ipv4.icmp_ignore_bogus_error_responses +$ sudo vi /etc/sysctl.d/ipv4_icmp_ignore_bogus_error_responses.conf +Add the following line to the file: net.ipv4.icmp_ignore_bogus_error_responses = 1 -If "net.ipv4.icmp_ignore_bogus_error_responses" is not set to "1", this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 limits the number of bogus Internet Control Message Protocol (ICMP) response errors logs. -$ sudo grep -r net.ipv4.icmp_ignore_bogus_error_response /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Check the value of the "net.ipv4.icmp_ignore_bogus_error_response" variables with the following command: -/etc/sysctl.d/99-sysctl.conf:net.ipv4.icmp_ignore_bogus_error_responses = 1 - -If "net.ipv4.icmp_ignore_bogus_error_response" is not set to "1" or is missing, this is a finding. +$ sudo sysctl net.ipv4.icmp_ignore_bogus_error_responses +net.ipv4.icmp_ignore_bogus_error_responses = 1 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253065RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
+If "net.ipv4.icmp_ignore_bogus_error_response" is not set to "1" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253065RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.send_redirects=0 +$ sudo vi /etc/sysctl.d/ipv4_send_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.send_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not IPv4 ICMP redirect messages. 
+$ sudo sysctl --systemVerify RHEL 9 does not IPv4 ICMP redirect messages. Check the value of the "all send_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.all.send_redirects - net.ipv4.conf.all.send_redirects = 0 -If the returned line does not have a value of "0", or a line is not returned, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253070RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0 +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
-If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253070RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. -The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. 
+Create a configuration file if it does not already exist: -Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: +$ sudo vi /etc/sysctl.d/ipv4_send_redirect.conf +Add the following line to the file: net.ipv4.conf.default.send_redirects = 0 Load settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. - -Check the value of the "default send_redirects" variables with the following command: +$ sudo sysctl --systemCheck the value of the "default send_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.default.send_redirects - net.ipv4.conf.default.send_redirects=0 -If the returned line does not have a value of "0", or a line is not returned, this is a finding. +If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253075RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. -Check that the configuration files are present to enable this network parameter. 
- -$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.send_redirects | tail -1 - -net.ipv4.conf.default.send_redirects = 0 - -If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-253075RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. 
-Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.forwarding=0 +$ sudo vi /etc/sysctl.d/ipv4_forwarding.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.forwarding = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 is not performing IPv4 packet forwarding, unless the system is a router. +$ sudo sysctl --systemVerify RHEL 9 is not performing IPv4 packet forwarding unless the system is a router. -Check that IPv4 forwarding is disabled using the following command: +Check that "net.ipv4.conf.all.forwarding" is disabled using the following command: $ sudo sysctl net.ipv4.conf.all.forwarding - net.ipv4.conf.all.forwarding = 0 -If the IPv4 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0 - -If "net.ipv4.conf.all.forwarding" is not set to "0", is missing, or commented out, this is a finding. 
- -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254010RHEL 9 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. +If "net.ipv4.conf.all.forwarding" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254010RHEL 9 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.all.accept_ra=0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Load settings from all system configuration files with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. 
-$ sudo sysctl --systemVerify RHEL 9 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. +Create a configuration file if it does not already exist: -Note: If IPv6 is disabled on the system, this requirement is not applicable. - -Check to see if router advertisements are not accepted by using the following command: - -$ sudo sysctl net.ipv6.conf.all.accept_ra +$ sudo vi /etc/sysctl.d/ipv4_accept_ra.conf +Add the following line to the file: net.ipv6.conf.all.accept_ra = 0 -If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. -$ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0 +Check that "net.ipv6.conf.all.accept_ra" is set to not accept router advertisements by using the following command: -If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing, or commented out, this is a finding. +$ sudo sysctl net.ipv6.conf.all.accept_ra +net.ipv6.conf.all.accept_ra = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254015RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If "net.ipv6.conf.all.accept_ra" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254015RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to ignore IPv6 ICMP redirect messages. - -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.all.accept_redirects = 0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Load settings from all system configuration files with the following command: +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to ignore IPv6 ICMP redirect messages. -$ sudo sysctl --systemVerify RHEL 9 ignores IPv6 ICMP redirect messages. +Create a configuration file if it does not already exist: -Note: If IPv6 is disabled on the system, this requirement is not applicable. 
- -Check the value of the "accept_redirects" variables with the following command: - -$ sudo sysctl net.ipv6.conf.all.accept_redirects +$ sudo vi /etc/sysctl.d/ipv6_accept_redirects.conf +Add the following line to the file: net.ipv6.conf.all.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. +$ sudo sysctl --systemVerify RHEL 9 ignores IPv6 ICMP redirect messages. -$ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0 +Check the value of the "accept_redirects" variable with the following command: -If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing, or commented out, this is a finding. +$ sysctl net.ipv6.conf.all.accept_redirects +net.ipv6.conf.all.accept_redirects = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254020RHEL 9 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. 
+If "net.ipv6.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254020RHEL 9 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
/etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not forward IPv6 source-routed packets. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not accept IPv6 source-routed packets. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.all.accept_source_route=0 +$ sudo vi /etc/sysctl.d/ipv6_accept_source_route.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.all.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not accept IPv6 source-routed packets. 
+$ sudo sysctl --systemVerify RHEL 9 does not accept IPv6 source-routed packets. -Note: If IPv6 is disabled on the system, this requirement is not applicable. +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. -Check the value of the accept source route variable with the following command: +Check the value of the "net.ipv6.conf.all.accept_source_route" variable with the following command: $ sudo sysctl net.ipv6.conf.all.accept_source_route - net.ipv6.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0 +If "net.ipv6.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254025RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254025RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network. - -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.all.forwarding=0 +$ sudo vi /etc/sysctl.d/ipv6_forwarding.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.all.forwarding = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 is not performing IPv6 packet forwarding, unless the system is a router. +$ sudo sysctl --systemVerify RHEL 9 is not performing IPv6 packet forwarding, unless the system is a router. -Note: If IPv6 is disabled on the system, this requirement is not applicable. +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
-Check that IPv6 forwarding is disabled using the following commands: +Check the value of the "net.ipv6.conf.all.forwarding" variable with the following command: $ sudo sysctl net.ipv6.conf.all.forwarding - net.ipv6.conf.all.forwarding = 0 -If the IPv6 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0 - -If "net.ipv6.conf.all.forwarding" is not set to "0", is missing, or commented out, this is a finding. +If "net.ipv6.conf.all.forwarding" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254030RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254030RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. 
- -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. 
- -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: - -net.ipv6.conf.default.accept_ra=0 - -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf - -Load settings from all system configuration files with the following command: - -$ sudo sysctl --systemVerify RHEL 9 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. -Note: If IPv6 is disabled on the system, this requirement is not applicable. +Create a configuration file if it does not already exist: -Check to see if router advertisements are not accepted by default by using the following command: - -$ sudo sysctl net.ipv6.conf.default.accept_ra +$ sudo vi /etc/sysctl.d/ipv6_accept_ra.conf +Add the following line to the file: net.ipv6.conf.default.accept_ra = 0 -If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. +Reload settings from all system configuration files with the following command: -Check that the configuration files are present to enable this network parameter. 
+$ sudo sysctl --systemVerify RHEL 9 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. -$ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0 +Check the value of the "net.ipv6.conf.default.accept_ra" variable with the following command: -If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing, or commented out, this is a finding. +$ sudo sysctl net.ipv6.conf.default.accept_ra +net.ipv6.conf.default.accept_ra = 0 -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254035RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. +If "net.ipv6.conf.default.accept_ra" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254035RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to prevent IPv6 ICMP redirect messages from being accepted. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to prevent IPv6 ICMP redirect messages from being accepted. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.default.accept_redirects = 0 +$ sudo vi /etc/sysctl.d/ipv6_accept_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.default.accept_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 will not accept IPv6 ICMP redirect messages. +$ sudo sysctl --systemVerify RHEL 9 to prevent IPv6 ICMP redirect messages. -Note: If IPv6 is disabled on the system, this requirement is not applicable. +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
-Check the value of the default "accept_redirects" variables with the following command: +Check the value of the "net.ipv6.conf.default.accept_redirects" variables with the following command: $ sudo sysctl net.ipv6.conf.default.accept_redirects - net.ipv6.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0 - -If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254040RHEL 9 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. +If "net.ipv6.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-254040RHEL 9 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It must be disabled unless it is absolutely required. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not forward IPv6 source-routed packets by default. 
+/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not accept IPv6 source-routed packets by default. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.default.accept_source_route=0 +$ sudo vi /etc/sysctl.d/ipv6_accept_source_route.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.default.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: -$ sudo sysctl --systemVerify RHEL 9 does not accept IPv6 source-routed packets by default. +$ sudo sysctl --systemVerify RHEL 9 does not accept IPv6 source-routed packets by default. -Note: If IPv6 is disabled on the system, this requirement is not applicable. +Note: If IPv6 is disabled on the system, this requirement is Not Applicable. 
-Check the value of the accept source route variable with the following command: +Check the value of the "net.ipv6.conf.default.accept_source_route" variables with the following command: $ sudo sysctl net.ipv6.conf.default.accept_source_route - net.ipv6.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. - -Check that the configuration files are present to enable this network parameter. - -$ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf - -/etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0 - -If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing, or commented out, this is a finding. - -If conflicting results are returned, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-09-255010All RHEL 9 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If "net.ipv6.conf.default.accept_source_route" is not set to "0" or is missing, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-09-255010All RHEL 9 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
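Review bot: The rewritten check text for RHEL-09-254015 through RHEL-09-254040 drops the persistence checks (the `grep -r` over /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d, /etc/sysctl.conf and /etc/sysctl.d, and the "If conflicting results are returned, this is a finding." clause) and now inspects only the running value via `sysctl`. The VulnDiscussion kept in the same hunk still explains that the lexicographically latest file wins under `sysctl --system`, so a host whose runtime value is 0 but whose config files carry a conflicting later-sorted entry passes this check and regresses at the next reload; keep the file-based check alongside the runtime one, or at least carry over the removed "Remove any configurations that conflict with the above" paragraph into the new fix text. Smaller points in the same hunk: the 254015 check reads `$ sysctl net.ipv6.conf.all.accept_redirects` without `sudo`, unlike every sibling rule; the 254035 check heading `Verify RHEL 9 to prevent IPv6 ICMP redirect messages.` is ungrammatical (the removed text read "will not accept"); the 254035 and 254040 checks say "variables" for a single parameter; and the fix summaries for 254020 and 254040 now say "not accept" while the rule titles still say "must not forward". Note also that 254015 and 254035 both point at `/etc/sysctl.d/ipv6_accept_redirects.conf`, and 254020 and 254040 both at `ipv6_accept_source_route.conf`, which only works if an admin following the second rule appends to the file rather than replacing its contents; the fix text should say so.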
@@ -3716,10 +3318,10 @@ root /etc/ssh/sshd_config.d root /etc/ssh/sshd_config.d/50-cloud-init.conf root /etc/ssh/sshd_config.d/50-redhat.conf -If the "/etc/ssh/sshd_config" file or "/etc/ssh/sshd_config.d" or any files in the "sshd_config.d" directory do not have an owner of "root", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-255115RHEL 9 SSH server configuration files' permissions must not be modified.<VulnDiscussion>Service configuration files enable or disable features of their respective services, that if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must have correct permissions (owner, group owner, mode) to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Run the following commands to restore the correct permissions of OpenSSH server configuration files: +If the "/etc/ssh/sshd_config" file or "/etc/ssh/sshd_config.d" or any files in the "sshd_config.d" directory do not have an owner of "root", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-255115RHEL 9 SSH server configuration files' permissions must not be modified.<VulnDiscussion>Service configuration files enable or disable features of their respective services, that if configured incorrectly, can lead to insecure and vulnerable configurations. 
Therefore, service configuration files must have correct permissions (owner, group owner, mode) to prevent unauthorized changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Run the following commands to restore the correct permissions of OpenSSH server configuration files: -$ rpm --setugids openssh-server -$ rpm --setperms openssh-serverVerify the permissions of the "/etc/ssh/sshd_config" file with the following command: +$ sudo rpm --setugids openssh-server +$ sudo rpm --setperms openssh-serverVerify the permissions of the "/etc/ssh/sshd_config" file with the following command: $ sudo rpm --verify openssh-server | awk '! ($2 == "c" && $1 ~ /^.\..\.\.\.\..\./) {print $0}' 
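Review bot: Adding `sudo` to `rpm --setugids openssh-server` and `rpm --setperms openssh-server` is right, but both commands only reset files owned by the openssh-server package, while the ownership check in the unchanged context just above lists `/etc/ssh/sshd_config.d/50-cloud-init.conf`, which is created by cloud-init rather than shipped by openssh-server. The fix text for RHEL-09-255115 should state that drop-ins in `sshd_config.d` that come from other sources must be corrected separately (with `chown`/`chmod` or the owning package's own `rpm --setperms`), otherwise the `rpm --verify openssh-server` check in this hunk and the stat-based ownership check above can disagree on the same host.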
@@ -3755,7 +3357,12 @@ $ sudo stat -c "%a %n" /etc/ssh/*.pub 644 /etc/ssh/ssh_host_ed25519_key.pub 644 /etc/ssh/ssh_host_rsa_key.pub -If any key.pub file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-255130RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the SSH daemon to not allow compression. +If any key.pub file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-255130RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. 
+ +Compression options are: +no - disables compression +delayed - allow compression only after authentication +yes - enables compression before authentication, which can leak sensitive metadata and is not recommended</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure the SSH daemon to not allow compression. Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" on the system and set the value to "delayed" or "no": @@ -3763,11 +3370,10 @@ Compression no The SSH service must be restarted for changes to take effect: -$ sudo systemctl restart sshd.serviceVerify the SSH daemon performs compression after a user successfully authenticates with the following command: +$ sudo systemctl restart sshd.serviceVerify the RHEL 9 SSH daemon performs compression after a user successfully authenticates with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*compression' - -Compression delayed +/etc/ssh/sshd_config:Compression no If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000364-GPOS-00151<GroupDescription></GroupDescription>RHEL-09-255135RHEL 9 SSH daemon must not allow GSSAPI authentication.<VulnDiscussion>Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. 
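Review bot: the new sample output `/etc/ssh/sshd_config:Compression no` is the right correction, because the check pipes into `grep -iH`, which prints `file:line`, so the old sample `Compression delayed` could never have matched real output. Since the fix text accepts either `delayed` or `no`, and the finding text only flags `yes`, a missing keyword, or a commented line, the three pieces are now consistent. Minor style point on the added option list in the VulnDiscussion: the three bullets use a bare `no - ...` / `delayed - ...` / `yes - ...` form inside a paragraph; the other VulnDiscussion blocks in this file write such lists as sentences, so consider matching that.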
@@ -4009,7 +3615,7 @@ $ gsettings get org.gnome.desktop.media-handling autorun-never true -If "autorun-never" is set to "false", and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-09-271035RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.<VulnDiscussion>Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. +If "autorun-never" is set to "false", and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>RHEL-09-271035RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.<VulnDiscussion>Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000778CCI-001958Configure the GNOME desktop to not allow a user to change the setting that disables autorun on removable media. 
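Review bot: the VulnDiscussion retained in the `+` line still only describes replay-resistant authentication (nonces, challenges, one-time authenticators) and says nothing about why a user must not be able to override the `autorun-never` lock, which is what RHEL-09-271035 is titled; the added `Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227` line lists the mapped SRGs but does not fill that gap. Suggest adding one sentence of rationale in the style of the later idle-delay rule ("As such, users should not be allowed to change session settings") so the discussion matches the check `gsettings writable org.gnome.desktop.media-handling autorun-never`.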
@@ -4019,11 +3625,11 @@ Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock Then update the dconf system databases: -$ sudo dconf updateNote: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. +$ sudo dconf updateNote: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Verify RHEL 9 disables ability of the user to override the graphical user interface autorun setting. -Determine which profile the system database is using with the following command: +Check that the autorun setting is set to prevent user modification with the following command: $ gsettings writable org.gnome.desktop.media-handling autorun-never 
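Review bot: replacing "Determine which profile the system database is using with the following command" with "Check that the autorun setting is set to prevent user modification with the following command" is the correct fix, since the command that follows is `$ gsettings writable org.gnome.desktop.media-handling autorun-never`, which reports writability and does not identify a dconf profile. The first `-`/`+` pair (`$ sudo dconf updateNote: This requirement assumes ...`) reads identically on both sides, so it appears to be a whitespace-only change; confirm that is intended, as it adds diff noise to an otherwise targeted edit.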
@@ -4144,31 +3750,31 @@ $ gsettings writable org.gnome.desktop.screensaver lock-enabled false -If "lock-enabled" is writable and the result is "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-09-271065RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. +If "lock-enabled" is writable and the result is "true", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-09-271065RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. 
-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000057CCI-000060Configure RHEL 9 to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. +Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000057CCI-000060Configure RHEL 9 to initiate a screensaver after a 10-minute period of inactivity for graphical user interfaces. 
-Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: +Create a database to contain the systemwide screensaver settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: [org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 +# Set the lock time out to 600 seconds before the session is considered idle +idle-delay=uint32 600 Update the system databases: -$ sudo dconf updateVerify RHEL 9 initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command: +$ sudo dconf updateVerify RHEL 9 initiates a session lock after a 10-minute period of inactivity for graphical user interfaces with the following command: Note: This requirement assumes the use of the RHEL 9 default graphical user interface, the GNOME desktop environment. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo gsettings get org.gnome.desktop.session idle-delay -uint32 900 +uint32 600 -If "idle-delay" is set to "0" or a value greater than "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-09-271070RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. 
As such, users should not be allowed to change session settings. +If "idle-delay" is set to "0" or a value greater than "600", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>RHEL-09-271070RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000057CCI-000060Configure RHEL 9 to prevent a user from overriding settings for graphical user interfaces. 
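Review bot: the 15-minute to 10-minute change is applied consistently across all the places it has to be: the rule title, the "10-minute period of inactivity" fix and check sentences, the `# Set the lock time out to 600 seconds` comment, `idle-delay=uint32 600`, the sample output `uint32 600`, and the finding threshold "a value greater than "600"". Since the threshold and the configured value are the same number, a value of exactly 600 passes, which is the intended reading. Style point: "system-wide" became "systemwide" here while the rest of the file is not touched; if that is a house-style change, it should be applied uniformly rather than in one hunk.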
@@ -4621,22 +4227,25 @@ djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash Inspect the output and verify that all interactive users (normally users with a user identifier (UID) greater that 1000) have a home directory defined. -If users home directory is not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-411065All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": +If users home directory is not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-411065All RHEL 9 local interactive user home directories defined in the /etc/passwd file must exist.<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. 
This could create a denial of service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": -Note: The example will be for the user wadea, who has a home directory of "/home/wadea", a user identifier (UID) of "wadea", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". +Note: The example will be for the user wadea, who has a home directory of "/home/wadea", a user identifier (UID) of "wadea", and a group identifier (GID) of "users assigned" in "/etc/passwd". $ sudo mkdir /home/wadea $ sudo chown wadea /home/wadea $ sudo chgrp users /home/wadea -$ sudo chmod 0750 /home/wadeaVerify the assigned home directories of all interactive users on the system exist with the following command: +$ sudo chmod 0750 /home/wadeaVerify the assigned home directories of all interactive users on the system exist with the following command: $ sudo pwck -r -user 'mailnull': directory 'var/spool/mqueue' does not exist +The output should not return any interactive (human) users. + +Ask the system administrator (SA) if any users found without home directories are local interactive users. 
+If the SA is unable to provide a response, check for users with a user identifier (UID) of 1000 or greater with the following command: -The output should not return any interactive users. +$ awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd -If users home directory does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-411070All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". 
To change the group owner of a local interactive user's home directory, use the following command: +If any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-411070All RHEL 9 local interactive user home directories must be group-owned by the home directory owner's primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "wadea", who has a home directory of "/home/wadea", and has a primary group of users. 
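Review bot: the new finding sentence "If any interactive users do not have a home directory assigned, this is a finding" blurs the distinction this rule depends on: RHEL-09-411065 is titled "... home directories defined in the /etc/passwd file must exist", and the previous rule in this hunk already covers the "not defined" case ("If users home directory is not defined, this is a finding"). Suggest wording it as "If any interactive user's assigned home directory does not exist, this is a finding", which also matches what `$ sudo pwck -r` reports. Two smaller points: the added fallback `$ awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd` lists candidate interactive accounts but does not itself check directory existence, so the text should say it only narrows the list the SA is asked about; and the retained note "a user identifier (UID) of "wadea"" still gives a username where a UID is meant, worth fixing while the sentence is being edited for "group identifier (GID)".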
@@ -4748,15 +4357,7 @@ If the "dir" option is not set to a nondefault documented tally log directory or $ cut -d : -f 3 /etc/group | uniq -d -If the system has duplicate GIDs, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-411115Local RHEL 9 initialization files must not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Set the mode on files being executed by the local initialization files with the following command: - -$ sudo chmod 0755 <file>Verify that local initialization files do not execute world-writable programs with the following command: - -Note: The example will be for a system that is configured to create user home directories in the "/home" directory. 
- -$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \; - -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-09-412035RHEL 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. +If the system has duplicate GIDs, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-09-412035RHEL 9 must automatically exit interactive command shell user sessions after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle interactive command shell user session within a short time period reduces the window of opportunity for unauthorized personnel to take control of it when left unattended in a virtual terminal or physical console. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000057CCI-001133Configure RHEL 9 to exit interactive command shell user sessions after 10 minutes of inactivity. 
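Review bot: this hunk removes the whole of RHEL-09-411115 ("Local RHEL 9 initialization files must not execute world-writable programs"), including its fix (`$ sudo chmod 0755 <file>`) and the `$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;` check, and the surrounding text now runs straight from "If the system has duplicate GIDs, this is a finding." into SRG-OS-000163-GPOS-00072 / RHEL-09-412035, so the splice is clean. The reason for dropping the rule is not recorded anywhere in the hunk; the commit message or PR description should state it (for example that the upstream STIG release retired the rule), and any profile, control file or rule reference in this repository that still points at RHEL-09-411115 needs the same update or the build will carry a dangling reference.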
@@ -4862,29 +4463,28 @@ $ grep umask /etc/profile umask 077 -If the value for the "umask" parameter is not "077", or the "umask" parameter is missing or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-412075RHEL 9 must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
+If the value for the "umask" parameter is not "077", or the "umask" parameter is missing or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-09-412080RHEL 9 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001133Configure RHEL 9 to log out idle sessions. -Add the following line to the top of "/etc/pam.d/postlogin": +Create the directory if necessary: -session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred with the following command: +$ mkdir -p /etc/systemd/logind.conf.d/ -$ sudo grep pam_lastlog /etc/pam.d/postlogin +Create a *.conf file in /etc/systemd/logind.conf.d/ with the following content: -session required pam_lastlog.so showfailed +[Login] +StopIdleSessionSec=600 +KillUserProcesses=no -If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-09-412080RHEL 9 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left 
unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001133Configure RHEL 9 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: +Restart systemd-logind: -StopIdleSessionSec=900 +$ systemctl restart systemd-logindVerify RHEL 9 logs out sessions that are idle for 10 minutes with the following command: -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: +$ systemd-analyze cat-config systemd/logind.conf | grep StopIdleSessionSec -$ sudo systemctl restart systemd-logindVerify that RHEL 9 logs out sessions that are idle for 15 minutes with the following command: +#StopIdleSessionSec=infinity +StopIdleSessionSec=600 -$ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf - -StopIdleSessionSec=900 - -If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-09-431010RHEL 9 must use a Linux Security Module configured to enforce limits on system services.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. +If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-09-431010RHEL 9 must use a Linux Security Module configured to enforce limits on system services.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. 
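Review bot: the rewritten RHEL-09-412080 fix drops the `sudo` prefix that the old text had (`$ sudo systemctl restart systemd-logind`) and that the rest of this document uses for privileged commands; `$ mkdir -p /etc/systemd/logind.conf.d/` and `$ systemctl restart systemd-logind` both need root, so they should read `$ sudo mkdir -p ...` and `$ sudo systemctl restart systemd-logind` for consistency. The move from editing `/etc/systemd/logind.conf` to a drop-in under `/etc/systemd/logind.conf.d/` is an improvement, and checking with `systemd-analyze cat-config systemd/logind.conf | grep StopIdleSessionSec` correctly sees both the main file and drop-ins; the sample output showing `#StopIdleSessionSec=infinity` followed by `StopIdleSessionSec=600` illustrates that. Two things to document: the new `KillUserProcesses=no` line has no rationale in the fix or VulnDiscussion text, and this same hunk silently deletes RHEL-09-412075 (the `pam_lastlog.so showfailed` rule), which should be called out in the commit message alongside the 900 to 600 second change.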
@@ -5048,7 +4648,7 @@ $ sudo grep -iwR 'ALL' /etc/sudoers /etc/sudoers.d/ | grep -v '#' If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-09-432035RHEL 9 must restrict the use of the "su" command.<VulnDiscussion>The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice. +ALL ALL=(ALL:ALL) ALLSRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-09-432035RHEL 9 must restrict the use of the "su" command.<VulnDiscussion>The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-004895CCI-002165CCI-002038Configure RHEL 9 to require users to be in the "wheel" group to run "su" command. 
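Review bot: only the `Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123` line is new in this hunk, so it is a mapping-only change; since the VulnDiscussion sentence is being re-emitted in the `+` line anyway, the grammar slip "The "su" program allows to run commands with a substitute user and group ID" could be corrected to "allows running commands" in the same edit.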
@@ -5058,13 +4658,13 @@ In file "/etc/pam.d/su", uncomment the following line: $ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su -If necessary, create a "wheel" group and add administrative users to the group.Verify that RHEL 9 requires uses to be members of the "wheel" group with the following command: +If necessary, create a "wheel" group and add administrative users to the group.Verify RHEL 9 includes users who require privilege escalation to be members of the "wheel" group with the following command: -$ grep pam_wheel /etc/pam.d/su +$ sudo grep pam_wheel /etc/pam.d/su auth required pam_wheel.so use_uid -If a line for "pam_wheel.so" does not exist, or is commented out, this is a finding.SRG-OS-000370-GPOS-00155<GroupDescription></GroupDescription>RHEL-09-433010RHEL 9 fapolicy module must be installed.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allow listing. +If a line for "pam_wheel.so" does not exist, or the line is commented out, this is a finding.SRG-OS-000370-GPOS-00155<GroupDescription></GroupDescription>RHEL-09-433010RHEL 9 fapolicy module must be installed.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as allow listing. Utilizing an allow list provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of allow listed software occurs prior to execution or at system startup. 
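Review bot: the new check sentence "Verify RHEL 9 includes users who require privilege escalation to be members of the "wheel" group" does not describe what `$ sudo grep pam_wheel /etc/pam.d/su` actually verifies; the command shows whether `auth required pam_wheel.so use_uid` is active, i.e. that `su` requires wheel membership, not which users are in the group. Suggest "Verify RHEL 9 requires users to be members of the "wheel" group to run "su" with the following command", which also fixes the "requires uses" typo the old line had. The finding-text change to "or the line is commented out" is fine.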
@@ -5448,17 +5048,17 @@ $ sudo passwd -l [username]SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-09-611160RHEL 9 must use the common access card (CAC) smart card driver.<VulnDiscussion>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. +If the command returns any results, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>RHEL-09-611160RHEL 9 must use the common access card (CAC) smart card driver.<VulnDiscussion>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. -Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000764CCI-000766CCI-000765CCI-004045CCI-001941CCI-000767CCI-000768CCI-000770CCI-001942Configure RHEL 9 to load the CAC driver. 
+Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000764CCI-000766CCI-000765CCI-004045CCI-001941CCI-000767CCI-000768CCI-000770CCI-001942Configure RHEL 9 to load the CAC driver. -$ sudo opensc-tool --set-conf-entry app:default:card_driver:cac +$ sudo opensc-tool --set-conf-entry app:default:card_drivers:cac Restart the pcscd service to apply the changes: -$ sudo systemctl restart pcscdVerify that RHEL loads the CAC driver with the following command: +$ sudo systemctl restart pcscdVerify RHEL loads the CAC driver with the following command: -$ sudo opensc-tool --get-conf-entry app:default:card_drivers cac +$ sudo opensc-tool --get-conf-entry app:default:card_drivers cac 
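Review bot: the rename from `app:default:card_driver:cac` to `app:default:card_drivers:cac` in the fix text is the real correction here, since the check already queried `app:default:card_drivers`; before this change the fix and the check referred to different keys. The `+$ sudo opensc-tool --get-conf-entry app:default:card_drivers cac` line is visibly identical to the `-` line it replaces, so the only difference is trailing whitespace or a line ending; confirm that is intended and not editor noise.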
@@ -5541,15 +5141,15 @@ Example output: opensc.x86_64 0.22.0-2.el9 -If the "opensc" package is not installed, this is a finding.SRG-OS-000067-GPOS-00035<GroupDescription></GroupDescription>RHEL-09-611190RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. +If the "opensc" package is not installed, this is a finding.SRG-OS-000067-GPOS-00035<GroupDescription></GroupDescription>RHEL-09-611190RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. 
-Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000186Create a new private and public key pair that utilizes a passcode with the following command: +Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000186Create a new private and public key pair that utilizes a passcode with the following command: -$ sudo ssh-keygen -n [passphrase]Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. +$ sudo ssh-keygen -N [passphrase]Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. Verify the SSH private key files have a passcode. 
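Review bot: `-N` is the correct flag; `ssh-keygen -n` sets certificate principals, so the old fix text would have produced an error rather than a passphrase-protected key. The command still names no key file with `-f`, so ssh-keygen will prompt for the path, which is acceptable for fix text, but a passphrase given on the command line ends up in shell history, so omitting `-N` and answering the interactive prompt is the safer form to recommend.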
@@ -5560,43 +5160,61 @@ $ sudo ssh-keygen -y -f /path/to/file The expected output is a password prompt: "Enter passphrase:" -If the password prompt is not displayed, and the contents of the key are displayed, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-611195RHEL 9 must require authentication to access emergency mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If the password prompt is not displayed, and the contents of the key are displayed, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-611195RHEL 9 must require authentication to access emergency mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. 
Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. + +This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to require authentication for emergency mode. + +Create a directory for supplementary configuration files: +$ sudo mkdir /etc/systemd/system/emergency.service.d/ -This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to require authentication for emergency mode. 
+Copy the original file emergency.service file to the new directory with: +$ sudo cp /usr/lib/systemd/system/emergency.service /etc/systemd/system/emergency.service.d/emergency.service.conf -Add or modify the following line in the "/usr/lib/systemd/system/emergency.service" file: +Open the new file: +$ sudo vi /etc/systemd/system/emergency.service.d/emergency.service.conf -ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergencyVerify that RHEL 9 requires authentication for emergency mode with the following command: +Add or modify the following line in the new file: +ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + +Comment out or remove the ExecStart and ExecStartPre lines in /usr/lib/systemd/system/emergency.service as they can only exist in one location. + +Apply changes to unit files without rebooting the system: +$ sudo systemctl daemon-reloadVerify RHEL 9 requires authentication for emergency mode with the following command: $ grep sulogin /usr/lib/systemd/system/emergency.service ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency -If this line is not returned, or is commented out, this is a finding. If the output is different, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-611200RHEL 9 must require authentication to access single-user mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If the line is not returned from the default systemd file, use the following command to look for modifications to the emergency.service: + +$ grep sulogin /etc/systemd/system/emergency.service.d/*.conf + +If the line is not returned from either location this is a finding. + +Note: The configuration setting can only be in either the default location, or in the drop in file, not both locations.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-611200RHEL 9 must require authentication to access single-user mode.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. This requirement prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. To modify properties, such as dependencies or timeouts, of a service that is handled by a SysV initscript, do not modify the initscript itself. 
Instead, create a systemd drop-in configuration file for the service. Then manage this service in the same way as a normal systemd service. -For example, to extend the configuration of the network service, do not modify the /etc/rc.d/init.d/network initscript file. Instead, create new directory /etc/systemd/system/network.service.d/ and a systemd drop-in file /etc/systemd/system/network.service.d/my_config.conf. Then, put the modified values into the drop-in file. Note: systemd knows the network service as network.service, which is why the created directory must be called "network.service.d".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to require authentication for single-user mode. +For example, to extend the configuration of the network service, do not modify the /etc/rc.d/init.d/network initscript file. Instead, create new directory /etc/systemd/system/network.service.d/ and a systemd drop-in file /etc/systemd/system/network.service.d/my_config.conf. Then, put the modified values into the drop-in file. 
Note: systemd knows the network service as network.service, which is why the created directory must be called "network.service.d".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000213Configure RHEL 9 to require authentication for single-user mode. -Create a directory for supplementary configuration files at /etc/systemd/system/rescue.service.d/ +Create a directory for supplementary configuration files: +$ sudo mkdir /etc/systemd/system/rescue.service.d/ Copy the original file rescue.service file to the new directory with: - $ sudo cp /usr/lib/systemd/system/rescue.service /etc/systemd/system/rescue.service.d/rescue.service.conf -Add or modify the following line in the "etc/systemd/system/rescue.service.d/rescue.service.conf" file: +Open the new file: +$ sudo vi etc/systemd/system/rescue.service.d/rescue.service.conf +Add this line to the new file: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue -Apply changes to unit files without rebooting the system: - -$ sudo systemctl daemon-reload - -If the modified unit file belongs to a running service, restart the service: +Comment out or remove the ExecStart and ExecStartPre lines in /usr/lib/systemd/system/rescue.service as they can only exist in one location. -$ sudo systemctl restart rescue.serviceVerify RHEL 9 requires authentication for single-user mode with the following command: +Apply changes to unit files without rebooting the system: +$ sudo systemctl daemon-reloadVerify RHEL 9 requires authentication for single-user mode with the following command: $ grep sulogin /usr/lib/systemd/system/rescue.service 
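Review bot: the drop-in recipe in this hunk copies the whole vendor unit into `emergency.service.d/emergency.service.conf` (and likewise for rescue) and then tells the administrator to comment out `ExecStart` and `ExecStartPre` in `/usr/lib/systemd/system/emergency.service`; that is a vendor file that the next systemd package update overwrites, silently restoring the unauthenticated shell. The systemd way to override `ExecStart` from a drop-in is to reset it first, so a drop-in containing only `[Service]`, `ExecStart=`, `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency` needs no edit of the vendor unit and survives updates. Two smaller points in the same hunk: `$ sudo vi etc/systemd/system/rescue.service.d/rescue.service.conf` is missing the leading slash, and the check greps `/usr/lib/systemd/system/emergency.service` first, which under the recommended edit has the line commented out, so only the fallback grep of the drop-in does real work; `systemctl cat emergency.service` shows the unit with its drop-ins applied and would cover both locations in one command.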
@@ -5686,7 +5304,7 @@ $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/con offline_credentials_expiration = 1 -If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-09-651010RHEL 9 must have the AIDE package installed.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. +If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-09-651010RHEL 9 must have the AIDE package installed.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Selection lines in the aide.conf file determine which files and directories AIDE will monitor for changes. They follow this format: 
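Review bot: the only change in this hunk is a line break inserted inside the VulnDiscussion text before "Selection lines in the aide.conf file"; the same whitespace-only reflow appears in the hunks at @@ -5983 and @@ -6272. Confirm these match the upstream DISA release text rather than an editor reflow, since the whitespace is part of the text node and shows up as a content diff.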
@@ -5740,21 +5358,23 @@ Example output: 2023-06-05 10:16:08 -0600 (AIDE 0.16) AIDE found NO differences between database and filesystem. Looks okay!! -...Verify the file integrity tool is configured to verify ACLs. +...Verify the file integrity tool is configured to verify ACLs. Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory. -If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. +Verify AIDE is installed with the following command: -Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf": +$ sudo dnf list installed aide -$ sudo find / -name aide.conf +Updating Subscription Management repositories. +Installed Packages +aide.x86_64 0.16-103.el9 @rhel-9-for-x86_64-appstream-rpms -Use the following command to review the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists: +Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf": -$ sudo cat /etc/aide.conf | more +$ sudo find / -name aide.conf -If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-09-651015RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. 
+If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>RHEL-09-651015RHEL 9 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's information management officer (IMO)/information system security officer (ISSO) and system administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. 
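Review bot: the rewritten check drops the finding criterion. The removed block ended with reviewing `/etc/aide.conf` and stating that if the `acl` rule is not used on all selection lines, is commented out, or ACLs are not checked by another file integrity tool, this is a finding; the new text ends at "ask the system administrator (SA) how file integrity checks are performed" and never says what to look for in aide.conf or what constitutes a finding, so a rule titled "configured to verify ACLs" no longer checks ACLs at all. Restore the aide.conf review step and the finding sentence after the `find / -name aide.conf` step. Minor: the `dnf list installed aide` listing pins `aide.x86_64 0.16-103.el9`, which will drift; labelling it as example output, as the context line above does for the AIDE run, avoids it being read as the required version.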
@@ -5879,11 +5499,14 @@ $ systemctl is-active rsyslog active -If the rsyslog service is not active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-652025RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. +If the rsyslog service is not active, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-652025RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.<VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. -If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not receive remote logs using rsyslog. 
+If the system is intended to be a log aggregation server, its use must be documented with the information system security officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Configure RHEL 9 to not receive remote logs using rsyslog. Remove the lines in /etc/rsyslog.conf and any files in the /etc/rsyslog.d directory that match any of the following: +InputTCPServerRun +UDPServerRun +RELPServerRun module(load="imtcp") module(load="imudp") module(load="imrelp") 
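Review bot: the three legacy names added to the removal list (`InputTCPServerRun`, `UDPServerRun`, `RELPServerRun`) are written without the `$` that legacy rsyslog directives carry, and the RELP directive is `$InputRELPServerRun`; as bare substrings they still match in a grep, but as a list of lines to remove they are misleading. The legacy counterparts of the `module(load=...)` lines, `$ModLoad imtcp`, `$ModLoad imudp` and `$ModLoad imrelp`, are not listed either, even though the check's grep for `imtcp`, `imudp` and `imrelp` will report them; add them so the fix text and the check agree.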
@@ -5893,21 +5516,21 @@ input(type="imrelp" port="514") The rsyslog daemon must be restarted for the changes to take effect: -$ sudo systemctl restart rsyslog.serviceNote: If the system administrator can demonstrate that another tool (e.g., SPLUNK) is being used to manage log offload and aggregation in lieu of rsyslog, this check is not applicable. +$ sudo systemctl restart rsyslog.serviceNote: If the system administrator can demonstrate that another tool (e.g., SPLUNK) is being used to manage log off-load and aggregation in lieu of rsyslog, this check is not applicable. -Verify that RHEL 9 is not configured to receive remote logs using rsyslog with the following commands: +Verify RHEL 9 is not configured to receive remote logs using rsyslog with the following commands: $ ss -tulnp | grep rsyslog -If no output is returned, rsyslog is not listening for remote logs. +If no output is returned, rsyslog is not listening for remote messages, and is compliant. If output appears, check for configured ports (514 is the default for syslog). Check for remote logging configuration in rsyslog by examining the rsyslog configuration files: -$ sudo grep -E 'InputTCPServerRun | UDPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/* +$ sudo grep -E 'InputTCPServerRun | UDPServerRun | RELPServerRun | imtcp | imudp | imrelp' /etc/rsyslog.conf /etc/rsyslog.d/* -If uncommented lines are returned, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>RHEL-09-652030All RHEL 9 remote access methods must be monitored.<VulnDiscussion>Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. 
It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000067Add or update the following lines to the "/etc/rsyslog.conf" file or a file in "/etc/rsyslog.d": +If this command returns uncommented lines enabling network listeners, the system is accepting remote logs. If this system is not documented and authorized as a log aggregation server, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>RHEL-09-652030All RHEL 9 remote access methods must be monitored.<VulnDiscussion>Logging remote access methods can be used to trace the decrease in the risks associated with remote user access management. It can also be used to spot cyberattacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000067Add or update the following lines to the "/etc/rsyslog.conf" file or a file in "/etc/rsyslog.d": auth.*;authpriv.*;daemon.* /var/log/secure 
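Review bot: the widened pattern `'InputTCPServerRun | UDPServerRun | RELPServerRun | imtcp | imudp | imrelp'` has spaces inside the alternation, and in `grep -E` each space is part of its alternative: ` imtcp `, ` imudp ` and ` imrelp` require a surrounding space and never match `module(load="imtcp")` or `input(type="imudp" port="514")`, and ` UDPServerRun ` never matches the legacy `$UDPServerRun 514` because `$` precedes the name, so the check misses every listener form except `$InputTCPServerRun`. Drop the spaces: `grep -E 'InputTCPServerRun|UDPServerRun|RELPServerRun|imtcp|imudp|imrelp'`. The old pattern had the same defect, but this hunk extends the list and is the place to fix it.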
@@ -5983,7 +5606,7 @@ $ grep -Ei 'DefaultNetStreamDriver\b|StreamDriver.Name' /etc/rsyslog.conf /etc/r If the value of the "$DefaultNetstreamDriver or StreamDriver" option is not set to "gtls" or the line is commented out, this is a finding. -If the variable name "StreamDriver" is present in an omfwd statement block, this is not a finding. However, if the "StreamDriver" variable is in a module block, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>RHEL-09-652055RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the variable name "StreamDriver" is present in an omfwd statement block, this is not a finding. However, if the "StreamDriver" variable is in a module block, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>RHEL-09-652055RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -5997,13 +5620,29 @@ TCP *.* @@remotesystemname RELP *.* :omrelp:remotesystemname:2514 Note that a port number was given as there is no standard port for RELP. -Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001851Configure RHEL 9 to off-load audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. +Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001851Configure RHEL 9 to off-load audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. The following are examples of the configuration for the legacy syntax and for the newer Rainer script. Only one should be used. 
-*.* @@[remoteloggingserver]:[port]Verify RHEL 9 audit system off-loads audit records onto a different system or media from the system being audited via rsyslog using TCP with the following command: +Using legacy '@host:port" syntax example: +*.* @@[remoteloggingserver]:[port] -$ sudo grep -iR '@@' /etc/rsyslog.conf /etc/rsyslog.d/ +Using Rainer script example: +action( + type="omfwd" + target="logserver.example.com" + port="514" + protocol="tcp" + action.resumeRetryCount="-1" + queue.type="linkedList" + que.size="10000" +) -/etc/rsyslog.d/remoteLogging.conf:*.* @@[remoteloggingserver]:[port] +Note: The Rainer Script above does not contain the required encryption settings.Verify RHEL 9 audit system off-loads audit records onto a different system or media from the system being audited via rsyslog using TCP with the following commands: + +To check for legacy configuration syntax, perform the following: +$ sudo grep -ir '@@' /etc/rsyslog.conf /etc/rsyslog.d/ + +To check for Rainer script syntax, perform the following: +$ sudo grep -rq 'type="omfwd"' /etc/rsyslog.conf /etc/rsyslog.d/ If a remote server is not configured, or the line is commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. 
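Review bot: Three upstream typos in the added RHEL-09-652055 text should be flagged rather than silently carried into derived content: the Rainer script example uses `que.size="10000"` where rsyslog's parameter is `queue.size`; the lead-in `Using legacy '@host:port" syntax example:` opens with a single quote and closes with a double quote; and the new verification command `$ sudo grep -rq 'type="omfwd"' /etc/rsyslog.conf /etc/rsyslog.d/` runs grep with `-q`, which suppresses all output, so unlike the legacy-syntax check just above it the reader is left with only an exit status. If this file is meant to be a verbatim copy of the published STIG, keep the text as-is, but the project's own check for the Rainer script form should not inherit the `-q`, and the `que.size` line should not be used as a model configuration.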
@@ -6272,7 +5911,7 @@ $ sudo stat -c '%U %n' /var/log/audit root /var/log/audit -If the audit log directory is not owned by "root", this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-09-653090RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. +If the audit log directory is not owned by "root", this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>RHEL-09-653090RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 
@@ -6294,19 +5933,19 @@ $ sudo chmod 0440 $log_file.* Otherwise, configure the permissions the following way: $ sudo chmod 0600 $log_file -$ sudo chmod 0400 $log_file.*Verify the audit logs have a mode of "0600". +$ sudo chmod 0400 $log_file.*Verify the audit logs have a mode of "0600". Determine where the audit logs are stored with the following command: -$ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \; +$ sudo grep "^log_file" /etc/audit/auditd.conf -600 /var/log/audit/audit.log +log_file = /var/log/audit/audit.log Using the location of the audit log file, determine the mode of each audit log with the following command: $ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \; -rw-------. 2 root root 237923 Jun 11 11:56 /var/log/audit/audit.log +600 /var/log/audit/audit.log If the audit logs have a mode more permissive than "0600", this is a finding.SRG-OS-000051-GPOS-00024<GroupDescription></GroupDescription>RHEL-09-653095RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.<VulnDiscussion>If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000154Configure RHEL 9 to flush audit to disk by adding or updating the following rule in "/etc/audit/auditd.conf": 
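Review bot: The new check text in this hunk still hard-codes the directory: the first step now reads the location with `$ sudo grep "^log_file" /etc/audit/auditd.conf`, but the second step (`$ sudo find /var/log/audit/ -type f -exec stat -c '%a %n' {} \;`) does not use that value, so on a system with a non-default `log_file` the mode check looks in the wrong place. Replacing the old `-rw-------. 2 root root ...` sample line with `600 /var/log/audit/audit.log` is correct, since that is the format `stat -c '%a %n'` actually prints. Upstream wording aside, any OVAL or test content derived from this rule should take the path from `log_file` rather than assuming `/var/log/audit/`.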
@@ -6405,7 +6044,7 @@ Example output: audispd-plugins.x86_64 3.0.7-101.el9_0.2 -If the "audispd-plugins" package is not installed, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>RHEL-09-654010RHEL 9 must audit uses of the "execve" system call.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. +If the "audispd-plugins" package is not installed, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>RHEL-09-654010RHEL 9 must audit uses of the "execve" system call.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002233CCI-002234Configure RHEL 9 to audit the execution of the "execve" system call. 
@@ -6418,16 +6057,16 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "execve" system call with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "execve" system call with the following command: $ sudo auditctl -l | grep execve --a always,exit -S arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv --a always,exit -S arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv --a always,exit -S arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv --a always,exit -S arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv +-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv +-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv -If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654015RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+If the command does not return all lines, or the lines are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654015RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
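Review bot: The expected `auditctl -l` output for RHEL-09-654010 in this hunk ends each rule with `-k execpriv`, while every other rule listing in this patch (the chmod, chown, xattr, rename, open, module and umount hunks) ends with `-F key=...`. Both spellings are accepted on input, but `auditctl -l` prints one form, so a check or test that matches the listing literally can agree with only one of them; confirm that the `-k` spelling is verbatim from the new STIG release and that the project's check for this rule does not depend on it.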
@@ -6444,14 +6083,14 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "chmod", "fchmod", and "fchmodat" system calls with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "chmod", "fchmod", and "fchmodat" system calls with the following command: $ sudo auditctl -l | grep chmod --a always,exit -S arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -S arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" system calls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654020RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" system calls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654020RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
Audit records can be generated from various components within the information system (e.g., module or policy filter). 
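Review bot: The `-S arch=b32` / `-S arch=b64` to `-F arch=b32` / `-F arch=b64` correction in the RHEL-09-654015 listing is the right fix: `arch` is a filter field and `-S` takes only syscall names, so the old lines could never have been produced by `auditctl -l`. The same correction is applied consistently in the chown, xattr, rename, open, delete_module, init_module, umount and umount2 hunks that follow; if any project test scenario or OVAL for these rules was written against the old `-S arch=` text, it should be rechecked against the corrected form.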
@@ -6468,14 +6107,14 @@ Add or update the following rules in "/etc/audit/rules.d/audit.rules": To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "chown", "fchown", "fchownat", and "lchown" system calls with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "chown", "fchown", "fchownat", and "lchown" system calls with the following command: $ sudo auditctl -l | grep chown --a always,exit -S arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -S arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod -If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" system calls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654025RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" system calls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654025RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -6492,14 +6131,14 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls with the following command: $ sudo auditctl -l | grep xattr --a always,exit -S arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -S arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod --a always,exit -S arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid=0 -F key=perm_mod --a always,exit -S arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid=0 -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid=0 -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid=0 -F key=perm_mod If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls, or any of the lines returned are commented out, this is a 
finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654030RHEL 9 must audit all uses of umount system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -6641,7 +6280,7 @@ $ sudo auditctl -l | grep setsebool -a always,exit -S all -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654065RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654065RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -6656,14 +6295,14 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command: $ sudo auditctl -l | grep 'rename\|unlink\|rmdir' --a always,exit -S arch=b32 -S unlink,rename,rmdir,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete --a always,exit -S arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +-a always,exit -F arch=b32 -S unlink,rename,rmdir,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete +-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete -If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654070RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654070RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -6681,20 +6320,20 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls with the following command: $ sudo auditctl -l | grep 'open\b\|openat\|open_by_handle_at\|truncate\|creat' --a always,exit -S arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -S auid!=-1 -F key=perm_access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -S auid!=-1 -F key=perm_access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -S auid!=-1 -F key=perm_access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -S auid!=-1 -F key=perm_access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access If the output does not produce rules containing "-F exit=-EPERM", this is a finding. 
If the output does not produce rules containing "-F exit=-EACCES", this is a finding. -If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654075RHEL 9 must audit all uses of the delete_module system call.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654075RHEL 9 must audit all uses of the delete_module system call.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
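Review bot: Beyond the `-S arch=b32` fix, the RHEL-09-654070 listing in this hunk also replaces `-S auid!=-1` with `-F auid!=-1` on all four `exit=-EPERM` / `exit=-EACCES` rules; `auid` is a field, so `-S auid!=-1` was invalid, and the corrected lines now match the form used in every other rule in the patch. Note that the finding criteria for this rule are split across three sentences (`-F exit=-EPERM`, `-F exit=-EACCES`, and the syscall list), so a derived check needs all four lines present, not merely one per architecture.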
@@ -6709,14 +6348,14 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "delete_module" system call with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "delete_module" system call with the following command: $ sudo auditctl -l | grep delete_module --a always,exit -S arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -F key=module_chng --a always,exit -S arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -F key=module_chng +-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -F key=module_chng +-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -F key=module_chng -If both the "b32" and "b64" audit rules are not defined for the "delete_module" system call, or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654080RHEL 9 must audit all uses of the init_module and finit_module system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "delete_module" system call, or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654080RHEL 9 must audit all uses of the init_module and finit_module system calls.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -6731,12 +6370,12 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "init_module" and "finit_module" system calls with the following command: +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of the "init_module" and "finit_module" system calls with the following command: $ sudo auditctl -l | grep init_module --a always,exit -S arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=module_chng --a always,exit -S arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=module_chng +-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=module_chng +-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=module_chng If both the "b32" and "b64" audit rules are not defined for the "init_module" system call, or any of the lines returned are commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654085RHEL 9 must audit all uses of the chage command.<VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
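Review bot: The unchanged finding sentence after the RHEL-09-654080 listing, `If both the "b32" and "b64" audit rules are not defined for the "init_module" system call`, names only `init_module` even though the rule title and the listed lines cover `init_module,finit_module`. This is upstream context rather than part of the change, so no edit to the reference file is called for, but a check derived from this rule should require both syscalls in each rule, as the listed lines do.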
@@ -7186,7 +6825,7 @@ $ sudo cat /etc/audit/rules.d/* | grep shutdown -a always,exit -S all -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-shutdown -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654205Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654205Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000130CCI-000169CCI-000172CCI-002884Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory: 
@@ -7194,13 +6833,13 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadVerify RHEL 9 generates an audit record for all uses of the "umount" and system call with the following command: +$ sudo augenrules --loadVerify RHEL 9 generates an audit record for all uses of the "umount" and system call with the following command: $ sudo auditctl -l | grep b32 | grep 'umount\b' --a always,exit -S arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654210Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>RHEL-09-654210Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.<VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. 
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000130CCI-000169CCI-000172CCI-002884Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount2" system call by adding or updating the following rules in a file in "/etc/audit/rules.d". 
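Review bot: The RHEL-09-654205 check text in this hunk, `Verify RHEL 9 generates an audit record for all uses of the "umount" and system call with the following command:`, carries a stray `and`; the only substantive change in the hunk is the `-S arch=b32` to `-F arch=b32` correction on the expected rule line, which is consistent with the other listings. If the file is a verbatim import, leave the wording, but it is worth recording as a known upstream typo so nobody "fixes" it in a later pass and creates an unexplained diff against the published STIG.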
@@ -7209,12 +6848,12 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPO To load the rules to the kernel immediately, use the following command: -$ sudo augenrules --loadTo determine if the system is configured to audit calls to the umount2 system call, run the following command: +$ sudo augenrules --loadTo determine if the system is configured to audit calls to the umount2 system call, run the following command: $ sudo auditctl -l | grep umount2 --a always,exit -S arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount --a always,exit -S arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount If no line is returned, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>RHEL-09-654215RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.<VulnDiscussion>The actions taken by system administrators must be audited to keep a record of what was executed on the system, as well as for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. 
@@ -7392,13 +7031,20 @@ $ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 -e 2 -If the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules", this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-09-671010RHEL 9 must enable FIPS mode.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. +If the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules", this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-09-671010RHEL 9 must enable FIPS mode.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. 
-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000068CCI-000877CCI-002418CCI-002450Configure the operating system to implement FIPS mode with the following command +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000068CCI-000877CCI-002418CCI-002450Configure the operating system to implement FIPS mode with the following command $ sudo fips-mode-setup --enable -Reboot the system for the changes to take effect.Verify that RHEL 9 is in FIPS mode with the following command: +To ensure the kernel enables FIPS mode for early boot, "fips=1" must be added to the grub config: +$ sudo grubby --update-kernel=ALL --args="fips=1" + +Verify the setting with the following command: +$ cat /proc/cmdline +BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-570.21.1.el9_6.x86_64 root=/dev/mapper/rhel-root ro resume=/dev/mapper/rhel-swap rd.luks.uuid=luks-cd37eb8d-a2c3-4671-96ee-1e6a3a681561 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap 
rhgb quiet fips=1 boot=UUID=acbbb4ee-adc0-4cb2-9546-afab857b8849 audit_backlog_limit=8192 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M + +Reboot the system for the changes to take effect.Verify RHEL 9 is in FIPS mode with the following command: $ sudo fips-mode-setup --check FIPS mode is enabled. 
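Review bot: the new grubby step in the RHEL-09-671010 fix text only appends `fips=1`, yet the sample `/proc/cmdline` that follows it also shows `boot=UUID=...`, which nothing in the fix sets. On RHEL 9 `fips-mode-setup --enable` already writes both `fips=1` and, when /boot is a separate partition, `boot=UUID=<boot partition>` to the kernel command line, so `grubby --update-kernel=ALL --args="fips=1"` is redundant after that command and, run on its own, produces a cmdline without `boot=`. Either drop the grubby step or state that it is a repair step that does not replace `fips-mode-setup --enable`. The sample output also embeds a specific kernel build (`5.14.0-570.21.1.el9_6`), LUKS and boot UUIDs and crashkernel sizing; label it as example output so readers do not expect a literal match, and word the verification as "confirm `fips=1` is present in `/proc/cmdline`" rather than reproducing the whole line.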
@@ -7614,7 +7260,7 @@ banner-message-text= Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. -If the banner does not match the Standard Mandatory DOD Notice and Consent Banner exactly, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-232103RHEL 9 "/etc/audit/" must be owned by root.<VulnDiscussion>The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000162Change the owner of the file "/etc/audit/" to "root" by running the following command: +If the banner does not match the Standard Mandatory DOD Notice and Consent Banner exactly, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-232103RHEL 9 "/etc/audit/" must be owned by root.<VulnDiscussion>The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. 
Protection of this directory is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000162Change the owner of the file "/etc/audit/" to "root" by running the following command: $ sudo chown root /etc/audit/Verify the ownership of the "/etc/audit/" directory with the following command: 
@@ -7622,7 +7268,7 @@ $ sudo stat -c "%U %n" /etc/audit/ root /etc/audit/ -If the "/etc/audit/" directory does not have an owner of "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-232104RHEL 9 "/etc/audit/" must be group-owned by root.<VulnDiscussion>The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000162Change the group of the file "/etc/audit/" to "root" by running the following command: +If the "/etc/audit/" directory does not have an owner of "root", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>RHEL-09-232104RHEL 9 "/etc/audit/" must be group-owned by root.<VulnDiscussion>The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. 
Protection of this directory is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000162Change the group of the file "/etc/audit/" to "root" by running the following command: $ sudo chgrp root /etc/audit/Verify the group ownership of the "/etc/audit/" directory with the following command: 
@@ -7718,11 +7364,13 @@ allow exe=/usr/bin/python3.7 : ftype=text/x-python deny_audit perm=any pattern=ld_so : all deny perm=any all : all -If "fapolicyd" is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.SRG-OS-000304-GPOS-00121<GroupDescription></GroupDescription>RHEL-09-215101RHEL 9 must have the Postfix package installed.<VulnDiscussion>Postfix is a free, open-source mail transfer agent (MTA) that sends and receives emails. It is a server-side application that can be used to set up a local mail server, create a null-client mail relay, use a Postfix server as a destination for multiple domains, or choose an LDAP directory instead of files for lookups. Postfix supports protocols such as LDAP, SMTP AUTH (SASL), and TLS. It uses the Simple Mail Transfer Protocol (SMTP) to transfer emails between servers. +If "fapolicyd" is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.SRG-OS-000304-GPOS-00121<GroupDescription></GroupDescription>RHEL-09-215101RHEL 9 must have the Postfix package installed.<VulnDiscussion>Postfix is a free, open-source mail transfer agent (MTA) that sends and receives emails. It is a server-side application that can be used to set up a local mail server, create a null-client mail relay, use a Postfix server as a destination for multiple domains, or choose an LDAP directory instead of files for lookups. Postfix supports protocols such as LDAP, SMTP AUTH (SASL), and TLS. It uses the Simple Mail Transfer Protocol (SMTP) to transfer emails between servers. 
Satisfies: SRG-OS-000304-GPOS-00121, SRG-OS-000343-GPOS-00134, SRG-OS-000363-GPOS-00150, SRG-OS-000447-GPOS-00201</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000015Install the Postfix package with the following command: -$ sudo dnf install postfixVerify that RHEL 9 has the Postfix package installed with the following command: +$ sudo dnf install postfixNote: If the admin can demonstrate that there is another system/service to send audit failure notifications to the administrator/ISSO, this control is not applicable. + +Verify RHEL 9 has the Postfix package installed with the following command: $ sudo dnf list --installed postfix 
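Review bot: the new applicability note for RHEL-09-215101 ("If the admin can demonstrate that there is another system/service to send audit failure notifications to the administrator/ISSO, this control is not applicable") is placed immediately after the `dnf install postfix` fix command, at the head of the check text, so a reader following the fix never sees it; it belongs before the fix as well. More importantly it is a manual judgement that an automated scan cannot make: the project's package-installed check for postfix will keep failing on hosts that satisfy the requirement through another notification path, so the corresponding rule in the STIG profile should carry this NA condition in its description or warning so assessors know such a failure can be documented rather than remediated.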
@@ -7730,12 +7378,12 @@ Example output: postfix.x86_64 2:3.5.25-1.el9 -If the "postfix" package is not installed, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-09-431016RHEL 9 must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. - -Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. - +If the "postfix" package is not installed, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>RHEL-09-431016RHEL 9 must elevate the SELinux context when an administrator calls the sudo command.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. + +Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. + Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-002235Configure RHEL 9 to elevate the SELinux context when an administrator calls the sudo command. Edit a file in the "/etc/sudoers.d" directory with the following command: 
@@ -7749,13 +7397,27 @@ Use the following example to build the <customfile> in the /etc/sudoers.d Remove any configurations that conflict with the above from the following locations: /etc/sudoers -/etc/sudoers.d/Verify that RHEL 9 elevates the SELinux context when an administrator calls the sudo command with the following command: +/etc/sudoers.d/Verify RHEL 9 elevates the SELinux context when an administrator calls the sudo command with the following command: This command must be run as root: # grep -r sysadm_r /etc/sudoers /etc/sudoers.d %{designated_group_or_user_name} ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL -If conflicting results are returned, this is a finding. +If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>RHEL-09-654097RHEL 9 must audit any script or executable called by cron as root or by any privileged user.<VulnDiscussion>Any script or executable called by cron as root or by any privileged user must be owned by that user. It must also have the permissions 755 or more restrictive and should have no extended rights that allow any nonprivileged user to modify the script or executable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000172Configure RHEL 9 to audit the execution of any system call made by cron as root or by any privileged user. 
+ +Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": +-w /etc/cron.d/ -p wa -k cronjobs +-w /var/spool/cron/ -p wa -k cronjobs + +To load the rules to the kernel immediately, use the following command: + +$ sudo augenrules --loadVerify RHEL 9 is configured to audit the execution of any system call made by cron as root or by any privileged user. + +$ sudo auditctl -l | grep /etc/cron.d +-w /etc/cron.d -p wa -k cronjobs + +$ sudo auditctl -l | grep /var/spool/cron +-w /var/spool/cron -p wa -k cronjobs -If a designated sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to "sysadm_t" and "sysadm_r" with the use of the sudo command, this is a finding. \ No newline at end of file +If either of these commands do not return the expected output, or the lines are commented out, this is a finding. \ No newline at end of file diff --git a/shared/references/disa-stig-rhel9-v2r6-xccdf-scap.xml b/shared/references/disa-stig-rhel9-v2r7-xccdf-scap.xml similarity index 93% rename from shared/references/disa-stig-rhel9-v2r6-xccdf-scap.xml rename to shared/references/disa-stig-rhel9-v2r7-xccdf-scap.xml index 7545d9f22b79..1e605cb9f0f6 100644 --- a/shared/references/disa-stig-rhel9-v2r6-xccdf-scap.xml +++ b/shared/references/disa-stig-rhel9-v2r7-xccdf-scap.xml @@ -1,36 +1,36 @@ - - + + - + - + - + - + - - + + - + Red Hat Enterprise Linux 9 - oval:mil.disa.stig.rhel9os:def:1 + oval:mil.disa.stig.rhel9os:def:1 - + - accepted + accepted Red Hat Enterprise Linux 9 STIG SCAP Benchmark This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
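Review bot: two problems in this hunk. First, the RHEL-09-431016 check drops the line "If conflicting results are returned, this is a finding." and keeps only the "not configured to elevate ... sysadm_t and sysadm_r" criterion, so a sudoers tree that contains one `ROLE=sysadm_r` entry plus a later, non-elevating entry for the same group no longer fails; since `grep -r sysadm_r` also matches commented-out lines, the check as written can pass on a host that never actually elevates. Keep the conflicting-results condition. Second, the new RHEL-09-654097 is internally inconsistent: the title and check text speak of auditing "the execution of any system call made by cron", and the VulnDiscussion speaks of ownership and 755 permissions, but the fix installs file watches (`-w /etc/cron.d/ -p wa -k cronjobs`, `-w /var/spool/cron/ -p wa -k cronjobs`) that record writes to cron configuration, not execution, and nothing in the rule checks ownership or mode. The fix writes the paths with trailing slashes into `/etc/audit/rules.d/audit.rules` while the expected `auditctl -l` output shows `-w /etc/cron.d -p wa` and `-w /var/spool/cron -p wa` without them; `grep /etc/cron.d` matches either way, but the two spellings should agree. `/etc/crontab` and the `/etc/cron.hourly`, `daily`, `weekly` and `monthly` directories, which also run jobs as root, are not watched at all. The file also still ends without a trailing newline.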
@@ -40,67 +40,85 @@ DISA STIG.DOD.MIL - Benchmark Date: 01 Oct 2025 - 3.5.1 + Benchmark Date: 05 Jan 2026 + 3.5.2 1.10.0 Linux with BIND installed - - - - - Gnome-shell Package - - + Linux with NFS mounts configured - + Linux IPv6 Enabled - + Linux with Libreswan installed - + + + + + Gnome-shell Package + + + + + + Linux with no NFS mounts configured + + + + + + Linux with TFTP installed + + + + + + RHEL9 and Not FIPS + + Kernel dumps are enabled - + Linux UEFI system with boot partition file type other than VFAT - + Linux with postfix installed - + Linux with autofs installed - + - 002.006 + 002.007 DISA DISA @@ -318,12 +336,10 @@ - - @@ -358,7 +374,6 @@ - @@ -491,6 +506,7 @@ + @@ -716,12 +732,10 @@ - - @@ -756,7 +770,6 @@ - @@ -889,6 +902,7 @@ + @@ -1114,12 +1128,10 @@ - - @@ -1154,7 +1166,6 @@ - @@ -1287,6 +1298,7 @@ + @@ -1512,12 +1524,10 @@ - - @@ -1552,7 +1562,6 @@ - @@ -1685,6 +1694,7 @@ + @@ -1910,12 +1920,10 @@ - - @@ -1950,7 +1958,6 @@ - @@ -2083,6 +2090,7 @@ + @@ -2308,12 +2316,10 @@ - - @@ -2348,7 +2354,6 @@ - @@ -2481,6 +2486,7 @@ + @@ -2706,12 +2712,10 @@ - - @@ -2746,7 +2750,6 @@ - @@ -2879,6 +2882,7 @@ + @@ -3104,12 +3108,10 @@ - - @@ -3144,7 +3146,6 @@ - @@ -3277,6 +3278,7 @@ + @@ -3502,12 +3504,10 @@ - - @@ -3542,7 +3542,6 @@ - @@ -3675,6 +3674,7 @@ + @@ -3707,13 +3707,11 @@ - - @@ -3723,42 +3721,42 @@ + - + - - - - - - - + + + + + + @@ -3768,64 +3766,71 @@ + + + + + - - + + - + - + + - + + - + - - + + @@ -3838,25 +3843,29 @@ + - - + + + + + + - @@ -3865,12 +3874,10 @@ - - @@ -3878,7 +3885,8 @@ - + + @@ -3887,33 +3895,31 @@ + - - + - - - + - + + - @@ -3926,84 +3932,76 @@ - - + - + + + - + + - - + - + - + + - - - - - - - + + + + - - - - - - + - - @@ -4015,26 +4013,29 @@ + - + - + - - + + + + @@ -4045,38 +4046,34 @@ - + - - + - - - + - - - + + 
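Review bot: besides the metadata bump (Benchmark Date 05 Jan 2026, version 3.5.2, release 002.007), this hunk introduces three new CPE platforms, `Linux with no NFS mounts configured`, `Linux with TFTP installed` and `RHEL9 and Not FIPS`, and reorders the existing ones. The last of those implies at least one v2r7 rule is now gated on FIPS mode being off, which the project's STIG profile and the rule-to-STIG reference mapping do not express unless the affected rules get a matching `platform:` key; the rules that reference these platforms further down this file should be identified and their applicability updated in the same change. Because the file is renamed from v2r6 to v2r7 here (similarity index 93%), also grep the tree for `disa-stig-rhel9-v2r6-xccdf-scap.xml` so no script or documentation keeps pointing at the old name.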
@@ -4084,12 +4081,15 @@ SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-211010 RHEL 9 must be a vendor-supported release. <VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. -Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +End Of Life dates for Red Hat Linux 9 releases are as follows: +Current end of Full Support for Red Hat Linux 9 is 31 May 2027. +Current end of Maintenance Support for Red Hat Linux 9 is 31 May 3032. +Current end of Extended Life Cycle Support (ELS) for Red Hat Linux 9 is 31 May 2035.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 9 DISA @@ -4101,7 +4101,7 @@ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Upgrade to a supported version of RHEL 9. - + @@ -4125,7 +4125,7 @@ Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise $ sudo systemctl set-default multi-user.target - + 
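Review bot: the added lifecycle paragraph in RHEL-09-211010 contains a typo that must not be propagated into rule descriptions: "Current end of Maintenance Support for Red Hat Linux 9 is 31 May 3032" cannot be right, since the next line puts the end of Extended Life Cycle Support at 31 May 2035 and ELS follows the maintenance phase; 2032 is the intended year. The paragraph also calls the product "Red Hat Linux 9" three times while the rest of the benchmark says "Red Hat Enterprise Linux 9". Hard-coded dates in a VulnDiscussion go stale and the check ("Upgrade to a supported version of RHEL 9") does not depend on them, so if this text is pulled into the project's description, keep the reference to Red Hat's published lifecycle and correct the year rather than copying the dates verbatim.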
@@ -4145,6 +4145,7 @@ The rngd service feeds random data from hardware device to kernel random device. Red Hat Enterprise Linux 9 5551 + CCI-000366 Install the rng-tools package with the following command: @@ -4155,7 +4156,7 @@ Then enable the rngd service run the following command: $ sudo systemctl enable --now rngd - + @@ -4179,14 +4180,14 @@ $ sudo systemctl enable --now rngd $ sudo systemctl enable --now systemd-journald - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + RHEL-09-211045 The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. @@ -4200,16 +4201,22 @@ Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227</VulnDiscussion 5551 CCI-002235 - Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: + Configure RHEL 9 to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: + +If no drop file exists, create one with the following command: + +$ sudo mkdir -p /etc/systemd/system.conf.d && sudo vi /etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction + +Edit the file to contain the setting by adding the following text: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + - + @@ -4236,7 +4243,7 @@ $ sudo systemctl disable --now ctrl-alt-del.target $ sudo systemctl mask --now ctrl-alt-del.target - + 
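Review bot: the new fix text for RHEL-09-211045 creates `/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction` and tells the reader to put only `CtrlAltDelBurstAction=none` in it; as written this does nothing. systemd only reads drop-ins in `system.conf.d/` whose names end in `.conf`, and settings for system.conf must sit under a `[Manager]` section header, otherwise `systemd-analyze cat-config systemd/system.conf` will not list the file and, even with the right suffix, the daemon logs "Assignment outside of section. Ignoring." on `daemon-reload`. The file should be `/etc/systemd/system.conf.d/55-CtrlAltDel-BurstAction.conf` containing `[Manager]` followed by `CtrlAltDelBurstAction=none`. The project's own remediation and check for this rule should be verified so they do not copy the reference text literally. "drop file" should read "drop-in file". The rng-tools change in the same hunk (adding `CCI-000366`) is fine.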
@@ -4263,14 +4270,14 @@ $ sudo systemctl disable --now debug-shell.service $ sudo systemctl mask --now debug-shell.service - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-09-212010 RHEL 9 must require a boot loader superuser password. <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. @@ -4293,7 +4300,7 @@ Enter password: Confirm password: - + @@ -4317,7 +4324,7 @@ Confirm password: $ sudo grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" - + @@ -4341,7 +4348,7 @@ $ sudo grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" - + @@ -4365,7 +4372,7 @@ $ sudo chgrp root /boot/grub2/grub.cfg $ sudo chown root /boot/grub2/grub.cfg - + @@ -4397,7 +4404,7 @@ Add or modify the following line in "/etc/default/grub" to ensure the configurat GRUB_CMDLINE_LINUX="vsyscall=none" - + @@ -4427,7 +4434,7 @@ Add or modify the following line in "/etc/default/grub" to ensure the configurat GRUB_CMDLINE_LINUX="page_poison=1" - + @@ -4467,7 +4474,7 @@ Reboot the system: $ sudo reboot - + @@ -4498,7 +4505,7 @@ Add or modify the following line in "/etc/default/grub" to ensure the configurat GRUB_CMDLINE_LINUX="pti=on" - + 
@@ -4535,14 +4542,14 @@ Add or modify the following line in "/etc/default/grub" to ensure the configurat GRUB_CMDLINE_LINUX="audit=1" - + SRG-OS-000132-GPOS-00067 <GroupDescription></GroupDescription> - + RHEL-09-213010 RHEL 9 must restrict access to the kernel message buffer. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -4553,7 +4560,7 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -4572,33 +4579,28 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion CCI-001082 CCI-001090 - Configure RHEL 9 to restrict access to the kernel message buffer. + Configure RHEL 9 to restrict access to the kernel message buffer. -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a drop-in if it does not already exist: -kernel.dmesg_restrict = 1 +$ sudo vi /etc/sysctl.d/99-dmesg_restrict.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following to the file: +kernel.dmesg_restrict = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000132-GPOS-00067 <GroupDescription></GroupDescription> - + RHEL-09-213015 RHEL 9 must prevent kernel profiling by nonprivileged users. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
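Review bot: the rewritten fix for RHEL-09-213010 drops the "Remove any configurations that conflict with the above" list (`/run/sysctl.d/*.conf`, `/usr/local/lib/sysctl.d/*.conf`, `/usr/lib/sysctl.d/*.conf`, `/lib/sysctl.d/*.conf`, `/etc/sysctl.conf`, `/etc/sysctl.d/*.conf`) and replaces it with a single `/etc/sysctl.d/99-dmesg_restrict.conf` drop-in. The rule's own VulnDiscussion, kept unchanged just above, explains that the lexicographically latest filename wins, and `sysctl --system` reads `/etc/sysctl.conf` after the `.d` directories, so a `kernel.dmesg_restrict = 0` in `/etc/sysctl.conf` or in any file sorting after `99-dmesg_restrict.conf` still overrides the new file and the host fails the check even though the fix was followed. Keep the conflict-removal list, or at least tell the reader to confirm the effective value with `sysctl kernel.dmesg_restrict` after `sysctl --system`. The same rewrite is applied to the other sysctl rules in this update and the same caveat applies to each.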
@@ -4609,7 +4611,7 @@ There may be shared resources with configurable protections (e.g., files in stor Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -4628,40 +4630,35 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069</VulnDiscussion CCI-001082 CCI-001090 - Configure RHEL 9 to prevent kernel profiling by nonprivileged users. + Configure RHEL 9 to prevent kernel profiling by nonprivileged users. -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a drop-in if it does not already exist: -kernel.perf_event_paranoid = 2 +$ sudo vi /etc/sysctl.d/99-kernel_perf_event_paranoid.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following to the file: +kernel.perf_event_paranoid = 2 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-213020 RHEL 9 must prevent the loading of a new kernel for later execution. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -4680,36 +4677,33 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153</VulnDiscussion CCI-003992 CCI-001749 - Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + Configure RHEL 9 to disable kernel image loading. -kernel.kexec_load_disabled = 1 +Create a drop-in if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-kernel_kexec_load_disabled.conf -Load settings from all system configuration files with the following command: +Add the following to the file: +kernel.kexec_load_disabled = 1 + +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000132-GPOS-00067 <GroupDescription></GroupDescription> - + RHEL-09-213025 RHEL 9 must restrict exposed kernel pointer addresses access. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -4728,40 +4722,37 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPO CCI-001082 CCI-002824 - Configure RHEL 9 to restrict exposed kernel pointer addresses access by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure RHEL 9 to restrict exposed kernel pointer addresses access. -kernel.kptr_restrict = 1 +Create a drop-in if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-kernel_kptr_restrict.conf + +Add the following to the file: +kernel.kptr_restrict = 1 -The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000312-GPOS-00123 <GroupDescription></GroupDescription> - + RHEL-09-213030 - RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + RHEL 9 must enable kernel parameters to enforce discretionary access control (DAC) on hardlinks. + <VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). 
Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -4780,40 +4771,37 @@ Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPO CCI-002165 CCI-002235 - Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: + Configure RHEL 9 to enable DAC on hardlinks. -fs.protected_hardlinks = 1 +Create a drop-in if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-fs_protected_hardlinks.conf -Load settings from all system configuration files with the following command: +Add the following to the file: +fs.protected_hardlinks = 1 + +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000312-GPOS-00123 <GroupDescription></GroupDescription> - + RHEL-09-213035 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. + RHEL 9 must enable kernel parameters to enforce discretionary access (DAC) control on symlinks. + <VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. 
DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). -The sysctl --system command will load settings from all system configuration files. 
All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -4832,38 +4820,33 @@ Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPO CCI-002165 CCI-002235 - Configure RHEL 9 to enable DAC on symlinks. + Configure RHEL 9 to enable DAC on symlinks with the following: -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a drop-in if it does not already exist: -fs.protected_symlinks = 1 +$ sudo vi /etc/sysctl.d/99-fs_protected_symlinks.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following to the file: +fs.protected_symlinks = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-213040 RHEL 9 must disable the kernel.core_pattern. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf @@ -4879,26 +4862,21 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to disable storing core dumps. + Configure RHEL 9 to disable storing core dumps. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a drop-in if it does not already exist: -kernel.core_pattern = |/bin/false +$ sudo vi /etc/sysctl.d/99-kernel_core_pattern.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following to the file: +kernel.core_pattern = |/bin/false -The system configuration files must reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + @@ -4923,7 +4901,7 @@ install atm /bin/false blacklist atm - + @@ -4948,7 +4926,7 @@ install can /bin/false blacklist can - + @@ -4973,7 +4951,7 @@ install firewire-core /bin/false blacklist firewire-core - + 
@@ -5002,7 +4980,7 @@ install sctp /bin/false blacklist sctp - + @@ -5031,21 +5009,21 @@ install tipc /bin/false blacklist tipc - + SRG-OS-000433-GPOS-00193 <GroupDescription></GroupDescription> - + RHEL-09-213070 RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -5063,38 +5041,33 @@ Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227</VulnDiscussion 5551 CCI-002824 - Configure RHEL 9 to implement virtual address space randomization. + Configure RHEL 9 to implement ASLR. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create the drop-in if it does not already exist: -kernel.randomize_va_space=2 +$ sudo vi /etc/sysctl.d/99-kernel_randomize_va_space.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +kernel.randomize_va_space = 2 -Issue the following command to make the changes take effect: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000132-GPOS-00067 <GroupDescription></GroupDescription> - + RHEL-09-213075 RHEL 9 must disable access to network bpf system call from nonprivileged processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -5112,31 +5085,28 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227</VulnDiscussion 5551 CCI-001082 - Configure RHEL 9 to prevent privilege escalation through the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure RHEL 9 to prevent privilege escalation through the kernel by disabling access to the bpf system call. -kernel.unprivileged_bpf_disabled = 1 +Create the drop-in file if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-kernel_unprivileged_bpf_disabled.conf + +Add the following line to the file: +kernel.unprivileged_bpf_disabled = 1 -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000132-GPOS-00067 <GroupDescription></GroupDescription> - + RHEL-09-213080 RHEL 9 must restrict usage of ptrace to descendant processes. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
@@ -5159,24 +5129,21 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227</VulnDiscussion 5551 CCI-001082 - Configure RHEL 9 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure RHEL 9 to restrict the usage of ptrace to descendant processes. -kernel.yama.ptrace_scope = 1 +Create the drop-in if it doesn't already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-kernel_yama.ptrace_scope.conf + +Add the following line to the file: +kernel.yama.ptrace_scope = 1 -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + @@ -5205,7 +5172,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0 - + @@ -5232,14 +5199,14 @@ Add or modify the following line in /etc/systemd/coredump.conf: Storage=none - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-213095 RHEL 9 must disable core dumps for all users. <VulnDiscussion>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -5252,14 +5219,16 @@ Storage=none CCI-000366 - Configure the operating system to disable core dumps for all users. + Configure RHEL 9 to disable core dumps for all users. Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: -* hard core 0 - +* hard core 0 + +Remove or comment out any entries for users or groups with a value set to anything other than "0". + - + 
@@ -5290,19 +5259,19 @@ Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-213105 RHEL 9 must disable the use of user namespaces. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -5318,24 +5287,22 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure RHEL 9 to disable the use of user namespaces. -user.max_user_namespaces = 0 +Create the drop-in if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-user_max_user_namespaces.conf + +Add the following line to the file: + +user.max_user_namespaces = 0 -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + @@ -5365,7 +5332,7 @@ To mask the kdump service run the following command: $ sudo systemctl mask --now kdump - + @@ -5396,7 +5363,7 @@ Add or update the following line in the [main] section of the /etc/dnf/dnf.conf gpgcheck=1 - + @@ -5427,14 +5394,14 @@ Add or update the following line in the [main] section of the /etc/dnf/dnf.conf localpkg_gpgcheck=1 - + SRG-OS-000366-GPOS-00153 <GroupDescription></GroupDescription> - + RHEL-09-214025 RHEL 9 must have GPG signature verification enabled for all software repositories. <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. @@ -5456,7 +5423,7 @@ Verifying the authenticity of software prior to installation validates the integ $ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* - + 
@@ -5482,7 +5449,7 @@ Edit the file /etc/dnf/dnf.conf by adding or editing the following line: clean_requirements_on_remove=True - + @@ -5507,7 +5474,7 @@ Edit the file /etc/dnf/dnf.conf by adding or editing the following line: $ sudo dnf install subscription-manager - + @@ -5538,7 +5505,7 @@ Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPO $ sudo dnf remove vsftpd - + @@ -5564,7 +5531,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049</VulnDiscussion $ sudo dnf remove sendmail - + @@ -5588,7 +5555,7 @@ $ sudo dnf remove sendmail $ sudo dnf remove nfs-utils - + @@ -5614,7 +5581,7 @@ Removing the "ypserv" package decreases the risk of the accidental (or intention $ sudo dnf remove ypserv - + @@ -5642,14 +5609,14 @@ Removing the "telnet-server" package decreases the risk of accidental (or intent $ sudo dnf remove telnet-server - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + RHEL-09-215045 RHEL 9 must not have the gssproxy package installed. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. @@ -5666,13 +5633,14 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227</VulnDiscussion Red Hat Enterprise Linux 9 5551 + CCI-000381 Remove the gssproxy package with the following command: $ sudo dnf remove gssproxy - + @@ -5702,7 +5670,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227</VulnDiscussion $ sudo dnf remove iprutils - + 
@@ -5732,19 +5700,21 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227</VulnDiscussion $ sudo dnf remove tuned - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-215060 - RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. + The Trivial File Transfer Protocol (TFTP) server must not be installed unless it is required, and if required, the RHEL 9 TFTP daemon must be configured to operate in secure mode. <VulnDiscussion>Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. -If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established. 
+ +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 9 DISA @@ -5752,13 +5722,29 @@ If TFTP is required for operational support (such as transmission of router conf Red Hat Enterprise Linux 9 5551 + CCI-000366 - The "tftp-server" package can be removed with the following command: + Configure RHEL 9 so that TFTP operates in secure mode if installed. + +If TFTP server is not required, remove it with the following command: +$ sudo dnf -y remove tftp-server + +Configure the TFTP daemon to operate in secure mode with the following command: +$ sudo systemctl edit tftp.service + +In the editor, enter: +[Service] +ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot -$ sudo dnf remove tftp-server - +After making changes, reload the systemd daemon and restart the TFTP service as follows: + +$ sudo systemctl daemon-reload +$ sudo systemctl restart tftp.service + +If the "-s" option is not present in the "ExecStart" line or if the line is missing, this is a finding. + - + @@ -5784,7 +5770,7 @@ If there is no need to make the router software available, removing it provides $ sudo dnf remove quagga - + @@ -5815,7 +5801,7 @@ $ sudo dnf remove "xorg*" $ sudo systemctl set-default multi-user.target - + @@ -5845,7 +5831,7 @@ Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPO $ sudo dnf install openssl-pkcs11 - + @@ -5869,7 +5855,7 @@ $ sudo dnf install openssl-pkcs11 $ sudo dnf install gnutls-utils - + @@ -5893,7 +5879,7 @@ $ sudo dnf install gnutls-utils $ sudo dnf install nss-tools - + 
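Review bot: the drop-in shown in the @@ -5752,13 +5722,29 @@ hunk (`[Service]` followed by `ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot`) will be rejected by systemd when the packaged tftp.service already defines ExecStart=, because a drop-in appends to the unit and a non-oneshot service may carry only one ExecStart= line; the override needs an empty `ExecStart=` line before the new one to clear the packaged value, and the fixtext should show that. The closing sentence "If the "-s" option is not present in the "ExecStart" line or if the line is missing, this is a finding." is check-procedure language and does not belong in the fixtext; it should live in the check content. Minor: `$ sudo dnf -y remove tftp-server` is the only removal command in this file that passes `-y`; the sibling rules in the surrounding hunks (vsftpd, sendmail, telnet-server, gssproxy, tuned) use plain `dnf remove`.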
@@ -5917,7 +5903,7 @@ $ sudo dnf install nss-tools $ sudo dnf install rng-tools - + @@ -5941,7 +5927,7 @@ $ sudo dnf install rng-tools $ sudo dnf install s-nail - + @@ -5963,7 +5949,7 @@ $ sudo dnf install s-nail Migrate the "/home" directory onto a separate file system/partition. - + @@ -5985,7 +5971,7 @@ $ sudo dnf install s-nail Migrate the "/tmp" path onto a separate file system. - + @@ -6007,7 +5993,7 @@ $ sudo dnf install s-nail Migrate the "/var" path onto a separate file system. - + @@ -6029,7 +6015,7 @@ $ sudo dnf install s-nail Migrate the "/var/log" path onto a separate file system. - + @@ -6053,7 +6039,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227</VulnDiscussion Migrate the system audit data path onto a separate file system. - + @@ -6075,7 +6061,7 @@ Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227</VulnDiscussion Migrate the "/var/tmp" path onto a separate file system. - + @@ -6105,7 +6091,7 @@ The autofs service can be disabled with the following command: $ sudo systemctl mask --now autofs.service - + @@ -6129,7 +6115,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nodev" option on the "/home" directory. - + @@ -6153,7 +6139,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Modify "/etc/fstab" to use the "nosuid" option on the "/home" directory. - + @@ -6175,7 +6161,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Modify "/etc/fstab" to use the "noexec" option on the "/home" directory. - + @@ -6198,7 +6184,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Update each NFS mounted file system to use the "nodev" option on file systems that are being imported via NFS. - + 
@@ -6216,11 +6202,12 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Red Hat Enterprise Linux 9 5551 + CCI-000366 Update each NFS mounted file system to use the "noexec" option on file systems that are being imported via NFS. - + @@ -6243,7 +6230,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Update each NFS mounted file system to use the "nosuid" option on file systems that are being imported via NFS. - + @@ -6265,7 +6252,7 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Modify "/etc/fstab" to use the "nodev" option on the "/boot" directory. - + @@ -6289,14 +6276,14 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Modify "/etc/fstab" to use the "nosuid" option on the "/boot" directory. - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - + RHEL-09-231105 RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory. <VulnDiscussion>The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -6314,14 +6301,14 @@ Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227</VulnDiscussion Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory. - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - + RHEL-09-231110 RHEL 9 must mount /dev/shm with the nodev option. <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. 
@@ -6335,17 +6322,27 @@ The only legitimate location for device files is the "/dev" directory located on 5551 CCI-001764 - Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system. - + Configure "/dev/shm" to mount with the "nodev" option. + +Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system. + +To reload all implicit mount units and update the dependency graph so that new options will apply correctly at next remount, run the following command: + +$ sudo systemctl daemon-reload + +Use the following command to apply the changes immediately without a reboot: + +$ sudo mount -o remount /dev/shm + - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - + RHEL-09-231115 RHEL 9 must mount /dev/shm with the noexec option. <VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> 
@@ -6357,50 +6354,27 @@ The only legitimate location for device files is the "/dev" directory located on 5551 CCI-001764 - Configure "/dev/shm" to mount with the "noexec" option. - -Determine how /dev/shm is managed. - -$ systemctl status systemd-tmpfiles-setup -If "active", systemd is managing temporary files (including /dev/shm). -Otherwise, /etc/fstab is managing temporary files. + Configure "/dev/shm" to mount with the "noexec" option. -If systemd is managing /dev/shm, use the following commands to add the noexec option to the mount: - If /etc/tmpfiles.d does not exist, create it: - $ sudo mkdir -p /etc/tmpfiles.d +Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system. - Add a configuration file with the appropriate options for /dev/shm as follows: - $ echo 'd /dev/shm 1777 root root 10d' | sudo tee /etc/tmpfiles.d/dev-shm.conf - $ echo 'x /dev/shm' | sudo tee -a /etc/tmpfiles.d/dev-shm.conf +To reload all implicit mount units and update the dependency graph so that new options will apply correctly at next remount, run the following command: - Apply new mount options with the following commands: - $ sudo systemctl mask tmp.mount - Created symlink /etc/systemd/system/tmp.mount ? /dev/null. - - $ echo 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,seclabel 0 0' | sudo tee -a /etc/fstab - $ sudo mount -o remount /dev/shm - $ sudo systemctl daemon-reload - -If /dev/shm is managed by /etc/fstab, use the following commands to add the noexec option to the mount: - $ sudo vi /etc/fstab - - Add or modify the following line: - tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,seclabel 0 0 +$ sudo systemctl daemon-reload - Remount /dev/shm: - $ sudo mount -o remount /dev/shm +Use the following command to apply the changes immediately without a reboot: -Note: Although systemd manages tmpfs mounts by default, administrators can override settings by adding entries to /etc/fstab. Either approach is acceptable. 
- +$ sudo mount -o remount /dev/shm + - + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - + RHEL-09-231120 RHEL 9 must mount /dev/shm with the nosuid option. <VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -6412,10 +6386,20 @@ Note: Although systemd manages tmpfs mounts by default, administrators can overr 5551 CCI-001764 - Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system. - + Configure "/dev/shm" to mount with the "nosuid" option. + +Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system. + +To reload all implicit mount units and update the dependency graph so that new options will apply correctly at next remount, run the following command: + +$ sudo systemctl daemon-reload + +Use the following command to apply the changes immediately without a reboot: + +$ sudo mount -o remount /dev/shm + - + @@ -6439,7 +6423,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nodev" option on the "/tmp" directory. - + @@ -6461,7 +6445,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "noexec" option on the "/tmp" directory. - + 
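Review bot: the three /dev/shm fixtexts (@@ -6335, @@ -6357 and @@ -6412) now say only 'Modify "/etc/fstab" to use the "nodev"/"noexec"/"nosuid" option on the "/dev/shm" file system' and no longer show the entry itself, while the text deleted in @@ -6357 did (`tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,seclabel 0 0`) and also carried the note that systemd manages this tmpfs by default and that an /etc/fstab entry is an override. Since a stock system usually has no /dev/shm line in fstab, there is nothing to "modify" and the reader needs the complete line to add; keep one example line in each of the three hunks, and state that the three options belong on the same single entry so that an administrator working through the rules one at a time does not add three conflicting lines. The `$ sudo mount -o remount /dev/shm` step only applies the new options because mount, given just the mount point, re-reads the options from /etc/fstab, so the fstab entry has to be in place before the remount; the ordering of the steps is right, but saying so would make the dependency explicit.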
@@ -6483,7 +6467,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nosuid" option on the "/tmp" directory. - + @@ -6507,7 +6491,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nodev" option on the "/var" directory. - + @@ -6531,7 +6515,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nodev" option on the "/var/log" directory. - + @@ -6553,7 +6537,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "noexec" option on the "/var/log" directory. - + @@ -6575,7 +6559,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nosuid" option on the "/var/log" directory. - + @@ -6599,7 +6583,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory. - + @@ -6621,7 +6605,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "noexec" option on the "/var/log/audit" directory. - + @@ -6643,7 +6627,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nosuid" option on the "/var/log/audit" directory. - + @@ -6667,7 +6651,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nodev" option on the "/var/tmp" directory. - + @@ -6689,7 +6673,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "noexec" option on the "/var/tmp" directory. - + 
@@ -6711,7 +6695,7 @@ The only legitimate location for device files is the "/dev" directory located on Modify "/etc/fstab" to use the "nosuid" option on the "/var/tmp" directory. - + @@ -6740,14 +6724,14 @@ install cramfs /bin/false blacklist cramfs - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-231200 RHEL 9 must prevent special devices on non-root local partitions. <VulnDiscussion>The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. @@ -6764,7 +6748,7 @@ The only legitimate location for device files is the "/dev" directory located on Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - + @@ -6792,7 +6776,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod $ sudo chmod 755 [FILE] - + @@ -6820,7 +6804,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory wi $ sudo chmod 755 [DIRECTORY] - + @@ -6846,7 +6830,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} + - + @@ -6872,7 +6856,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0755 /var/log - + @@ -6898,7 +6882,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chmod 0640 /var/log/messages - + @@ -6928,7 +6912,7 @@ $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with each audit tool that has a more permissive mode than 0755. - + @@ -6954,7 +6938,7 @@ Note: The example will be for the wadea user, who has a home directory of "/home $ sudo chmod 0740 /home/wadea/.<INIT_FILE> - + 
@@ -6980,7 +6964,7 @@ Note: The example will be for the user "wadea". $ sudo chmod 0750 /home/wadea - + @@ -7004,7 +6988,7 @@ $ sudo chmod 0750 /home/wadea $ sudo chmod 0644 /etc/group - + @@ -7028,7 +7012,7 @@ $ sudo chmod 0644 /etc/group $ sudo chmod 0644 /etc/group- - + @@ -7052,7 +7036,7 @@ $ sudo chmod 0644 /etc/group- $ sudo chmod 0000 /etc/gshadow - + @@ -7076,7 +7060,7 @@ $ sudo chmod 0000 /etc/gshadow $ sudo chmod 0000 /etc/gshadow- - + @@ -7100,7 +7084,7 @@ $ sudo chmod 0000 /etc/gshadow- $ sudo chmod 0644 /etc/passwd - + @@ -7124,7 +7108,7 @@ $ sudo chmod 0644 /etc/passwd $ sudo chmod 0644 /etc/passwd- - + @@ -7148,7 +7132,7 @@ $ sudo chmod 0644 /etc/passwd- $ sudo chmod 0000 /etc/shadow- - + @@ -7172,7 +7156,7 @@ $ sudo chmod 0000 /etc/shadow- $ sudo chown root /etc/group - + @@ -7196,7 +7180,7 @@ $ sudo chown root /etc/group $ sudo chgrp root /etc/group - + @@ -7220,7 +7204,7 @@ $ sudo chgrp root /etc/group $ sudo chown root /etc/group- - + @@ -7244,7 +7228,7 @@ $ sudo chown root /etc/group- $ sudo chgrp root /etc/group- - + @@ -7268,7 +7252,7 @@ $ sudo chgrp root /etc/group- $ sudo chown root /etc/gshadow - + @@ -7292,7 +7276,7 @@ $ sudo chown root /etc/gshadow $ sudo chgrp root /etc/gshadow - + @@ -7316,7 +7300,7 @@ $ sudo chgrp root /etc/gshadow $ sudo chown root /etc/gshadow- - + @@ -7340,7 +7324,7 @@ $ sudo chown root /etc/gshadow- $ sudo chgrp root /etc/gshadow- - + @@ -7364,7 +7348,7 @@ $ sudo chgrp root /etc/gshadow- $ sudo chown root /etc/passwd - + @@ -7388,7 +7372,7 @@ $ sudo chown root /etc/passwd $ sudo chgrp root /etc/passwd - + @@ -7412,7 +7396,7 @@ $ sudo chgrp root /etc/passwd $ sudo chown root /etc/passwd- - + @@ -7436,7 +7420,7 @@ $ sudo chown root /etc/passwd- $ sudo chgrp root /etc/passwd- - + @@ -7460,7 +7444,7 @@ $ sudo chgrp root /etc/passwd- $ sudo chown root /etc/shadow - + @@ -7484,7 +7468,7 @@ $ sudo chown root /etc/shadow $ sudo chgrp root /etc/shadow - + 
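Review bot: every hunk from @@ -6980 through @@ -7484 (and most hunks from @@ -5482 onward) is a whitespace-only change, a `-`/`+` pair on an otherwise blank line, which makes the handful of substantive edits (TFTP, /dev/shm, the sysctl rules) hard to find in review. Splitting the whitespace normalization into its own commit, or noting in the commit message that the rest of the file only loses trailing whitespace, would keep the content changes reviewable.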
@@ -7508,7 +7492,7 @@ $ sudo chgrp root /etc/shadow $ sudo chown root /etc/shadow- - + @@ -7532,7 +7516,7 @@ $ sudo chown root /etc/shadow- $ sudo chgrp root /etc/shadow- - + @@ -7558,7 +7542,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log - + @@ -7584,7 +7568,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log - + @@ -7610,7 +7594,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chown root /var/log/messages - + @@ -7636,7 +7620,7 @@ The structure and content of error messages must be carefully considered by the $ sudo chgrp root /var/log/messages - + @@ -7664,7 +7648,7 @@ Run the following command, replacing "[FILE]" with any system command file not o $ sudo chown root [FILE] - + @@ -7692,7 +7676,7 @@ Run the following command, replacing "[FILE]" with any system command file not g $ sudo chgrp root [FILE] - + @@ -7718,7 +7702,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} + - + @@ -7744,7 +7728,7 @@ This requirement applies to RHEL 9 with software libraries that are accessible a $ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} + - + @@ -7772,7 +7756,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no $ sudo chown root [DIRECTORY] - + @@ -7800,7 +7784,7 @@ Run the following command, replacing "[DIRECTORY]" with any library directory no $ sudo chgrp root [DIRECTORY] - + @@ -7830,7 +7814,7 @@ $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root". - + @@ -7860,7 +7844,7 @@ $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root". - + 
@@ -7884,7 +7868,7 @@ Replace "[audit_tool]" with each audit tool not group-owned by "root". - + @@ -7908,7 +7892,7 @@ $ sudo chown root [cron config file] $ sudo chgrp root [cron config file] - + @@ -7932,7 +7916,7 @@ $ sudo chgrp root [cron config file] $ sudo chmod 0000 /etc/shadow - + @@ -7966,7 +7950,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPO $ sudo dnf install firewalld - + @@ -7999,7 +7983,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPO $ sudo systemctl enable --now firewalld - + @@ -8027,7 +8011,7 @@ FirewallBackend=nftables Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces. - + 
@@ -8055,21 +8039,21 @@ Set the promiscuous mode of an interface to off with the following command: $ sudo ip link set dev <devicename> multicast off promisc off - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-251045 RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8085,24 +8069,21 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: + Configure RHEL 9 to enable hardening for the BPF JIT compiler. -net.core.bpf_jit_harden = 2 +Create the drop-in file if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-net_core-bpf_jit_harden.conf + +Add the following line to the file: +net.core.bpf_jit_harden = 2 -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + @@ -8127,7 +8108,7 @@ $ sudo sysctl --system $ sudo dnf install chrony - + @@ -8154,7 +8135,7 @@ Synchronizing internal information system clocks provides uniformity of time sta $ sudo systemctl enable --now chronyd - + @@ -8181,7 +8162,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049</VulnDiscussion port 0 - + @@ -8208,7 +8189,7 @@ Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049</VulnDiscussion cmdport 0 - + @@ -8243,7 +8224,7 @@ $ nmcli connection modify [connection name] ipv4.dns [name server 1],[name serve Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. Replace [connection name] with a valid NetworkManager connection name on the system. Replace ipv4 with ipv6 if IPv6 DNS servers are used. - + @@ -8280,7 +8261,7 @@ NetworkManager must be reloaded for the change to take effect. $ sudo systemctl reload NetworkManager - + 
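Review bot: the @@ -8085,24 +8069,21 @@ hunk deletes the "Remove any configurations that conflict with the above from the following locations:" block (ending with `/etc/sysctl.conf` and `/etc/sysctl.d/*.conf`) and relies on the `99-` prefix of `/etc/sysctl.d/99-net_core-bpf_jit_harden.conf` to win. That is not sufficient: `sysctl --system` reads /etc/sysctl.conf after all of the drop-in directories, so a `net.core.bpf_jit_harden` line there overrides the new file regardless of its name, and a drop-in that sorts later than `99-net_core-...` in any of the listed directories does the same. The VulnDiscussion above the fixtext still explains exactly this precedence, so the fixtext should keep the instruction to remove conflicting entries from those locations. The same deletion is repeated in the later sysctl hunks of this patch (@@ -8448, @@ -8495 and @@ -8542) and the same comment applies there.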
@@ -8305,7 +8286,7 @@ $ sudo systemctl reload NetworkManager $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - + @@ -8337,7 +8318,7 @@ Then, run the following command: $ sudo newaliases - + @@ -8363,7 +8344,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061</VulnDiscussion $ sudo dnf install libreswan - + @@ -8387,7 +8368,7 @@ $ sudo dnf install libreswan $ sudo rm /[path]/[to]/[file]/shosts.equiv - + @@ -8411,14 +8392,14 @@ $ sudo rm /[path]/[to]/[file]/shosts.equiv $ sudo rm /[path]/[to]/[file]/.shosts - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253010 RHEL 9 must be configured to use TCP syncookies. <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
@@ -8429,7 +8410,7 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8448,38 +8429,33 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPO CCI-001095 CCI-002385 - Configure RHEL 9 to use TCP syncookies. + Configure RHEL 9 to use TCP syncookies. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.tcp_syncookies = 1 +$ sudo vi /etc/sysctl.d/99-ipv4_tcp_syncookies.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.tcp_syncookies = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253015 RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8495,38 +8471,33 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to ignore IPv4 ICMP redirect messages. + Configure RHEL 9 to ignore IPv4 ICMP redirect messages. -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.accept_redirects = 0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.accept_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253020 RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of which of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8542,33 +8513,28 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to not forward IPv4 source-routed packets. + Configure RHEL 9 to ignore IPv4 source-routed packets. -Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.accept_source_route=0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_source.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253025 RHEL 9 must log IPv4 packets with impossible addresses. <VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. 
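Review bot: the @@ -8542,33 +8513,28 @@ hunk changes the fixtext lead from "Configure RHEL 9 to not forward IPv4 source-routed packets." to "Configure RHEL 9 to ignore IPv4 source-routed packets.", which no longer matches the rule title ("must not forward ...") or the VulnDiscussion that says the requirement applies only to forwarding; keep the original wording. The VulnDiscussion line added just above it in @@ -8495 reads "regardless of which of the directories in which they reside", a grammar slip the other sysctl hunks in this patch avoid ("regardless of the directories in which they reside"); align it with them. Minor: the file name `99-ipv4_accept_source.conf` truncates the sysctl name, whereas the neighbouring hunks name the file after the full key (`99-ipv4_tcp_syncookies.conf`, `99-ipv4_accept_redirects.conf`); `99-ipv4_accept_source_route.conf` would follow the same pattern.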
@@ -8581,7 +8547,7 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8597,25 +8563,28 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to log martian packets on IPv4 interfaces. + Configure RHEL 9 to log martian packets on IPv4 interfaces. -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: +$ sudo vi /etc/sysctl.d/99-ipv4_log_martians.conf + +Add the following line to the file: net.ipv4.conf.all.log_martians=1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253030 RHEL 9 must log IPv4 packets with impossible addresses by default. <VulnDiscussion>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. 
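Review bot: the retained line `net.ipv4.conf.all.log_martians=1` has no spaces around `=`, while every other hunk in this patch normalizes the key/value to `key = value` (e.g. `net.ipv4.conf.all.rp_filter = 1`); since the line is already being moved under a new "Add the following line to the file:" heading, normalize it to `net.ipv4.conf.all.log_martians = 1` for consistency.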
@@ -8628,7 +8597,7 @@ There may be shared resources with configurable protections (e.g., files in stor Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8644,30 +8613,33 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to log martian packets on IPv4 interfaces by default. + Configure RHEL 9 to log martian packets on IPv4 interfaces by default. -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.default.log_martians = 1 +$ sudo vi /etc/sysctl.d/99-ipv4_log_martians.conf -Load settings from all system configuration files with the following command: +Add the following line to the file: +net.ipv4.conf.default.log_martians=1 + +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253035 RHEL 9 must use reverse path filtering on all IPv4 interfaces. <VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
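Review bot: this hunk goes the opposite direction from the rest of the patch, replacing `net.ipv4.conf.default.log_martians = 1` with the unspaced `net.ipv4.conf.default.log_martians=1`; keep the spaced form used by the neighbouring rules. Reusing `99-ipv4_log_martians.conf` for both the `all` and `default` variants is fine, but then the first sentence should read "Create or edit the configuration file" rather than only "Create a configuration file if it does not already exist", since on a system that already applied RHEL-09-253025 the file exists and the operator is appending a second line.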
@@ -8683,38 +8655,35 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file in the "/etc/sysctl.d" directory: + Configure RHEL 9 to use reverse path filtering on all IPv4 interfaces. -net.ipv4.conf.all.rp_filter = 1 +Create a configuration file if it does not already exist: -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +$ sudo vi /etc/sysctl.d/99-ipv4_rp_filter.conf + +Add the following line to the file: +net.ipv4.conf.all.rp_filter = 1 -The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253040 RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. 
Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
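Review bot: the file name `99-ipv4_rp_filter.conf` here does not match `ipv4_rp_filter.conf` (no `99-` prefix) given for the `default` variant in RHEL-09-253050 later in this patch; the two rp_filter settings should land in one consistently named file, otherwise readers following both rules create two files for one setting. As in the source-route hunk, the "Remove any configurations that conflict" list is removed without a replacement check; consider adding `$ sudo sysctl net.ipv4.conf.all.rp_filter` after the reload so a later-sorting override is noticed.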
@@ -8730,38 +8699,33 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to prevent IPv4 ICMP redirect messages from being accepted. + Configure RHEL 9 to prevent IPv4 ICMP redirect messages from being accepted. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.default.accept_redirects = 0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.default.accept_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253045 RHEL 9 must not forward IPv4 source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
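Review bot: the rule title says RHEL 9 "must prevent IPv4 ICMP redirect messages from being accepted", but the only line the fix text adds is `net.ipv4.conf.default.accept_redirects = 0`, which affects interfaces created after the setting is applied; the `all` key is not mentioned anywhere in the hunk. If the intent is that a sibling rule covers `net.ipv4.conf.all.accept_redirects`, say so in the fix text, since the removed conflict-removal list was the only hint that other sysctl sources matter. The file name `99-ipv4_accept_redirects.conf` is also the last one in the patch carrying the `99-` prefix before the convention changes to bare `ipv4_*.conf` names.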
@@ -8777,33 +8741,28 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to not forward IPv4 source-routed packets by default. + Configure RHEL 9 to not forward IPv4 source-routed packets by default. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.default.accept_source_route=0 +$ sudo vi /etc/sysctl.d/99-ipv4_accept_source_route.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.default.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253050 RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. <VulnDiscussion>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. 
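Review bot: `99-ipv4_accept_source_route.conf` is the more descriptive name, but it differs from `99-ipv4_accept_source.conf` used for `net.ipv4.conf.all.accept_source_route` in RHEL-09-253020 in the same patch; pick one name for both the `all` and `default` keys so they are managed in a single file, and apply the same "Create or edit" wording noted for the log_martians pair.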
@@ -8824,25 +8783,28 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to use reverse path filtering on IPv4 interfaces by default. + Configure RHEL 9 to use reverse path filtering on IPv4 interfaces by default. + +Create a configuration file if it does not already exist: -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: +$ sudo vi /etc/sysctl.d/ipv4_rp_filter.conf +Add the following line to the file: net.ipv4.conf.default.rp_filter = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253055 RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. <VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. 
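Review bot: the file name `ipv4_rp_filter.conf` drops the `99-` prefix that every earlier hunk uses, and the hunk also omits the blank line between `$ sudo vi /etc/sysctl.d/ipv4_rp_filter.conf` and `Add the following line to the file:` that the other hunks include. A bare letter-initial name still sorts after `99-*` files in lexicographical order, so the precedence argument in the VulnDiscussion holds, but mixing `99-ipv4_rp_filter.conf` (RHEL-09-253035) and `ipv4_rp_filter.conf` (this rule) for the two halves of one setting is confusing; standardize on one prefix convention across the patch.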
@@ -8851,7 +8813,7 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8867,38 +8829,33 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. + Configure RHEL 9 to ignore IPv4 ICMP echoes sent to a broadcast address. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.icmp_echo_ignore_broadcasts=1 +$ sudo vi /etc/sysctl.d/ipv4_icmp_echo_ignore_broadcasts.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.icmp_echo_ignore_broadcasts = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253060 RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. <VulnDiscussion>Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8914,32 +8871,35 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to not log bogus ICMP errors: + Configure RHEL 9 to not log bogus ICMP errors: -Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: +$ sudo vi /etc/sysctl.d/ipv4_icmp_ignore_bogus_error_responses.conf + +Add the following line to the file: net.ipv4.icmp_ignore_bogus_error_responses = 1 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253065 RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -8955,70 +8915,75 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. + Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.send_redirects=0 +$ sudo vi /etc/sysctl.d/ipv4_send_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.send_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253070 RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. + <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers. 
-The ability to send ICMP redirects is only appropriate for systems acting as routers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 9 - DISA - DPMS Target - Red Hat Enterprise Linux 9 +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. + +/etc/sysctl.d/*.conf +/run/sysctl.d/*.conf +/usr/local/lib/sysctl.d/*.conf +/usr/lib/sysctl.d/*.conf +/lib/sysctl.d/*.conf +/etc/sysctl.conf</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 9 + DISA + DPMS Target + Red Hat Enterprise Linux 9 5551 CCI-000366 - Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. + Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. 
-Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: +$ sudo vi /etc/sysctl.d/ipv4_send_redirect.conf + +Add the following line to the file: net.ipv4.conf.default.send_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-253075 RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
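Review bot: the two send_redirects rules use different file names, `ipv4_send_redirects.conf` for `net.ipv4.conf.all.send_redirects` and `ipv4_send_redirect.conf` (singular) for `net.ipv4.conf.default.send_redirects`; this looks like a typo rather than an intentional split and should be one file. In the RHEL-09-253070 portion the line "Load settings from all system configuration files with the following command:" is left unchanged while every other hunk rewrites it to "Reload settings ...", so the wording is now inconsistent within the same patch.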
@@ -9034,40 +8999,35 @@ The sysctl --system command will load settings from all system configuration fil 5551 CCI-000366 - Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. + Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv4.conf.all.forwarding=0 +$ sudo vi /etc/sysctl.d/ipv4_forwarding.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv4.conf.all.forwarding = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254010 RHEL 9 must not accept router advertisements on all IPv6 interfaces. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -9084,38 +9044,33 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. + Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.all.accept_ra=0 +$ sudo vi /etc/sysctl.d/ipv4_accept_ra.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.all.accept_ra = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254015 RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
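Review bot: the file name `ipv4_accept_ra.conf` is wrong for this rule: the line being added is `net.ipv6.conf.all.accept_ra = 0`, an IPv6 sysctl, and the neighbouring IPv6 rules use `ipv6_*.conf` names (e.g. `ipv6_accept_redirects.conf` in RHEL-09-254015). Rename it to `ipv6_accept_ra.conf` so the file name does not mislead an operator auditing which family a drop-in configures.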
@@ -9132,38 +9087,33 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to ignore IPv6 ICMP redirect messages. + Configure RHEL 9 to ignore IPv6 ICMP redirect messages. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.all.accept_redirects = 0 +$ sudo vi /etc/sysctl.d/ipv6_accept_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.all.accept_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254020 RHEL 9 must not forward IPv6 source-routed packets. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
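Review bot: dropping the "Remove any configurations that conflict with the above from the following locations" paragraph in the RHEL-09-254015 fix text leaves the remediation incomplete, because the VulnDiscussion kept in the same hunk still explains that the lexicographically latest file name wins and that /etc/sysctl.conf is read after /etc/sysctl.d. A system with `net.ipv6.conf.all.accept_redirects = 1` in /etc/sysctl.conf or in a later-sorting /etc/sysctl.d file will still fail the check after the operator follows the new steps, and nothing in the fix text tells them why. Keep the conflict-removal list, or at least add a verification step after `$ sudo sysctl --system`, such as `$ sudo sysctl net.ipv6.conf.all.accept_redirects`, whose output should read `net.ipv6.conf.all.accept_redirects = 0`. The same paragraph is dropped in the five sibling sysctl hunks (RHEL-09-254020 through 254040), so whichever way this is resolved should be applied to all six.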
@@ -9180,38 +9130,33 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to not forward IPv6 source-routed packets. + Configure RHEL 9 to not accept IPv6 source-routed packets. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.all.accept_source_route=0 +$ sudo vi /etc/sysctl.d/ipv6_accept_source_route.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.all.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254025 RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. 
+The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
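Review bot: the new fix title "Configure RHEL 9 to not accept IPv6 source-routed packets." no longer matches the RHEL-09-254020 Group title kept in the preceding hunk ("RHEL 9 must not forward IPv6 source-routed packets.") or its VulnDiscussion, which says the requirement "applies only to the forwarding of source-routed traffic". `net.ipv6.conf.all.accept_source_route` governs acceptance, so "accept" is the more precise word, but then the title and discussion should change in the same commit rather than leaving the fix describing one behaviour and the rule text another. The @@ -9374 hunk introduces the same forward/accept mismatch for RHEL-09-254040.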
@@ -9228,38 +9173,33 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. + Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.all.forwarding=0 +$ sudo vi /etc/sysctl.d/ipv6_forwarding.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.all.forwarding = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254030 RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. An illicit router advertisement message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -9276,38 +9216,33 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. + Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.default.accept_ra=0 +$ sudo vi /etc/sysctl.d/ipv6_accept_ra.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.default.accept_ra = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254035 RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. 
Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf 
@@ -9324,40 +9259,35 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to prevent IPv6 ICMP redirect messages from being accepted. + Configure RHEL 9 to prevent IPv6 ICMP redirect messages from being accepted. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.default.accept_redirects = 0 +$ sudo vi /etc/sysctl.d/ipv6_accept_redirects.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.default.accept_redirects = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-254040 RHEL 9 must not forward IPv6 source-routed packets by default. <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It must be disabled unless it is absolutely required. -The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of the directories in which they reside. 
If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. +The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographical order, regardless of the directories in which they reside. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. /etc/sysctl.d/*.conf /run/sysctl.d/*.conf @@ -9374,26 +9304,21 @@ The sysctl --system command will load settings from all system configuration fil CCI-000366 - Configure RHEL 9 to not forward IPv6 source-routed packets by default. + Configure RHEL 9 to not accept IPv6 source-routed packets by default. -Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: +Create a configuration file if it does not already exist: -net.ipv6.conf.default.accept_source_route=0 +$ sudo vi /etc/sysctl.d/ipv6_accept_source_route.conf -Remove any configurations that conflict with the above from the following locations: -/run/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf -/usr/lib/sysctl.d/*.conf -/lib/sysctl.d/*.conf -/etc/sysctl.conf -/etc/sysctl.d/*.conf +Add the following line to the file: +net.ipv6.conf.default.accept_source_route = 0 -Load settings from all system configuration files with the following command: +Reload settings from all system configuration files with the following command: $ sudo sysctl --system - + - + 
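Review bot: with this change RHEL-09-254035 tells the operator to create /etc/sysctl.d/ipv6_accept_redirects.conf, the same file name RHEL-09-254015 now uses for `net.ipv6.conf.all.accept_redirects`, and the @@ -9374 hunk does the same for RHEL-09-254040 and 254020 with ipv6_accept_source_route.conf. Sharing a file is fine, but "Create a configuration file if it does not already exist" followed by `$ sudo vi ...` and "Add the following line to the file" reads as if the file holds only that one line; an operator applying 254035 after 254015 with a fresh file would undo the first setting. Either use a distinct file name per rule or word the step as "Add the following line to the file, creating it if necessary".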
@@ -9426,7 +9351,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ sudo dnf install openssh-server - + @@ -9459,7 +9384,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO $ systemctl enable --now sshd - + @@ -9483,7 +9408,7 @@ $ systemctl enable --now sshd $ sudo dnf install openssh-clients - + @@ -9518,7 +9443,7 @@ An example configuration line is: Banner /etc/issue - + @@ -9546,7 +9471,7 @@ Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service - + @@ -9579,7 +9504,7 @@ Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service - + @@ -9609,7 +9534,7 @@ Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service - + @@ -9640,7 +9565,7 @@ Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service - + @@ -9668,7 +9593,7 @@ Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service - + @@ -9708,7 +9633,7 @@ Setting system policy to FIPS Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - + @@ -9748,7 +9673,7 @@ Setting system policy to FIPS Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - + @@ -9776,7 +9701,7 @@ Restart the SSH daemon for the settings to take effect: $ sudo systemctl restart sshd.service - + @@ -9804,7 +9729,7 @@ Restart the SSH daemon for the setting to take effect: $ sudo systemctl restart sshd.service - + @@ -9842,7 +9767,7 @@ Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service - + @@ -9881,7 +9806,7 @@ For the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service - + 
@@ -9921,7 +9846,7 @@ For the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service - + @@ -9945,7 +9870,7 @@ $ sudo systemctl restart sshd.service $ sudo chgrp root /etc/ssh/sshd_config /etc/ssh/sshd_config.d - + @@ -9969,7 +9894,7 @@ $ sudo chgrp root /etc/ssh/sshd_config /etc/ssh/sshd_config.d $ sudo chown -R root /etc/ssh/sshd_config /etc/ssh/sshd_config.d - + @@ -9997,7 +9922,7 @@ Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service - + 
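Review bot: the one-line `-`/`+` hunks in this run (from @@ -9426 through @@ -9997) show nothing but the removed and added line markers, so they appear to change only whitespace. Several dozen such hunks make the substantive changes (the sysctl fix text, the 255130 discussion, the removed Groups, the 412080 and 611160 fixes) hard to find in review; consider landing the whitespace cleanup as its own commit, or at least say in the commit message what the whitespace change is.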
@@ -10025,17 +9950,22 @@ Restart the SSH daemon for the changes to take effect: $ sudo systemctl restart sshd.service - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-255130 RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication. - <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. + +Compression options are: +no - disables compression +delayed - allow compression only after authentication +yes - enables compression before authentication, which can leak sensitive metadata and is not recommended</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> DPMS Target Red Hat Enterprise Linux 9 DISA @@ -10055,7 +9985,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + 
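Review bot: the option list added to the RHEL-09-255130 VulnDiscussion describes "yes" as enabling compression before authentication and warns that it "can leak sensitive metadata". That does not describe the sshd shipped on RHEL 9: OpenSSH 7.4 removed pre-authentication compression from the server and since then accepts "delayed" only as a legacy alias for "yes", so on this platform the two values behave identically and "no" is the only value that changes anything. Check the wording against the sshd_config(5) man page on the target, and make sure the check and fix text for this rule still agree on which values pass (the title accepts "no" or compression only after authentication). As written, the discussion ascribes to "yes" a behaviour the target's sshd no longer has.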
@@ -10087,7 +10017,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10119,7 +10049,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10149,7 +10079,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10179,7 +10109,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10209,7 +10139,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10239,7 +10169,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10269,7 +10199,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10299,7 +10229,7 @@ The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd.service - + @@ -10345,7 +10275,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -10389,7 +10319,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -10426,7 +10356,7 @@ Then update the dconf system databases: $ sudo dconf update - + 
@@ -10460,41 +10390,7 @@ Then update the dconf system databases: $ sudo dconf update - - - - - - SRG-OS-000114-GPOS-00059 - <GroupDescription></GroupDescription> - - RHEL-09-271035 - RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. - <VulnDiscussion>Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 9 - DISA - DPMS Target - Red Hat Enterprise Linux 9 - 5551 - - - CCI-000778 - CCI-001958 - Configure the GNOME desktop to not allow a user to change the setting that disables autorun on removable media. - -Add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification: - -/org/gnome/desktop/media-handling/autorun-never - -Then update the dconf system databases: - -$ sudo dconf update - - - + @@ -10522,7 +10418,7 @@ Set AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.con AutomaticLoginEnable=false - + @@ -10566,7 +10462,7 @@ Then update the dconf system databases: $ sudo dconf update - + @@ -10601,7 +10497,7 @@ Then update the dconf system databases: $ sudo dconf update - + 
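Review bot: this hunk deletes the entire RHEL-09-271035 Group (the dconf lock on /org/gnome/desktop/media-handling/autorun-never) with nothing in the diff saying why. Its VulnDiscussion was about nonces and one-time authenticators and never matched the autorun subject, so dropping it may well be right, but the commit message should name the STIG release that retired the ID, and whatever entry under controls/ or in a product profile maps RHEL-09-271035 to a rule in this repository needs to go in the same change, otherwise the build keeps referencing a vulnerability ID that is no longer in the benchmark. The same applies to the RHEL-09-271065 and RHEL-09-412075 Groups removed further down.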
@@ -10646,47 +10542,7 @@ Run the following command to update the database: $ sudo dconf update - - - - - - SRG-OS-000029-GPOS-00010 - <GroupDescription></GroupDescription> - - RHEL-09-271065 - RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. - <VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. - -Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 9 - DISA - DPMS Target - Red Hat Enterprise Linux 9 - 5551 - - - CCI-000057 - CCI-000060 - Configure RHEL 9 to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. - -Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: - -$ sudo touch /etc/dconf/db/local.d/00-screensaver - -Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: - -[org/gnome/desktop/session] -# Set the lock time out to 900 seconds before the session is considered idle -idle-delay=uint32 900 - -Update the system databases: - -$ sudo dconf update - - - + @@ -10726,7 +10582,7 @@ Run the following command to update the database: $ sudo dconf update - + 
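Review bot: removing the RHEL-09-271065 Group drops the benchmark text requiring a graphical session lock after 15 minutes of inactivity (idle-delay=uint32 900). Before merging, confirm that the requirement now lives under a different STIG ID in this revision or is intentionally gone; if it still exists under another ID, the rule this repository mapped to 271065 should be remapped rather than silently losing its STIG reference.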
@@ -10763,7 +10619,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -10792,7 +10648,7 @@ Update the dconf system databases: $ sudo dconf update - + @@ -10827,7 +10683,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -10862,7 +10718,7 @@ Run the following command to update the database: $ sudo dconf update - + @@ -10897,7 +10753,7 @@ Update the system databases: $ sudo dconf update - + @@ -10926,7 +10782,7 @@ install usb-storage /bin/false blacklist usb-storage - + @@ -10962,7 +10818,7 @@ $ sudo systemctl status usbguard Note: usbguard will need to be configured to allow authorized devices once it is enabled on RHEL 9. - + @@ -10989,7 +10845,7 @@ The system administrator (SA) must work with the site information system securit $ sudo systemctl enable --now usbguard - + @@ -11031,7 +10887,7 @@ Add or edit the following line in /etc/usbguard/usbguard-daemon.conf AuditBackend=LinuxAudit - + @@ -11063,7 +10919,7 @@ blacklist bluetooth Reboot the system for the settings to take effect. - + @@ -11092,7 +10948,7 @@ Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60 - + @@ -11117,7 +10973,7 @@ PASS_MAX_DAYS 60 passwd -x 60 [user] - + @@ -11141,7 +10997,7 @@ passwd -x 60 [user] CREATE_HOME yes - + @@ -11167,7 +11023,7 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPO Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. - + @@ -11199,7 +11055,7 @@ $ sudo usermod --shell /sbin/nologin <user> Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. - + @@ -11223,7 +11079,7 @@ Do not perform the steps in this section on the root account. Doing so will caus Edit the file "/etc/passwd" and ensure that every user's GID is a valid GID. - + 
@@ -11257,7 +11113,7 @@ $ sudo useradd -D -f 35 The recommendation is 35 days, but a lower value is acceptable. - + @@ -11279,7 +11135,7 @@ The recommendation is 35 days, but a lower value is acceptable. Create and assign home directories to all local interactive users on RHEL 9 that currently do not have a home directory assigned. - + @@ -11308,7 +11164,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: deny = 3 - + @@ -11339,7 +11195,7 @@ Edit the "/etc/security/faillock.conf" by uncommenting or adding the following l even_deny_root - + @@ -11370,7 +11226,7 @@ Then edit the "/etc/security/faillock.conf" file as follows: fail_interval = 900 - + @@ -11401,7 +11257,7 @@ Edit the "/etc/security/faillock.conf" file as follows: unlock_time = 0 - + @@ -11425,7 +11281,7 @@ unlock_time = 0 If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - + @@ -11451,7 +11307,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: dir = /var/log/faillock - + @@ -11473,7 +11329,7 @@ dir = /var/log/faillock Edit the file "/etc/group" and provide each group that has a duplicate GID with a unique GID. - + @@ -11504,7 +11360,7 @@ Add or edit the following line in "/etc/profile.d/tmout.sh": declare -xr TMOUT=600 - + @@ -11532,7 +11388,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con * hard maxlogins 10 - + @@ -11562,7 +11418,7 @@ Add/modify the "/etc/security/faillock.conf" file to match the following line: audit - + @@ -11588,7 +11444,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to 4 or grea FAIL_DELAY 4 - + @@ -11616,7 +11472,7 @@ Add or edit the lines for the "umask" parameter in the "/etc/bashrc" file to "07 umask 077 - + 
@@ -11644,7 +11500,7 @@ Add or edit the lines for the "umask" parameter in the "/etc/csh.cshrc" file to umask 077 - + @@ -11670,7 +11526,7 @@ Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to UMASK 077 - + 
@@ -11698,40 +11554,14 @@ Add or edit the lines for the "umask" parameter in the "/etc/profile" file to "0 umask 077 - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - RHEL-09-412075 - RHEL 9 must display the date and time of the last successful account logon upon logon. - <VulnDiscussion>Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Red Hat Enterprise Linux 9 - DISA - DPMS Target - Red Hat Enterprise Linux 9 - 5551 - - CCI-000366 - Configure RHEL 9 to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". - -Add the following line to the top of "/etc/pam.d/postlogin": - -session required pam_lastlog.so showfailed - - - + SRG-OS-000163-GPOS-00072 <GroupDescription></GroupDescription> - + RHEL-09-412080 RHEL 9 must terminate idle user sessions. 
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -11743,16 +11573,24 @@ session required pam_lastlog.so showfailed 5551 CCI-001133 - Configure RHEL 9 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + Configure RHEL 9 to log out idle sessions. + +Create the directory if necessary: + +$ mkdir -p /etc/systemd/logind.conf.d/ + +Create a *.conf file in /etc/systemd/logind.conf.d/ with the following content: -StopIdleSessionSec=900 +[Login] +StopIdleSessionSec=600 +KillUserProcesses=no -The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: +Restart systemd-logind: -$ sudo systemctl restart systemd-logind - +$ systemctl restart systemd-logind + - + @@ -11785,7 +11623,7 @@ Edit the file "/etc/selinux/config" and add or modify the following line: A reboot is required for the changes to take effect. - + @@ -11815,7 +11653,7 @@ Edit the file "/etc/selinux/config" and add or modify the following line: A reboot is required for the changes to take effect. - + @@ -11843,7 +11681,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068</VulnDiscussion $ sudo dnf install policycoreutils - + @@ -11867,7 +11705,7 @@ $ sudo dnf install policycoreutils $ sudo dnf install policycoreutils-python-utils - + @@ -11891,7 +11729,7 @@ $ sudo dnf install policycoreutils-python-utils $ sudo dnf install sudo - + 
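Review bot: the RHEL-09-412080 fix now sets StopIdleSessionSec=600 where the previous text had 900, and the hunk shows no matching change to the check text or the VulnDiscussion, so the rule's check and fix may now disagree on the required timeout; please confirm 600 is what the STIG revision specifies and update the check side in the same commit. Two smaller points in the same hunk: `KillUserProcesses=no` is added to the drop-in with no explanation, and it concerns killing a user's processes at logout rather than idle sessions, so either say in the discussion why it is set or drop it; and the new `$ mkdir -p /etc/systemd/logind.conf.d/` and `$ systemctl restart systemd-logind` lines lost the `sudo` prefix that every other privileged command in this file carries.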
@@ -11922,7 +11760,7 @@ Add the following line to "/etc/sudoers" or a file in "/etc/sudoers.d": Defaults timestamp_timeout=0 - + @@ -11948,7 +11786,7 @@ Defaults !rootpw Defaults !runaspw - + @@ -11979,7 +11817,7 @@ Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files i $ sudo sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/* - + @@ -12004,14 +11842,14 @@ ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL - + SRG-OS-000373-GPOS-00156 <GroupDescription></GroupDescription> - + RHEL-09-432035 RHEL 9 must restrict the use of the "su" command. <VulnDiscussion>The "su" program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such commands is considered a good security practice. @@ -12038,7 +11876,7 @@ $ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_whee If necessary, create a "wheel" group and add administrative users to the group. - + @@ -12073,7 +11911,7 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154</VulnDiscussion $ sudo dnf install fapolicyd - + @@ -12108,7 +11946,7 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154</VulnDiscussion $ systemctl enable --now fapolicyd - + @@ -12141,7 +11979,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a retry = 3 - + @@ -12169,7 +12007,7 @@ Otherwise, remove any instances of the "nullok" option in the "/etc/pam.d/passwo Note: Manual changes to the listed file may be overwritten by the "authselect" program. - + @@ -12199,7 +12037,7 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin password required pam_pwquality.so - + @@ -12225,7 +12063,7 @@ Add the following line to the "/etc/pam.d/system-auth" file(or modify the line t password required pam_pwquality.so - + 
@@ -12259,7 +12097,7 @@ password sufficient pam_unix.so sha512 rounds=100000 Note: Running authselect will overwrite this value unless a custom authselect policy is created. - + @@ -12293,7 +12131,7 @@ password sufficient pam_unix.so sha512 rounds=100000 Note: Running authselect will overwrite this value unless a custom authselect policy is created. - + @@ -12329,7 +12167,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a enforce_for_root - + @@ -12358,7 +12196,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a lcredit = -1 - + @@ -12387,7 +12225,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a dcredit = -1 - + @@ -12416,7 +12254,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ PASS_MIN_DAYS 1 - + @@ -12441,7 +12279,7 @@ PASS_MIN_DAYS 1 $ sudo passwd -n 1 [user] - + @@ -12472,7 +12310,7 @@ Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the $ sudo find /etc/sudoers /etc/sudoers.d -type f -exec sed -i '/NOPASSWD/ s/^/# /g' {} \; - + @@ -12507,7 +12345,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a minlen = 15 - + @@ -12534,7 +12372,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a ocredit = -1 - + @@ -12560,7 +12398,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a dictcheck=1 - + @@ -12587,7 +12425,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a ucredit = -1 - + @@ -12616,7 +12454,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a difok = 8 - + @@ -12645,7 +12483,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a maxclassrepeat = 4 - + @@ -12674,7 +12512,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a maxrepeat = 3 - + 
@@ -12703,7 +12541,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a minclass = 4 - + @@ -12732,7 +12570,7 @@ Add or change the following line in the "[defaults]" section of "/etc/libuser.co crypt_style = sha512 - + @@ -12761,7 +12599,7 @@ Add or update the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512 - + @@ -12788,7 +12626,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO Remove any occurrences of " pam_succeed_if " in the "/etc/pam.d/sudo" file. - + @@ -12818,14 +12656,14 @@ To lock an account: $ sudo passwd -l [username] - + SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> - + RHEL-09-611160 RHEL 9 must use the common access card (CAC) smart card driver. <VulnDiscussion>Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. @@ -12847,16 +12685,16 @@ Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPO CCI-000768 CCI-000770 CCI-001942 - Configure RHEL 9 to load the CAC driver. + Configure RHEL 9 to load the CAC driver. -$ sudo opensc-tool --set-conf-entry app:default:card_driver:cac +$ sudo opensc-tool --set-conf-entry app:default:card_drivers:cac Restart the pcscd service to apply the changes: $ sudo systemctl restart pcscd - + - + @@ -12885,7 +12723,7 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052</VulnDiscussion pam_cert_auth = True - + @@ -12930,7 +12768,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart $ sudo systemctl restart sssd.service - + @@ -12955,7 +12793,7 @@ $ sudo systemctl restart sssd.service $ sudo dnf install pcsc-lite - + 
@@ -12982,7 +12820,7 @@ The daemon program for pcsc-lite and the MuscleCard framework is pcscd. It is a $ sudo systemctl enable --now pcscd.socket - + @@ -13012,14 +12850,14 @@ Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161</VulnDiscussion $ sudo dnf install opensc - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-09-611195 RHEL 9 must require authentication to access emergency mode. <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. 
@@ -13033,21 +12871,34 @@ This requirement prevents attackers with physical access from trivially bypassin 5551 CCI-000213 - Configure RHEL 9 to require authentication for emergency mode. + Configure RHEL 9 to require authentication for emergency mode. -Add or modify the following line in the "/usr/lib/systemd/system/emergency.service" file: +Create a directory for supplementary configuration files: +$ sudo mkdir /etc/systemd/system/emergency.service.d/ -ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - +Copy the original file emergency.service file to the new directory with: +$ sudo cp /usr/lib/systemd/system/emergency.service /etc/systemd/system/emergency.service.d/emergency.service.conf + +Open the new file: +$ sudo vi /etc/systemd/system/emergency.service.d/emergency.service.conf + +Add or modify the following line in the new file: +ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + +Comment out or remove the ExecStart and ExecStartPre lines in /usr/lib/systemd/system/emergency.service as they can only exist in one location. + +Apply changes to unit files without rebooting the system: +$ sudo systemctl daemon-reload + - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-09-611200 RHEL 9 must require authentication to access single-user mode. <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
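Review bot: The new procedure in the `@@ -13033,21 +12871,34 @@` hunk ends by telling the operator to "Comment out or remove the ExecStart and ExecStartPre lines in /usr/lib/systemd/system/emergency.service", which undoes the point of using a drop-in: that file belongs to the systemd package and is replaced on update, at which point the vendor `ExecStart` returns and conflicts with the one in `emergency.service.d/`. The drop-in should instead contain only a `[Service]` section with an empty `ExecStart=` line to reset the list, followed by `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency`; that is how systemd expects a single-command service to be overridden, needs no edit to the vendor unit, and survives package updates. Copying the entire unit file into a `.conf` drop-in (`$ sudo cp /usr/lib/systemd/system/emergency.service /etc/systemd/system/emergency.service.d/emergency.service.conf`) also duplicates the `[Unit]` and `[Install]` sections, and `ExecStartPre` does not need to be removed at all. Minor: "Copy the original file emergency.service file" repeats "file". If this text is vendored from DISA, the defect should go back to them, and the repository's bash/Ansible remediation for this rule should not follow the literal procedure.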
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. @@ -13065,28 +12916,27 @@ For example, to extend the configuration of the network service, do not modify t 5551 CCI-000213 - Configure RHEL 9 to require authentication for single-user mode. + Configure RHEL 9 to require authentication for single-user mode. -Create a directory for supplementary configuration files at /etc/systemd/system/rescue.service.d/ +Create a directory for supplementary configuration files: +$ sudo mkdir /etc/systemd/system/rescue.service.d/ Copy the original file rescue.service file to the new directory with: - $ sudo cp /usr/lib/systemd/system/rescue.service /etc/systemd/system/rescue.service.d/rescue.service.conf -Add or modify the following line in the "etc/systemd/system/rescue.service.d/rescue.service.conf" file: +Open the new file: +$ sudo vi etc/systemd/system/rescue.service.d/rescue.service.conf +Add this line to the new file: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue -Apply changes to unit files without rebooting the system: - -$ sudo systemctl daemon-reload - -If the modified unit file belongs to a running service, restart the service: +Comment out or remove the ExecStart and ExecStartPre lines in /usr/lib/systemd/system/rescue.service as they can only exist in one location. -$ sudo systemctl restart rescue.service - +Apply changes to unit files without rebooting the system: +$ sudo systemctl daemon-reload + - + @@ -13112,7 +12962,7 @@ Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d offline_credentials_expiration = 1 - + @@ -13152,7 +13002,7 @@ Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPO /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - + 
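Review bot: In the `@@ -13065,28 +12916,27 @@` hunk the added line `$ sudo vi etc/systemd/system/rescue.service.d/rescue.service.conf` is missing the leading `/`; as written it is a relative path and opens a new file in the current directory instead of the drop-in created two steps earlier (the old quoted path had the same omission, so this was an opportunity to fix it). The same structural problem as the emergency.service procedure applies here: the added instruction to comment out `ExecStart`/`ExecStartPre` in `/usr/lib/systemd/system/rescue.service` edits a package-owned file, whereas a drop-in containing an empty `ExecStart=` followed by `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue` achieves the override without touching it. Dropping the old `$ sudo systemctl restart rescue.service` step is correct: rescue.service is not a running service on a live system, and `daemon-reload` is all that is needed.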
@@ -13179,7 +13029,7 @@ Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPO $ sudo dnf install rsyslog - + @@ -13205,7 +13055,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061</VulnDiscussion $ sudo dnf install rsyslog-gnutls - + @@ -13229,14 +13079,14 @@ $ sudo dnf install rsyslog-gnutls $ sudo systemctl enable --now rsyslog - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + RHEL-09-652025 RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. <VulnDiscussion>Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage leading to a denial of service. @@ -13250,9 +13100,12 @@ If the system is intended to be a log aggregation server, its use must be docume 5551 CCI-000366 - Configure RHEL 9 to not receive remote logs using rsyslog. + Configure RHEL 9 to not receive remote logs using rsyslog. Remove the lines in /etc/rsyslog.conf and any files in the /etc/rsyslog.d directory that match any of the following: +InputTCPServerRun +UDPServerRun +RELPServerRun module(load="imtcp") module(load="imudp") module(load="imrelp") @@ -13263,9 +13116,9 @@ input(type="imrelp" port="514") The rsyslog daemon must be restarted for the changes to take effect: $ sudo systemctl restart rsyslog.service - + - + @@ -13293,7 +13146,7 @@ The "rsyslog" service must be restarted for the changes to take effect with the $ sudo systemctl restart rsyslog.service - + @@ -13329,7 +13182,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion $ActionSendStreamDriverAuthMode x509/name - + 
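Review bot: The three names added in the `@@ -13250,9 +13100,12 @@` hunk (`InputTCPServerRun`, `UDPServerRun`, `RELPServerRun`) cover the legacy listener directives `$InputTCPServerRun`, `$UDPServerRun` and `$InputRELPServerRun` as substrings, but the list still has no legacy counterpart for the `module(load="imtcp")`, `module(load="imudp")` and `module(load="imrelp")` lines it already names, namely `$ModLoad imtcp`, `$ModLoad imudp` and `$ModLoad imrelp`. For the fix text to be consistent across both syntaxes those should be listed too; otherwise a configuration written entirely in legacy syntax is only half covered by the instructions, and the check text (not in this diff) should be verified to match the same set of strings.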
@@ -13365,7 +13218,7 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion $ActionSendStreamDriverMode 1 - + @@ -13395,14 +13248,14 @@ Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion $DefaultNetstreamDriver gtls - + SRG-OS-000479-GPOS-00224 <GroupDescription></GroupDescription> - + RHEL-09-652055 RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. @@ -13428,12 +13281,26 @@ Satisfies: SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPO 5551 CCI-001851 - Configure RHEL 9 to off-load audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. + Configure RHEL 9 to off-load audit records onto a different system or media from the system being audited via TCP using rsyslog by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. The following are examples of the configuration for the legacy syntax and for the newer Rainer script. Only one should be used. + +Using legacy '@host:port" syntax example: +*.* @@[remoteloggingserver]:[port] -*.* @@[remoteloggingserver]:[port] - +Using Rainer script example: +action( + type="omfwd" + target="logserver.example.com" + port="514" + protocol="tcp" + action.resumeRetryCount="-1" + queue.type="linkedList" + que.size="10000" +) + +Note: The Rainer Script above does not contain the required encryption settings. + - + @@ -13488,7 +13355,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO $ sudo dnf install audit - + 
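Review bot: In the `@@ -13428,12 +13281,26 @@` hunk the RainerScript example contains `que.size="10000"`, a typo for `queue.size`; rsyslog does not know a `que.size` parameter, so the example cannot be pasted as-is and will produce a configuration warning rather than the intended 10000-element queue. Two wording problems in the same hunk: `Using legacy '@host:port" syntax example:` mixes a single and a double quote, and it describes the UDP form while the line beneath it, `*.* @@[remoteloggingserver]:[port]`, is the double-`@` TCP form that the rule title requires, so the lead-in should read `@@host:port`. The product name is written "RainerScript", not "Rainer script". The closing note that the example lacks encryption settings is accurate; if it is kept, it should point the reader at the neighbouring rules that set `$DefaultNetstreamDriver gtls` and `$ActionSendStreamDriverMode 1`, since those are what make the forwarding compliant.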
@@ -13541,7 +13408,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPO $ sudo systemctl enable --now auditd - + @@ -13569,7 +13436,7 @@ disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - + @@ -13597,7 +13464,7 @@ disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - + @@ -13628,7 +13495,7 @@ If audit records are stored on a partition made specifically for audit records, If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created. - + @@ -13652,7 +13519,7 @@ If audit records are not stored on a partition made specifically for audit recor space_left = 25% - + @@ -13676,7 +13543,7 @@ space_left = 25% space_left_action = email - + @@ -13700,7 +13567,7 @@ space_left_action = email admin_space_left = 5% - + @@ -13728,7 +13595,7 @@ admin_space_left_action = single The audit daemon must be restarted for changes to take effect. - + @@ -13754,7 +13621,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: max_log_file_action = ROTATE - + @@ -13785,7 +13652,7 @@ name_format = hostname The audit daemon must be restarted for changes to take effect. - + @@ -13815,7 +13682,7 @@ overflow_action = syslog The audit daemon must be restarted for changes to take effect. - + @@ -13850,7 +13717,7 @@ action_mail_acct = root The audit daemon must be restarted for changes to take effect. - + 
@@ -13880,7 +13747,7 @@ local_events = yes The audit daemon must be restarted for the changes to take effect. - + @@ -13915,7 +13782,7 @@ Change the ownership to that group: $ sudo chgrp ${GROUP} /var/log/audit - + @@ -13944,14 +13811,14 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO $ sudo chown root /var/log/audit - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - + RHEL-09-653090 RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log. <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. @@ -13991,7 +13858,7 @@ $ sudo chmod 0600 $log_file $ sudo chmod 0400 $log_file.* - + @@ -14017,7 +13884,7 @@ freq = 100 The audit daemon must be restarted for the changes to take effect. - + @@ -14050,7 +13917,7 @@ log_format = ENRICHED The audit daemon must be restarted for changes to take effect. - + @@ -14078,7 +13945,7 @@ write_logs = yes The audit daemon must be restarted for changes to take effect. - + @@ -14104,7 +13971,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules $ sudo chmod 0640 /etc/audit/auditd.conf - + @@ -14137,7 +14004,7 @@ Satisfies: SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132</VulnDiscussion $ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192 - + 
@@ -14161,14 +14028,14 @@ $ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192 - + SRG-OS-000326-GPOS-00126 <GroupDescription></GroupDescription> - + RHEL-09-654010 RHEL 9 must audit uses of the "execve" system call. <VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. @@ -14197,17 +14064,17 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654015 RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -14240,17 +14107,17 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654020 RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls. - <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). @@ -14283,14 +14150,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654025 RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14326,7 +14193,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14365,7 +14232,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14405,7 +14272,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + 
@@ -14445,7 +14312,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14485,7 +14352,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14525,7 +14392,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14565,7 +14432,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14605,14 +14472,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654065 RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls. <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14646,14 +14513,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654070 RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -14690,14 +14557,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654075 RHEL 9 must audit all uses of the delete_module system call. <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14731,14 +14598,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654080 RHEL 9 must audit all uses of the init_module and finit_module system calls. <VulnDiscussion>Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. @@ -14772,7 +14639,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14812,7 +14679,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14852,7 +14719,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14892,7 +14759,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14932,7 +14799,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -14972,7 +14839,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15012,7 +14879,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + 
@@ -15052,7 +14919,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15092,7 +14959,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15132,7 +14999,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15172,7 +15039,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15212,7 +15079,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15252,7 +15119,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15292,7 +15159,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15332,7 +15199,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15372,7 +15239,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15412,7 +15279,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15452,7 +15319,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15492,7 +15359,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15532,7 +15399,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15572,7 +15439,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15600,7 +15467,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15628,7 +15495,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + 
@@ -15656,7 +15523,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15684,14 +15551,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654205 Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record. <VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. @@ -15717,14 +15584,14 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + SRG-OS-000037-GPOS-00015 <GroupDescription></GroupDescription> - + RHEL-09-654210 Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record. <VulnDiscussion>The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. @@ -15751,7 +15618,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15794,7 +15661,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15837,7 +15704,7 @@ To load the rules to the kernel immediately, use the following command: $ sudo augenrules --load - + @@ -15878,7 +15745,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + 
@@ -15919,7 +15786,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -15960,7 +15827,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -16005,7 +15872,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -16046,7 +15913,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" The audit daemon must be restarted for the changes to take effect. - + @@ -16079,7 +15946,7 @@ The audit daemon must be restarted for the changes to take effect. $ sudo service auditd restart - + @@ -16115,7 +15982,7 @@ The audit daemon must be restarted for the changes to take effect. $ sudo service auditd restart - + @@ -16146,7 +16013,7 @@ Add the following line to the bottom of the /etc/audit/rules.d/audit.rules file: -f 2 - + @@ -16177,7 +16044,7 @@ Satisfies: SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPO The audit daemon must be restarted for the changes to take effect. - + 
@@ -16211,7 +16078,45 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO The audit daemon must be restarted for the changes to take effect. - + + + + + + SRG-OS-000033-GPOS-00014 + <GroupDescription></GroupDescription> + + RHEL-09-671010 + RHEL 9 must enable FIPS mode. + <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Red Hat Enterprise Linux 9 + DISA + DPMS Target + Red Hat Enterprise Linux 9 + 5551 + + CCI-000068 + CCI-000877 + CCI-002418 + CCI-002450 + Configure the operating system to implement FIPS mode with the following command + +$ sudo fips-mode-setup --enable + +To ensure the kernel enables FIPS mode for early boot, "fips=1" must be added to the grub config: +$ sudo grubby --update-kernel=ALL --args="fips=1" + +Verify the setting with the following command: +$ cat /proc/cmdline +BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-570.21.1.el9_6.x86_64 
root=/dev/mapper/rhel-root ro resume=/dev/mapper/rhel-swap rd.luks.uuid=luks-cd37eb8d-a2c3-4671-96ee-1e6a3a681561 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=acbbb4ee-adc0-4cb2-9546-afab857b8849 audit_backlog_limit=8192 crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M + +Reboot the system for the changes to take effect. + + + @@ -16239,7 +16144,7 @@ Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - + @@ -16266,7 +16171,7 @@ Add the following line to "/etc/ipsec.conf": include /etc/crypto-policies/back-ends/libreswan.config - + @@ -16297,7 +16202,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include password sufficient pam_unix.so sha512 - + @@ -16325,7 +16230,7 @@ Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPO $ sudo dnf -y install crypto-policies - + @@ -16363,7 +16268,7 @@ Setting system policy to FIPS Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - + 
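Review bot: The new RHEL-09-671010 fix text in the `@@ -16211,7 +16078,45 @@` hunk presents `$ sudo grubby --update-kernel=ALL --args="fips=1"` as a required second step after `$ sudo fips-mode-setup --enable`, but `fips-mode-setup --enable` already rewrites the kernel command line itself, adding `fips=1` and, when /boot is a separate filesystem, the `boot=UUID=...` argument that the sample `/proc/cmdline` in the same hunk shows. The grubby step is therefore redundant after a successful `fips-mode-setup` run, and an operator who runs only the grubby step gets neither the `boot=` argument nor the FIPS crypto policy; present it as a fallback for when `fips=1` is missing, not as part of the normal procedure. The sample command line also carries a specific kernel version and LUKS/filesystem UUIDs that readers may take literally; it should be labelled illustrative or trimmed to the `fips=1` and `boot=UUID=` arguments that matter. Finally, verification should not stop at `cat /proc/cmdline`: after the reboot the text should have the operator confirm the mode is active with `fips-mode-setup --check` or `/proc/sys/crypto/fips_enabled`, since `fips=1` on the command line alone does not prove the policy took effect.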
@@ -16397,14 +16302,14 @@ Add the following line to the "options" section in "/etc/named.conf": include "/etc/crypto-policies/back-ends/bind.config"; - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-09-232103 RHEL 9 "/etc/audit/" must be owned by root. <VulnDiscussion>The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -16421,14 +16326,14 @@ include "/etc/crypto-policies/back-ends/bind.config"; $ sudo chown root /etc/audit/ - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + RHEL-09-232104 RHEL 9 "/etc/audit/" must be group-owned by root. <VulnDiscussion>The "/etc/audit/" directory contains files that ensure the proper auditing of command execution, privilege escalation, file manipulation, and more. Protection of this directory is critical for system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -16445,7 +16350,7 @@ $ sudo chown root /etc/audit/ $ sudo chgrp root /etc/audit/ - + 
@@ -16485,7 +16390,7 @@ Setting system policy to FIPS Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - + @@ -16525,7 +16430,7 @@ Setting system policy to FIPS Note: Systemwide crypto policies are applied on application startup. It is recommended to restart the system for the change of policies to fully take place. - + @@ -16567,14 +16472,14 @@ Once it is determined the allow list is built correctly, set the "fapolicyd" to permissive = 0 - + SRG-OS-000304-GPOS-00121 <GroupDescription></GroupDescription> - + RHEL-09-215101 RHEL 9 must have the Postfix package installed. <VulnDiscussion>Postfix is a free, open-source mail transfer agent (MTA) that sends and receives emails. It is a server-side application that can be used to set up a local mail server, create a null-client mail relay, use a Postfix server as a destination for multiple domains, or choose an LDAP directory instead of files for lookups. Postfix supports protocols such as LDAP, SMTP AUTH (SASL), and TLS. It uses the Simple Mail Transfer Protocol (SMTP) to transfer emails between servers. 
@@ -16593,14 +16498,14 @@ Satisfies: SRG-OS-000304-GPOS-00121, SRG-OS-000343-GPOS-00134, SRG-OS-000363-GPO $ sudo dnf install postfix - + SRG-OS-000445-GPOS-00199 <GroupDescription></GroupDescription> - + RHEL-09-431016 RHEL 9 must elevate the SELinux context when an administrator calls the sudo command. <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. @@ -16634,18 +16539,18 @@ Remove any configurations that conflict with the above from the following locati /etc/sudoers.d/ - + - + - Security Content Tool 1.6.0 + Security Content Tool 1.7.0 5.11 - 2025-09-27T11:04:04 + 2026-01-05T02:28:52 @@ -16667,16 +16572,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must use a reverse-path filter for IPv4 network traffic when possible by default. - - - - - - - The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. @@ -16724,15 +16619,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. - - - - - - The operating system /var/log/messages file must have mode 0640 or less permissive. 
@@ -16861,36 +16747,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must enable kernel parameters to enforce discretionary access control on hardlinks. - - - - - - - - - - The operating system must restrict access to the kernel message buffer. - - - - - - - - - - The operating system must prevent kernel profiling by unprivileged users. - - - - - - - The operating system must require users to provide a password for privilege escalation. @@ -16940,16 +16796,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - - - - - - - YUM must remove all software components after updated versions have been installed on the operating system. @@ -17121,14 +16967,13 @@ Remove any configurations that conflict with the above from the following locati - + The operating system must disable the kernel.core_pattern. - @@ -17449,16 +17294,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must display the date and time of the last successful account logon upon logon. - - - - - - - The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. @@ -18441,15 +18276,6 @@ Remove any configurations that conflict with the above from the following locati - - - The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for the operating system operational support. - - - - - - The root account must be the only account having unrestricted access to the operating system system. 
@@ -18459,146 +18285,25 @@ Remove any configurations that conflict with the above from the following locati - + - The operating system must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + The operating system must restrict usage of ptrace to descendant processes. - - + - + - The operating system must not send Internet Control Message Protocol (ICMP) redirects. + The operating system must be configured to prevent unrestricted mail relaying. - - + - - - The operating system must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - - - - - - - - - - The operating system must not forward IPv6 source-routed packets. - - - - - - - - - - The operating system must not forward IPv6 source-routed packets by default. - - - - - - - - - - The operating system must not enable IPv6 packet forwarding unless the system is a router. - - - - - - - - - - The operating system must not accept router advertisements on all IPv6 interfaces by default. - - - - - - - - - - The operating system must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - - - - - - - - - - The operating system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - - - - - - - - - - The operating system must disable access to network bpf syscall from unprivileged processes. - - - - - - - - - - The operating system must restrict usage of ptrace to descendant processes. - - - - - - - - - - The operating system must disable the use of user namespaces. - - - - - - - - - - The operating system must use reverse path filtering on all IPv4 interfaces. - - - - - - - - - - The operating system must be configured to prevent unrestricted mail relaying. - - - - - - - + The graphical display manager must not be installed on the operating system unless approved. 
@@ -18707,16 +18412,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must be configured to use TCP syncookies. - - - - - - - The operating system must display a banner before granting local or remote access to the system via a graphical user logon. @@ -18841,34 +18536,40 @@ Remove any configurations that conflict with the above from the following locati - + - The operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. + The operating system must enable kernel parameters to enforce discretionary access control on symlinks. - - - + + - + - The operating system must not forward IPv4 source-routed packets by default. + The operating system must enable kernel parameters to enforce discretionary access control on hardlinks. - - - + + - + - The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler. + The operating system must restrict access to the kernel message buffer. - - + + + + + + The operating system must prevent kernel profiling by unprivileged users. + + + + @@ -18881,6 +18582,15 @@ Remove any configurations that conflict with the above from the following locati + + + The operating system must not forward IPv6 source-routed packets by default. + + + + + + The operating system operating system must not have accounts configured with blank or null passwords. @@ -18926,15 +18636,6 @@ Remove any configurations that conflict with the above from the following locati - - - Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. - - - - - - The graphical display manager must not be the default target on the operating system unless approved. 
@@ -19044,6 +18745,15 @@ Remove any configurations that conflict with the above from the following locati + + + The system must terminate idle user sessions. + + + + + + The operating system must be a vendor-supported release. @@ -19109,24 +18819,13 @@ Remove any configurations that conflict with the above from the following locati - + The operating system must restrict exposed kernel pointer addresses access. - - - - - - - The operating system must enable kernel parameters to enforce discretionary access control on symlinks. - - - - - + @@ -19231,6 +18930,15 @@ Remove any configurations that conflict with the above from the following locati + + + The TFTP daemon must be configured to operate in secure mode. + + + + + + The operating system must not have the quagga package installed. @@ -19612,76 +19320,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. - - - - - - - - - - The operating system must not forward IPv4 source-routed packets. - - - - - - - - - - The operating system must log IPv4 packets with impossible addresses. - - - - - - - - - - The operating system must log IPv4 packets with impossible addresses by default. - - - - - - - - - - The operating system must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - - - - - - - - - - The operating system must not enable IPv4 packet forwarding unless the system is a router. - - - - - - - - - - The operating system must not accept router advertisements on all IPv6 interfaces. - - - - - - - All the operating system networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. 
@@ -19833,9 +19471,9 @@ Remove any configurations that conflict with the above from the following locati - + - The operating system SSH daemon must not allow authentication using known host’s authentication. + The operating system SSH daemon must not allow authentication using known host's authentication. @@ -19888,16 +19526,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must prevent a user from overriding the disabling of the graphical user interface autorun function. - - - - - - - The operating system must prevent a user from overriding the disabling of the graphical user smart card removal action. @@ -19908,16 +19536,6 @@ Remove any configurations that conflict with the above from the following locati - - - The operating system must automatically lock graphical user sessions after 15 minutes of inactivity. - - - - - - - The operating system must prevent a user from overriding the session lock-delay setting for the graphical user interface. @@ -20074,15 +19692,6 @@ Remove any configurations that conflict with the above from the following locati - - - The system must terminate idle user sessions. - - - - - - The operating system policycoreutils-python-utils package must be installed. @@ -20139,6 +19748,15 @@ Remove any configurations that conflict with the above from the following locati + + + Systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. + + + + + + The operating system password-auth must be configured to use a sufficient number of hashing rounds. 
@@ -20324,250 +19942,485 @@ Remove any configurations that conflict with the above from the following locati - + + + The operating system must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. + + + + + + + + + The operating system must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. + + + + + + + + + The operating system audit system must take appropriate action when the audit files have reached maximum size. + + + + + + + + + The operating system must periodically flush audit records to disk to prevent the loss of audit records. + + + + + + + + + The operating system must write audit records to disk. + + + + + + + + + The operating system audispd-plugins package must be installed. + + + + + + + + + Successful/unsuccessful uses of the init command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the poweroff command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the reboot command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the shutdown command in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the umount system call in the operating system must generate an audit record. + + + + + + + + + Successful/unsuccessful uses of the umount2 system call in the operating system must generate an audit record. + + + + + + + + + + The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. + + + + + + + + + The operating system must take appropriate action when a critical audit processing failure occurs. + + + + + + + + + The operating system must enable FIPS mode. 
+ + + + + + + + + + The operating system IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. + + + + + + + + + + + + + The operating system must have the crypto-policies package installed. + + + + + + + + + The operating system crypto policy must not be overridden. + + + + + + + + + + + + + + + + + + + + The operating system must implement DOD-approved encryption in the bind package. + + + + + + + + + The operating system library directories must have mode 0755 or less permissive. + + + + + + + + + + + + + The operating system "/etc/audit/" must be owned by root. + + + + + + + + + The operating system "/etc/audit/" must be group-owned by root. + + + + + + + + + The operating system SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + + + + + + + + + The operating system SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + + + + + + + + + The operating system fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + + + + + + + + + + The operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. + + + + + + + - The operating system must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. + The operating system must not allow users to override SSH environment variables. - + - + - The operating system must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. 
+ The operating system must disable the use of user namespaces. - + - + - The operating system audit system must take appropriate action when the audit files have reached maximum size. + The operating system must disable access to network bpf system call from nonprivileged processes. - + - + - The operating system must periodically flush audit records to disk to prevent the loss of audit records. + The operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - - + + - + - The operating system must write audit records to disk. + The operating system must enable hardening for the Berkeley Packet Filter Just-in-time compiler. - + - + - The operating system audispd-plugins package must be installed. + The operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. - + - + - Successful/unsuccessful uses of the init command in the operating system must generate an audit record. + The operating system must not forward IPv4 source-routed packets. - + - + - Successful/unsuccessful uses of the poweroff command in the operating system must generate an audit record. + The operating system must log IPv4 packets with impossible addresses. - + - + - Successful/unsuccessful uses of the reboot command in the operating system must generate an audit record. + The operating system must log IPv4 packets with impossible addresses by default. - + - + - Successful/unsuccessful uses of the shutdown command in the operating system must generate an audit record. + The operating system must use reverse path filtering on all IPv4 interfaces. - + - + - Successful/unsuccessful uses of the umount system call in the operating system must generate an audit record. + The operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
- - + + - + - Successful/unsuccessful uses of the umount2 system call in the operating system must generate an audit record. + The operating system must not forward IPv4 source-routed packets by default. - - + - + - The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock. + The operating system must use a reverse-path filter for IPv4 network traffic, when possible, by default. - + - + - The operating system must take appropriate action when a critical audit processing failure occurs. + The operating system must not enable IPv4 packet forwarding unless the system is a router. - + - + - The operating system IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms. + The operating system must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - - - - - - + + - + - The operating system must have the crypto-policies package installed. + The operating system must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. - + - + - The operating system crypto policy must not be overridden. + The operating system must not send Internet Control Message Protocol (ICMP) redirects. - - - - - - - - - - - - - + + - + - The operating system must implement DOD-approved encryption in the bind package. + The operating system must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - + - + - The operating system library directories must have mode 0755 or less permissive. + The operating system must not accept router advertisements on all IPv6 interfaces. - - - - - + - + - The operating system "/etc/audit/" must be owned by root. + The operating system must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - + - + - The operating system "/etc/audit/" must be group-owned by root. 
+ The operating system must not forward IPv6 source-routed packets. - + - + - The operating system SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + The operating system must not enable IPv6 packet forwarding unless the system is a router. - + - + - The operating system SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. + The operating system must not accept router advertisements on all IPv6 interfaces by default. - + - + - The operating system fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + The operating system must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - - + - + - The operating system must not allow users to override SSH environment variables. + The operating system must be configured to use TCP syncookies. - + @@ -20615,6 +20468,15 @@ Remove any configurations that conflict with the above from the following locati + + + The Trivial File Transfer Protocol (TFTP) server package is installed. + + + + + + The libreswan package is installed. @@ -20916,7 +20778,7 @@ Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPO - + RHEL-09-213010 - RHEL 9 must restrict access to the kernel message buffer. @@ -20933,10 +20795,10 @@ Restricting access to the kernel message buffer limits access to only root. This Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 - + - + RHEL-09-213015 - RHEL 9 must prevent kernel profiling by nonprivileged users. 
@@ -20953,7 +20815,7 @@ Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attacker Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069 - + @@ -20986,7 +20848,7 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPO - + RHEL-09-213030 - RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks. @@ -20997,10 +20859,10 @@ Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPO Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - + - + RHEL-09-213035 - RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks. @@ -21011,7 +20873,7 @@ Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125 - + @@ -21094,7 +20956,7 @@ The Transparent Inter Process Communication (TIPC) is a protocol that is special - + RHEL-09-213070 - RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. @@ -21105,10 +20967,10 @@ The Transparent Inter Process Communication (TIPC) is a protocol that is special Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227 - + - + RHEL-09-213075 - RHEL 9 must disable access to network bpf system call from nonprivileged processes. @@ -21119,7 +20981,7 @@ Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227 Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227 - + @@ -21186,7 +21048,7 @@ Enabling core dumps on production systems is not recommended; however, there may - + RHEL-09-213105 - RHEL 9 must disable the use of user namespaces. @@ -21195,7 +21057,7 @@ Enabling core dumps on production systems is not recommended; however, there may User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces. - + 
@@ -21408,18 +21270,20 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227 - + - RHEL-09-215060 - RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed. + RHEL-09-215060 - The Trivial File Transfer Protocol (TFTP) server must not be installed unless it is required, and if required, the RHEL 9 TFTP daemon must be configured to operate in secure mode. Red Hat Enterprise Linux 9 Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. -If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established. +If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established. + +Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. - + @@ -22618,7 +22482,7 @@ If the system is being used to perform a network troubleshooting function, the u - + RHEL-09-251045 - RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. @@ -22627,7 +22491,7 @@ If the system is being used to perform a network troubleshooting function, the u When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms". - + @@ -22772,7 +22636,7 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061 - + RHEL-09-253010 - RHEL 9 must be configured to use TCP syncookies. 
@@ -22785,10 +22649,10 @@ Managing excess capacity ensures that sufficient capacity is available to counte Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071 - + - + RHEL-09-253015 - RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. @@ -22799,10 +22663,10 @@ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPO This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. - + - + RHEL-09-253020 - RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets. @@ -22813,10 +22677,10 @@ This feature of the IPv4 protocol has few legitimate uses. It should be disabled Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required. - + - + RHEL-09-253025 - RHEL 9 must log IPv4 packets with impossible addresses. @@ -22825,10 +22689,10 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. - + - + RHEL-09-253030 - RHEL 9 must log IPv4 packets with impossible addresses by default. @@ -22837,10 +22701,10 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. - + - + RHEL-09-253035 - RHEL 9 must use reverse path filtering on all IPv4 interfaces. 
@@ -22849,10 +22713,10 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. - + - + RHEL-09-253040 - RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. @@ -22863,10 +22727,10 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required. - + - + RHEL-09-253045 - RHEL 9 must not forward IPv4 source-routed packets by default. @@ -22877,10 +22741,10 @@ This feature of the IPv4 protocol has few legitimate uses. It must be disabled u Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. - + - + RHEL-09-253050 - RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default. @@ -22889,10 +22753,10 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks. - + - + RHEL-09-253055 - RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. 
@@ -22903,10 +22767,10 @@ Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. - + - + RHEL-09-253060 - RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs. @@ -22915,10 +22779,10 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. - + - + RHEL-09-253065 - RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects. @@ -22929,10 +22793,10 @@ Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses mak The ability to send ICMP redirects is only appropriate for systems acting as routers. - + - + RHEL-09-253070 - RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. @@ -22943,10 +22807,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou The ability to send ICMP redirects is only appropriate for systems acting as routers. - + - + RHEL-09-253075 - RHEL 9 must not enable IPv4 packet forwarding unless the system is a router. @@ -22955,10 +22819,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. - + - + RHEL-09-254010 - RHEL 9 must not accept router advertisements on all IPv6 interfaces. 
@@ -22967,10 +22831,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou An illicit router advertisement message could result in a man-in-the-middle attack. - + - + RHEL-09-254015 - RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. @@ -22979,10 +22843,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou An illicit ICMP redirect message could result in a man-in-the-middle attack. - + - + RHEL-09-254020 - RHEL 9 must not forward IPv6 source-routed packets. @@ -22991,10 +22855,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - + - + RHEL-09-254025 - RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. @@ -23003,10 +22867,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. - + - + RHEL-09-254030 - RHEL 9 must not accept router advertisements on all IPv6 interfaces by default. @@ -23015,10 +22879,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou An illicit router advertisement message could result in a man-in-the-middle attack. - + - + RHEL-09-254035 - RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
@@ -23027,10 +22891,10 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - + - + RHEL-09-254040 - RHEL 9 must not forward IPv6 source-routed packets by default. @@ -23041,7 +22905,7 @@ The ability to send ICMP redirects is only appropriate for systems acting as rou Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It must be disabled unless it is absolutely required. - + @@ -23254,7 +23118,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000033-GPOS-00014, SRG-OS-000424-GPO - + RHEL-09-255095 - RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive. @@ -23269,7 +23133,7 @@ RHEL 9 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the s Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109 - + @@ -23510,20 +23374,6 @@ Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPO - - - RHEL-09-271035 - RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function. - - Red Hat Enterprise Linux 9 - - Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. - -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227 - - - - - RHEL-09-271040 - RHEL 9 must not allow unattended or automatic logon via the graphical user interface. 
@@ -23586,20 +23436,6 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011 - - - RHEL-09-271065 - RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity. - - Red Hat Enterprise Linux 9 - - A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, the GNOME desktop can be configured to identify when a user's session has idled and take action to initiate a session lock. - -Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012 - - - - - RHEL-09-271070 - RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface. @@ -24060,19 +23896,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 - - - RHEL-09-412075 - RHEL 9 must display the date and time of the last successful account logon upon logon. - - Red Hat Enterprise Linux 9 - - Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. - - - - - - + RHEL-09-412080 - RHEL 9 must terminate idle user sessions. @@ -24081,7 +23905,7 @@ Satisfies: SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227 Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. - + 
@@ -24268,7 +24092,7 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 - + RHEL-09-611010 - RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less. @@ -24278,12 +24102,12 @@ Satisfies: SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154 RHEL 9 uses "pwquality" as a mechanism to enforce password complexity. This is set in both: /etc/pam.d/password-auth -/etc/pam.d/system-auth +/etc/security/pwquality.conf By limiting the number of attempts to meet the pwquality module complexity requirements before returning with an error, the system will audit abnormal attempts at password changes. - + @@ -24499,13 +24323,13 @@ The DOD minimum password requirement is 15 characters. - + RHEL-09-611115 - RHEL 9 must require the change of at least eight characters when passwords are changed. Red Hat Enterprise Linux 9 - Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks. + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords will not resemble previously compromised ones. Note that passwords changed on compromised systems will still be compromised. 
@@ -26189,6 +26013,20 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO + + + RHEL-09-672582300 - RHEL 9 must enable FIPS mode. + + Red Hat Enterprise Linux 9 + + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This includes NIST FIPS-validated cryptography for the following: Provisioning digital signatures, generating cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223 + + + + + RHEL-09-671015 - RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords. @@ -26417,10 +26255,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -26439,10 +26273,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -26459,22 +26289,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - - - - - - - - - @@ -26497,10 +26311,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -26529,7 +26339,7 @@ Privileged functions include, for example, establishing accounts, performing sys - + @@ -26545,10 +26355,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -26685,12 +26491,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - 
@@ -27210,55 +27010,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -27307,10 +27058,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -27347,24 +27094,15 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - - - - - + + + @@ -27372,10 +27110,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -27460,16 +27194,12 @@ Privileged functions include, for example, establishing accounts, performing sys - - - + + + - + - - - - @@ -27499,10 +27229,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -27542,37 +27268,9 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -27662,21 +27360,9 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - - - - - @@ -27722,10 +27408,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -27741,6 +27423,10 @@ Privileged functions include, for example, establishing accounts, performing sys + + + + @@ -27873,6 +27559,13 @@ Privileged functions include, for example, establishing accounts, performing sys + + + + + + + @@ -27907,11 +27600,15 @@ Privileged functions include, for example, establishing accounts, performing sys + + + + - + @@ -27962,7 +27659,7 @@ Privileged functions include, for example, establishing accounts, performing sys - + @@ -28071,9 +27768,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - @@ -28161,6 +27855,9 @@ Privileged functions include, for example, establishing accounts, performing sys + + + 
@@ -28212,7 +27909,7 @@ Privileged functions include, for example, establishing accounts, performing sys - + @@ -28278,22 +27975,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - - - - - - - - - @@ -28397,10 +28078,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - @@ -28425,11 +28102,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - @@ -28454,6 +28126,26 @@ Privileged functions include, for example, establishing accounts, performing sys + + + + + + + + + + + + + + + + + + + + @@ -28482,9 +28174,9 @@ Privileged functions include, for example, establishing accounts, performing sys - + - + @@ -28733,6 +28425,10 @@ Privileged functions include, for example, establishing accounts, performing sys + + + + @@ -28820,23 +28516,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*crypt_style\s*=\s*(\S+)\s*$ 1 - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.default\.rp_filter\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.rp_filter\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:20461100 - oval:mil.disa.stig.ind:obj:20461101 - - /etc/login.defs ^\s*ENCRYPT_METHOD\s+([^#\r\n]*) @@ -28870,11 +28549,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^SELINUX=(.*)\s*$ 1 - - /etc/ssh/sshd_config - ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ - 1 - /etc/yum.repos.d \.repo$ 
@@ -28904,74 +28578,6 @@ Privileged functions include, for example, establishing accounts, performing sys oval:mil.disa.stig.ind:obj:23026602 - - - \.conf$ - (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*fs\.protected_symlinks\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026701 - oval:mil.disa.stig.ind:obj:23026702 - - - - - \.conf$ - (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*fs\.protected_hardlinks\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026801 - oval:mil.disa.stig.ind:obj:23026802 - - - - /etc/sysctl.conf - ^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.dmesg_restrict\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23026900 - oval:mil.disa.stig.ind:obj:23026901 - - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*kernel\.perf_event_paranoid\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23027001 - oval:mil.disa.stig.ind:obj:23027002 - - /etc/sudoers @@ -28985,23 +28591,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^(?!#).*\s+NOPASSWD.*$ 1 - - /etc/sysctl.conf - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.randomize_va_space\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23028000 - oval:mil.disa.stig.ind:obj:23028001 - - /etc/dnf/dnf.conf ^[ \t]*clean_requirements_on_remove[ \t]*=[ \t]*(?:True|1|yes)[ \t]*$ @@ -29072,9 +28661,9 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*[^#\s]+\s+/boot\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ 1 - + /etc/fstab - ^\s*/dev\S*\s+/\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + ^\s*/dev\S*\s+/\S+\s+(?!vfat\s+)\S+\s+(\S+)\s+\S+\s+\S+\s*$ 1 
@@ -29087,23 +28676,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*\[?[\.\w:-]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0 - - /etc/sysctl.conf - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*kernel\.core_pattern\s*=\s*(.+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23031100 - oval:mil.disa.stig.ind:obj:23031101 - - oval:mil.disa.stig.ind:obj:23031302 @@ -29487,16 +29059,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*FAIL_DELAY\s+(\d+)\s*$ 1 - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*showfailed\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - - - /etc/pam.d/postlogin - ^\s*session\s+.+\s+pam_lastlog\.so\s+(?:\w+\s+)*silent\b\s*(?:\w+\b\s*)*\s*(?:#.*)?$ - 1 - /etc/ssh/sshd_config ^\s*(?i)PrintLastLog(?-i)[ \t]+([\w\"]+)[\s]*(?:|(?:#.*))?$ 
@@ -30237,255 +29799,34 @@ Privileged functions include, for example, establishing accounts, performing sys /etc/fstab ^\s*[^#\s]+\s+/var/log/audit\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/fstab - ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ - 1 - - - /etc/firewalld/firewalld.conf - ^\s*FirewallBackend\s*=\s*(\w+)\s*(?:#.*)?$ - 1 - - - - /etc/ssh/sshd_config - ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* - 1 - - - - /etc/ssh/sshd_config.d - ^.+\.conf$ - ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* - 1 - - - - \.conf$ - ^\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net.ipv6.conf.default.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053500 - oval:mil.disa.stig.ind:obj:23053501 - - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053600 - oval:mil.disa.stig.ind:obj:23053601 - - - - - \.conf$ - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053700 - oval:mil.disa.stig.ind:obj:23053701 - - - - - oval:mil.disa.stig.ind:obj:23053802 - oval:mil.disa.stig.ind:obj:23053803 - - - - - \.conf$ - (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net.ipv6.conf.all.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23053902 - oval:mil.disa.stig.ind:obj:23053905 - - - - - \.conf$ - (?:^|.*\n)\s*net\.ipv6\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ - 1 - - - - 
^.*\.conf$ - ^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054000 - oval:mil.disa.stig.ind:obj:23054001 - - - - - \.conf$ - ^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054301 - oval:mil.disa.stig.ind:obj:23054302 - - - - - \.conf - (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv6\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054401 - oval:mil.disa.stig.ind:obj:23054402 - - - - - oval:mil.disa.stig.ind:obj:23054502 - oval:mil.disa.stig.ind:obj:23054503 - - - - /etc/sysctl.conf - ^\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.unprivileged_bpf_disabled\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - \.conf$ - (?:^|\.*\n)\s*kernel\.yama\.ptrace_scope\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:23054601 - oval:mil.disa.stig.ind:obj:23054602 - - - - - \.conf$ - ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*kernel\.kptr_restrict\s*=\s*(\d+)\s*$ - 1 + 1 - - - oval:mil.disa.stig.ind:obj:23054701 - oval:mil.disa.stig.ind:obj:23054702 - + + /etc/fstab + ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 - - - \.conf$ - ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ - 1 + + /etc/fstab + ^\s*[^#\s]+\s+/var/tmp\s+\S+\s+(\S+)\s+\S+\s+\S+\s*$ + 1 - - /etc/sysctl.conf - ^\s*user\.max_user_namespaces\s*=\s*(\d+)\s*$ + + /etc/firewalld/firewalld.conf + ^\s*FirewallBackend\s*=\s*(\w+)\s*(?:#.*)?$ 1 - - - oval:mil.disa.stig.ind:obj:23054801 - oval:mil.disa.stig.ind:obj:23054802 - - - - - oval:mil.disa.stig.ind:obj:23054901 - oval:mil.disa.stig.ind:obj:23054902 - - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ + 
+ + /etc/ssh/sshd_config + ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* 1 - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.rp_filter\s*=\s*(\d+)\s*$ + + + /etc/ssh/sshd_config.d + ^.+\.conf$ + ^\s*RekeyLimit\s+\d+[kmg]?\s+\d+[smdhw]?\s* 1 @@ -30621,23 +29962,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*-a\s+(always,exit|exit,always)(?:\s+-S\s+all)?\s+-F\s+path=/usr/bin/sudoedit\s+(-F\s+perm=([rwa]*x[rwa]*)\s+)?-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)\S+)?\s*$ 1 - - - oval:mil.disa.stig.ind:obj:23833302 - oval:mil.disa.stig.ind:obj:23833303 - - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv4\.tcp_syncookies\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - (?:^|.*\n)\s*net\.ipv4\.tcp_syncookies\s*=\s*(\d+)\s*$ - 1 - /etc/dconf/db/local.d .* 
@@ -30694,62 +30018,6 @@ Privileged functions include, for example, establishing accounts, performing sys (?i)^\s*space_left_action\s*=\s*(\w+)\s*(?:#.*)?$ 1 - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455001 - oval:mil.disa.stig.ind:obj:24455002 - - - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv4\.conf\.default\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455201 - oval:mil.disa.stig.ind:obj:24455202 - - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:24455402 - oval:mil.disa.stig.ind:obj:24455403 - - - - - \.conf$ - ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.core\.bpf_jit_harden\s*=\s*(\d+)\s*$ - 1 - /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ @@ -30760,6 +30028,11 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b64\s+(?:.*(-S\s+rmdir\s+|(\s+|,)rmdir(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ 1 + + /usr/lib/systemd/system/tftp.service + ^ExecStart[ \t]*=[ \t]*\/usr\/sbin\/in\.tftpd[ \t]*-s[ \t]+/\S+[ \t]*$ + 1 + /etc/shadow ^[^:]+::[^:]*:[^:]*: 
@@ -30771,11 +30044,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*password\s+(?:required|requisite)\s+(.*)$ 1 - - /etc/pam.d/system-auth - ^[ \t]*password[ \t]+(?:(?:required)|(?:requisite))[ \t]+pam_pwquality\.so(?:[ \t]+|(?:[ \t][^#\r\f\n]+[ \t]+))retry=([0-9]+)(?:\s|$) - 1 - /etc/audit/audit.rules ^\s*-a\s+(always,exit|exit,always)\s+-F\s+arch=b32\s+(?:.*(-S\s+rename\s+|(\s+|,)rename(\s+|,))).*-F\s+auid>=1000\s+-F\s+auid!=(4294967295|-1|unset)(\s+(-k\s+|-F\s+key=)[-\w]+)*\s*$ @@ -30916,23 +30184,11 @@ Privileged functions include, for example, establishing accounts, performing sys 1 - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|\.*\n)\s*net\.ipv6\.conf\.default\.accept_ra\s*=\s*(\d+)\s*$ + + /etc/systemd/logind.conf + ^\s*StopIdleSessionSec\s*=\s*(-?\d*)\s*(?:#.*)?$ 1 - - - oval:mil.disa.stig.ind:obj:25312001 - oval:mil.disa.stig.ind:obj:25312002 - - /etc redhat-release 
@@ -31015,120 +30271,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^\[main\]((?:\r?\n(?:[^[\r\n].*)?)*) 1 - - - oval:mil.disa.stig.ind:obj:24455301 - oval:mil.disa.stig.ind:obj:25795801 - - - - - \.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_redirects\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25795900 - oval:mil.disa.stig.ind:obj:25795901 - - - - - oval:mil.disa.stig.ind:obj:25796002 - oval:mil.disa.stig.ind:obj:25796003 - - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv4\.conf\.all\.log_martians\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - (?:^|.*\n)\s*net\.ipv4\.conf\.all\.log_martians\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - ^\s*net\.ipv4\.conf\.default\.log_martians\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv4\.conf\.default\.log_martians\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25796100 - oval:mil.disa.stig.ind:obj:25796101 - - - - /etc/sysctl.conf - ^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25796700 - oval:mil.disa.stig.ind:obj:25796701 - - - - - \.conf$ - (?:^|\.*\n)\s*net\.ipv4\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ - 1 - - - /etc/sysctl.conf - (?:^|.*\n)\s*net\.ipv4\.conf\.all\.forwarding\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25797001 - oval:mil.disa.stig.ind:obj:25797002 - - - - /etc/sysctl.conf - ^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ - 1 - - - - ^.*\.conf$ - ^\s*net\.ipv6\.conf\.all\.accept_ra\s*=\s*(\d+)\s*$ - 1 - - - - oval:mil.disa.stig.ind:obj:25797100 - oval:mil.disa.stig.ind:obj:25797101 - - /etc/ssh/sshd_config ^\s*(?i)banner(?-i)[ \t\"]+([\w\/]+)[\"\s]*(?:|(?:#.*))?$ 
@@ -31353,27 +30495,12 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*system-db\s*:\s*local\s*$ 1 - - /etc/dconf/db/local.d/locks - ^.*$ - ^\s*\/org\/gnome\/desktop\/media-handling\/autorun-never$ - 1 - .* ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ 1 - - - .* - ^\[org/gnome/desktop/session](?:\r?\n(?:[^[\r\n].*)?)* - 1 - - - oval:mil.disa.stig.defs:var:25802301 - /etc/dconf/profile/user ^system-db:(\S+)\s*$ @@ -31458,11 +30585,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^(?i)\s*umask\s+([^#\s]+) 1 - - /etc/systemd/logind.conf - ^\s*StopIdleSessionSec\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - /etc/sudoers @@ -31494,6 +30616,24 @@ Privileged functions include, for example, establishing accounts, performing sys ^\s*auth\s+(?:required|requisite)\s+pam_wheel\.so(?:\s|$) 1 + + + oval:mil.disa.stig.ind:obj:25809101 + oval:mil.disa.stig.ind:obj:25809102 + + + + /etc/security/pwquality.conf + ^\s*retry\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + + + + /etc/security/pwquality.conf.d + \.conf$ + ^\s*retry\s*=\s*(-?\d*)\s*(?:#.*)?$ + 1 + /etc/pam.d/password-auth ^\s*password\s+sufficient\s+pam_unix\.so\s+[^#\n]*\brounds=(\d+)\b 
@@ -31618,35 +30758,35 @@ Privileged functions include, for example, establishing accounts, performing sys /etc/rsyslog.conf - ^[ \t]*(?:(?:\w+,)*auth(?:,\w+)*\.\*|\S+;auth\.\*|auth\.\*;\S+|\S+;auth\.\*;\S+)[ \t]+(?:(?!action\()\S+|action\([^)]*file\s*=\s*["'][^"']+["'][^)]*\))\s*$ + ^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$ 1 /etc/rsyslog.conf - ^[ \t]*(?:(?:\w+,)*authpriv(?:,\w+)*\.\*|\S+;authpriv\.\*|authpriv\.\*;\S+|\S+;authpriv\.\*;\S+)[ \t]+(?:(?!action\()\S+|action\([^)]*file\s*=\s*["'][^"']+["'][^)]*\))\s*$ + ^[ \t]*(?:\S+;authpriv\.\*|authpriv\.\*;\S+|authpriv\.\*|\S+;authpriv\.\*;\S+)[ \t]+\S+\s*$ 1 /etc/rsyslog.conf - ^[ \t]*(?:(?:\w+,)*daemon(?:,\w+)*\.\*|\S+;daemon\.\*|daemon\.\*;\S+|\S+;daemon\.\*;\S+)[ \t]+(?:(?!action\()\S+|action\([^)]*file\s*=\s*["'][^"']+["'][^)]*\))\s*$ + ^[ \t]*(?:\S+;daemon\.\*|daemon\.\*;\S+|daemon\.\*|\S+;daemon\.\*;\S+)[ \t]+\S+\s*$ 1 /etc/rsyslog.d ^.*\.conf$ - ^[ \t]*(?:(?:\w+,)*auth(?:,\w+)*\.\*|\S+;auth\.\*|auth\.\*;\S+|\S+;auth\.\*;\S+)[ \t]+(?:(?!action\()\S+|action\([^)]*file\s*=\s*["'][^"']+["'][^)]*\))\s*$ + ^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$ 1 /etc/rsyslog.d ^.*\.conf$ - ^[ \t]*(?:(?:\w+,)*authpriv(?:,\w+)*\.\*|\S+;authpriv\.\*|authpriv\.\*;\S+|\S+;authpriv\.\*;\S+)[ \t]+(?:(?!action\()\S+|action\([^)]*file\s*=\s*["'][^"']+["'][^)]*\))\s*$ + ^[ \t]*(?:\S+;authpriv\.\*|authpriv\.\*;\S+|authpriv\.\*|\S+;authpriv\.\*;\S+)[ \t]+\S+\s*$ 1 /etc/rsyslog.d ^.*\.conf$ - ^[ \t]*(?:(?:\w+,)*daemon(?:,\w+)*\.\*|\S+;daemon\.\*|daemon\.\*;\S+|\S+;daemon\.\*;\S+)[ \t]+(?:(?!action\()\S+|action\([^)]*file\s*=\s*["'][^"']+["'][^)]*\))\s*$ + ^[ \t]*(?:\S+;daemon\.\*|daemon\.\*;\S+|daemon\.\*|\S+;daemon\.\*;\S+)[ \t]+\S+\s*$ 1 
@@ -31779,6 +30919,16 @@ Privileged functions include, for example, establishing accounts, performing sys ^[ \t]*-f[ \t]+2\s*$ 1 + + /proc/sys/crypto/fips_enabled + ^(\d+)$ + 1 + + + /etc/crypto-policies/config + ^FIPS$ + 1 + /etc/ipsec.conf ^\s*include\s+(.*)\s*$ @@ -31816,6 +30966,23 @@ Privileged functions include, for example, establishing accounts, performing sys (.*\S.*)\s*$ 1 + + /etc/ssh/sshd_config + ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config.d + .+ + ^\s*(?i)ClientAliveCountMax(?-i)\s+"?(\d+)"?\s*(?:|(?:#.*))?$ + 1 + + + + oval:mil.disa.stig.ind:obj:27170900 + oval:mil.disa.stig.ind:obj:27170901 + + oval:mil.disa.stig.ind:obj:27172001 @@ -31892,8 +31059,9 @@ Privileged functions include, for example, establishing accounts, performing sys /boot - + ^/\S+$ + oval:mil.disa.stig.linux:ste:23030103 oval:mil.disa.stig.linux:ste:23030102 @@ -32195,35 +31363,23 @@ Privileged functions include, for example, establishing accounts, performing sys oval:mil.disa.stig.unix:ste:23025800 - - + + - \.so(\.\d+)*$ + \.so(\S+)*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:20000005 - + - \.so(\.\d+)*$ + (\.so\S*)$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:20000006 kernel.kexec_load_disabled - - fs.protected_symlinks - - - fs.protected_hardlinks - - - kernel.dmesg_restrict - - - kernel.perf_event_paranoid - kernel.randomize_va_space @@ -32334,9 +31490,6 @@ Privileged functions include, for example, establishing accounts, performing sys net.ipv6.conf.all.accept_source_route - - net.ipv6.conf.default.accept_source_route - net.ipv6.conf.all.forwarding @@ -32383,6 +31536,21 @@ Privileged functions include, for example, establishing accounts, performing sys net.core.bpf_jit_harden + + fs.protected_symlinks + + + fs.protected_hardlinks + + + kernel.dmesg_restrict + + + kernel.perf_event_paranoid + + + net.ipv6.conf.default.accept_source_route + 
@@ -32515,12 +31683,6 @@ Privileged functions include, for example, establishing accounts, performing sys /etc/ssh/sshd_config.d .* - - - /etc/dconf/db - - oval:mil.disa.stig.unix:ste:25802300 - .* oval:mil.disa.stig.unix:ste:25804500 @@ -32574,38 +31736,38 @@ Privileged functions include, for example, establishing accounts, performing sys /etc/crypto-policies/back-ends/openssl.config - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048700 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048701 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048702 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048703 - + - \.so + \.so\S*$ oval:mil.disa.stig.unix:ste:20000015 oval:mil.disa.stig.unix:ste:26048704 @@ -32632,18 +31794,6 @@ Privileged functions include, for example, establishing accounts, performing sys 1 - - 2 - - - 4 - - - 5 - - - 6 - 7 @@ -32725,9 +31875,6 @@ Privileged functions include, for example, establishing accounts, performing sys \n\s*gpgcheck\s*=\s*(False|0|no)\s*(\n|$) - - 1 - (^|\s)vsyscall=none(\s|$) @@ -32746,9 +31893,6 @@ Privileged functions include, for example, establishing accounts, performing sys (^|,)nosuid(,|$) - - |/bin/false - 0 @@ -32902,9 +32046,6 @@ Privileged functions include, for example, establishing accounts, performing sys ^(?i)\s*RekeyLimit\s+[1-9][0-9]*[kmg]?\s+([1-9][0-9]*[smhdw]?)+\s*$ - - 1 - ^VERBOSE$|^"VERBOSE"$ @@ -32923,6 +32064,9 @@ Privileged functions include, for example, establishing accounts, performing sys ^(delayed|"delayed")$ + + 600 + ^\S+$ @@ -32977,15 +32121,6 @@ Privileged functions include, for example, establishing accounts, performing sys 0 - - \nidle-delay=uint32 \d+\s*(\n|$) - - - 0 - - - 900 - \ndisable-restart-buttons=(true|'true')\s*(\n|$) 
@@ -32998,9 +32133,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - 900 - 100000 @@ -33100,6 +32232,9 @@ Privileged functions include, for example, establishing accounts, performing sys ^/dev\S*$ + + vfat + nosuid @@ -33228,9 +32363,6 @@ Privileged functions include, for example, establishing accounts, performing sys 1000 - - 1 - |/bin/false @@ -33264,9 +32396,6 @@ Privileged functions include, for example, establishing accounts, performing sys 0 - - 1 - (^|\s)PROMISC(\s|$) @@ -33285,9 +32414,6 @@ Privileged functions include, for example, establishing accounts, performing sys 65534 - - ^/etc/dconf/db/.*\.d$ - 1000 @@ -33572,14 +32698,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - - - - - - - /etc/dconf/db/ @@ -33614,19 +32732,16 @@ Privileged functions include, for example, establishing accounts, performing sys - - ^\s*\$ModLoad\s+imtcp - ^\s*\$ModLoad\s+imudp - ^\s*\$ModLoad\s+imrelp - ^\s*\$InputTCPServerRun - ^\s*\$UDPServerRun - ^\s*\$InputRELPServerRun - ^\s*module\s*\(.*\bload\s*=\s*"imtcp".*\) - ^\s*module\s*\(.*\bload\s*=\s*"imudp".*\) - ^\s*module\s*\(.*\bload\s*=\s*"imrelp".*\) - ^\s*input\s*\(.*\btype\s*=\s*"imtcp".*\) - ^\s*input\s*\(.*\btype\s*=\s*"imudp".*\) - ^\s*input\s*\(.*\btype\s*=\s*"imrelp".*\) + + ^[^#]*InputTCPServerRun + ^[^#]*UDPServerRun + ^[^#]*RELPServerRun + ^[^#]*module\s*\(.*\bload\s*=\s*"imtcp".*\) + ^[^#]*module\s*\(.*\bload\s*=\s*"imudp".*\) + ^[^#]*module\s*\(.*\bload\s*=\s*"imrelp".*\) + ^[^#]*input\s*\(.*\btype\b\s*=\s*"imtcp"\s*\bport\b\s*=\s*"514".*\) + ^[^#]*input\s*\(.*\btype\b\s*=\s*"imudp"\s*\bport\b\s*=\s*"514".*\) + ^[^#]*input\s*\(.*\btype\b\s*=\s*"imrelp"\s*\bport\b\s*=\s*"514".*\) @@ -33634,13 +32749,6 @@ Privileged functions include, for example, establishing accounts, performing sys - - /etc/sysctl.d - /run/sysctl.d - /lib/sysctl.d - /usr/lib/sysctl.d - /usr/local/lib/sysctl.d - 
@@ -33671,15 +32779,15 @@ Privileged functions include, for example, establishing accounts, performing sys - + - Security Content Tool 1.6.0 + Security Content Tool 1.7.0 5.11 - 2025-09-27T11:04:04 + 2026-01-05T02:28:56 - + RHEL 9 is installed @@ -33690,6 +32798,8 @@ Privileged functions include, for example, establishing accounts, performing sys + + @@ -33698,8 +32808,20 @@ Privileged functions include, for example, establishing accounts, performing sys + + + + + + + + toss-release + + + oraclelinux-release + redhat-release diff --git a/shared/references/disa-stig-sle12-v3r3-xccdf-manual.xml b/shared/references/disa-stig-sle12-v3r4-xccdf-manual.xml similarity index 89% rename from shared/references/disa-stig-sle12-v3r3-xccdf-manual.xml rename to shared/references/disa-stig-sle12-v3r4-xccdf-manual.xml index 545d79c1b059..32bf6eb5f24a 100644 --- a/shared/references/disa-stig-sle12-v3r3-xccdf-manual.xml +++ b/shared/references/disa-stig-sle12-v3r4-xccdf-manual.xml 
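Review bot: The rewritten rsyslog patterns in @@ -31618,35 +30758,35 @@ drop two forms the old patterns accepted: comma-joined facility lists (`(?:\w+,)*auth(?:,\w+)*\.\*`) and RainerScript actions (`action([^)]*file=...)`). With `^[ \t]*(?:\S+;auth\.\*|auth\.\*;\S+|auth\.\*|\S+;auth\.\*;\S+)[ \t]+\S+\s*$`, a line such as `auth,authpriv.* /var/log/secure` or `authpriv.* action(type="omfile" file="/var/log/secure")` no longer matches, so a host that does log those facilities is reported as failing. The same applies to the authpriv and daemon patterns and to their rsyslog.d copies. If the narrower patterns are copied verbatim from the upstream benchmark, say so in the commit message; otherwise keep the previous alternation.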
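Review bot: In @@ -33614,19 +32732,16 @@ the new listener patterns require `port="514"` directly after the type (`^[^#]*input\s*\(.*\btype\b\s*=\s*"imtcp"\s*\bport\b\s*=\s*"514".*\)`), so `input(type="imtcp" port="10514")` or `input(port="514" type="imtcp")` is not matched, and the legacy `$ModLoad imtcp` form is dropped while its `module(load="imtcp")` equivalent is kept. The `^[^#]*` prefix that skips commented-out directives is a good change; keep it, but if this state is meant to flag any remote-log listener rather than only the default port, loosen the input clause back to `.*\btype\s*=\s*"imtcp".*\)` for all three modules.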
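Review bot: `\.so(\S+)*$` in @@ -32195,35 +31363,23 @@ nests a `+` group under `*`; on a candidate path with whitespace after `.so` the engine retries every split of the non-space run before failing, the classic exponential-backtracking shape. `\.so\S*$`, which @@ -32574,38 +31736,38 @@ uses for the same purpose, matches exactly the same strings without the nested quantifier; use that form (or the `(\.so\S*)$` variant in the same hunk) in both places.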
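Review bot: This patch deletes the file-based objects for a long list of sysctls (fs.protected_symlinks, fs.protected_hardlinks, kernel.dmesg_restrict, kernel.perf_event_paranoid, kernel.randomize_va_space, kernel.core_pattern, kernel.unprivileged_bpf_disabled, kernel.yama.ptrace_scope, kernel.kptr_restrict, user.max_user_namespaces and the net.ipv4/net.ipv6 redirect, source-route, forwarding, rp_filter, log_martians, tcp_syncookies and accept_ra keys) across @@ -28904,74 +28578,6 @@ through @@ -31015,120 +30271,6 @@, and in @@ -33634,13 +32749,6 @@ removes the sysctl.d directory list (/etc/sysctl.d, /run/sysctl.d, /lib/sysctl.d, /usr/lib/sysctl.d, /usr/local/lib/sysctl.d); the key names survive only as state values, several of them re-added in @@ -32383,6 +31536,21 @@. Confirm each affected definition still tests the persistent configuration and not only the running kernel value: a runtime-only sysctl test passes on a host where the value was set by hand and reverts at the next boot.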
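Review bot: The rule added in @@ -26189,6 +26013,20 @@ is titled RHEL-09-672582300, a nine-digit suffix where every neighbouring rule (RHEL-09-671015 in the same hunk) uses six. Verify against the published benchmark that this is the ID DISA shipped and not a transcription error, because the controls/ mapping for the rhel9 product keys on these IDs and a mismatch leaves the FIPS requirement unmapped.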
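Review bot: Of the two FIPS objects added in @@ -31779,6 +30919,16 @@, `^FIPS$` against /etc/crypto-policies/config is anchored on both ends, so a policy written with a subpolicy suffix (`FIPS:` followed by a subpolicy name) does not match even though FIPS is in force. Depending on how the definition combines the two objects, the /proc/sys/crypto/fips_enabled `^(\d+)$` object is the one that reflects kernel FIPS mode; if the config-file object is ANDed in, consider `^FIPS(:\S+)?$`.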
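Review bot: @@ -33698,8 +32808,20 @@ adds toss-release and oraclelinux-release objects under the "RHEL 9 is installed" platform definition, which makes the whole benchmark evaluate as applicable on TOSS and Oracle Linux hosts. If this mirrors the upstream benchmark it is fine to carry, but note it in the PR description, since the applicability of the imported STIG now differs from the previous revision.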
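Review bot: The `(?!vfat\s+)` lookahead added to the /etc/fstab object in @@ -29072,9 +28661,9 @@ (paired with the new `vfat` state in @@ -33100,6 +32232,9 @@) exempts every vfat entry from the mount-option states that use this object, not only the EFI system partition. That is harmless for nosuid, since vfat has no setuid bits to honour, but if any paired state tests an option that is meaningful on vfat (noexec, for instance) those mounts are now unchecked; scoping the exemption to the /boot/efi mountpoint would be narrower.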
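Review bot: The RHEL-09-611010 check now reads `retry` from /etc/security/pwquality.conf and pwquality.conf.d/*.conf (@@ -31494,6 +30616,24 @@) and drops the /etc/pam.d/system-auth object (@@ -30771,11 +30044,6 @@), so a `retry=` argument on the pam_pwquality.so line, which the old object captured, is no longer inspected at all. Two smaller points: the discussion text edited in @@ -24278,12 +24102,12 @@ still says the value is set in both /etc/pam.d/password-auth and /etc/security/pwquality.conf, yet no password-auth object is touched; and `^\s*retry\s*=\s*(-?\d*)\s*(?:#.*)?$` captures an empty string for `retry =` and accepts a leading minus, so `(\d+)` would fail more cleanly on malformed values.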
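Review bot: RHEL-09-271035, RHEL-09-271065 and RHEL-09-412075 are deleted outright in @@ -23510,20 +23374,6 @@, @@ -23586,20 +23436,6 @@ and @@ -24060,19 +23896,7 @@ with no replacement IDs. Any controls/ or profile entry for the rhel9 product that still references them now points at a rule the benchmark no longer contains; update the STIG control mapping in this PR or link the follow-up.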
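Review bot: The new ClientAliveCountMax object for /etc/ssh/sshd_config.d in @@ -31816,6 +30966,23 @@ matches any filename (`.+`), whereas the RekeyLimit object for the same directory in @@ -30237,255 +29799,34 @@ uses `^.+\.conf$`. A backup or editor swap file in that directory can then satisfy or fail the check even though sshd's Include glob does not read it; use `^.+\.conf$` here too.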
@@ -1,4 +1,11 @@ -acceptedSUSE Linux Enterprise Server 12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 02 Jul 20253.51.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. 
+ +Release Released General Support Long Term Support +15.1 24 Jun 2019 31 Jan 2021 31 Jan 2024 +15.2 21 Jul 2020 31 Dec 2021 31 Dec 2024 +15.3 22 Jun 2021 31 Dec 2022 31 Dec 2025 +15.4 21 Jun 2022 31 Dec 2023 31 Dec 2026 +15.5 20 Jun 2023 31 Dec 2024 31 Dec 2027 +15.6 26 Jun 2024 31 Dec 2025 31 Dec 2028 +15.7 17 Jun 2025 31 Jul 2031 31 Jul 2034</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.Verify the SUSE operating system is a vendor-supported release. 
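Review bot: the renamed file is the SLE 12 reference (disa-stig-sle12-v3r4-xccdf-manual.xml) and the removed header line still carries the "SUSE Linux Enterprise Server 12 Security Technical Implementation Guide" title, yet every identifier visible in this hunk is SLE 15: rule SLES-15-010000, "DPMS Target SUSE Linux Enterprise Server 15", and the added support table covers 15.1 through 15.7. Either the wrong benchmark was dropped into the sle12 path or the previous file was already mislabeled; compare the benchmark id and title of the actual DISA download against the file name before merging. Only the old "Release: 3 Benchmark Date: 02 Jul 2025" header is visible as removed, so also confirm the replacement Release: 4 header line is present in the full hunk. The support table is space-aligned plain text inside VulnDiscussion; that is fine in the reference XML, but any rule description that copies it verbatim will render it as one run-on line.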
@@ -539,7 +548,7 @@ Check that the telnet-server package is not installed on the SUSE operating syst > zypper info telnet-server | grep Installed -If the telnet-server package is installed, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-15-010190SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. +If the telnet-server package is installed, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-15-010190SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. 
Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000213Note: If the system does not use a BIOS this requirement is Not Applicable. 
@@ -570,7 +579,7 @@ Check that the encrypted password is set for root with the following command: password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString -If the root password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-15-010200SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000213Note: If the system does not use UEFI, this requirement is Not Applicable. 
+If the root password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-15-010200SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000213Note: If the system does not use UEFI, this requirement is Not Applicable. Configure the SUSE operating system to encrypt the boot password. 
@@ -657,16 +666,14 @@ Check that the SUSE operating system contains no duplicate UIDs for interactive > awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd -If output is produced, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-15-010240The SUSE operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. +If output is produced, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-15-010240The SUSE operating system must disable the file system automounter.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. -Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000778CCI-001958Configure the SUSE operating system to disable the ability to automount devices. 
+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000778CCI-001958Configure the SUSE operating system to disable the ability to automount devices. -Turn off the automount service with the following command: +Turn off the automount service with the following commands: > systemctl stop autofs -> systemctl disable autofs - -If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.Verify the SUSE operating system disables the ability to automount devices. +> systemctl disable autofsVerify the SUSE operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: 
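Review bot: this is a requirement change, not an editorial one: the title drops "unless required" and the fix text deletes the sentence that allowed autofs for NFS when documented with the ISSO. Any project rule description, rationale, or control note that still repeats the documented-exception carve-out for this stigid should be updated in the same PR, otherwise the generated guide will describe a waiver the reference STIG no longer grants. The remediation itself is unchanged (`systemctl stop autofs` then `systemctl disable autofs`), which leaves the unit startable by a dependency or by hand; if the project's own Bash/Ansible remediation masks the unit, that is stricter than the STIG text and worth keeping, since the check only looks at the active state.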
@@ -675,7 +682,7 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>SLES-15-010260The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. +If the "autofs" status is set to "active" this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>SLES-15-010260The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. 
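Review bot: the check text now makes an active autofs service an unconditional finding, so any waiver handling for this stigid in the project's check or profile notes can go. The new line also lost a comma ("set to "active" this is a finding"); that is DISA's typo and should stay untouched in the reference file rather than being hand-corrected.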
@@ -729,7 +736,7 @@ Check that the "ClientAliveInterval" parameter is set to a value of "600" with t ClientAliveInterval 600 -If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-15-010300The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-15-010300The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. 
This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -1288,13 +1295,13 @@ Check for the presence of the packages required to support multifactor authentic > zypper info coolkey | grep -i installed -If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010470The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. +If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-15-010470The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a common access card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. Multifactor solutions that require devices separate from information systems to gain access include hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. -Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). @@ -1304,7 +1311,7 @@ Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to incl Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted. -Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.Verify the SUSE operating system implements certificate status checking for multifactor authentication. +Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.Verify the SUSE operating system implements certificate status checking for multifactor authentication. Check that certificate status checking for multifactor authentication is implemented with the following command: 
@@ -1312,7 +1319,7 @@ Check that certificate status checking for multifactor authentication is impleme cert_policy = ca,ocsp_on,signature,crl_auto; -If "cert_policy" is not set to include "ocsp", this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>SLES-15-010480The SUSE operating system must disable the USB mass storage kernel module.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. +If "cert_policy" is not set to include "ocsp_on", this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>SLES-15-010480The SUSE operating system must disable the USB mass storage kernel module.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001958Configure the SUSE operating system to prevent USB mass storage devices from automounting when connected to the host. 
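Review bot: the finding criterion moved from "include ocsp" to "include ocsp_on", and the difference is material: a substring match on "ocsp" is also satisfied by a policy containing `ocsp_off`, so the old wording could pass a system with OCSP status checking explicitly turned off. Verify that the project's OVAL for this stigid matches the `ocsp_on` token as a comma-separated list element rather than as a substring of the whole `cert_policy` line, and that the expected output shown in the check, `cert_policy = ca,ocsp_on,signature,crl_auto;`, still agrees with what the rule's remediation writes.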
@@ -1624,19 +1631,7 @@ Check to see if the root account password or account expires with the following Password expires:never -If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020080The SUSE operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". - -Add the following line to the top of "/etc/pam.d/login": - -session required pam_lastlog.so showfailedVerify the SUSE operating system users are provided with feedback on when account accesses last occurred. - -Check that "pam_lastlog" is used and not silent with the following command: - -> grep pam_lastlog /etc/pam.d/login - -session required pam_lastlog.so showfailed - -If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020090The SUSE operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. 
Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. +If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-020090The SUSE operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. 
Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. 
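Review bot: SLES-15-020080 (the `session required pam_lastlog.so showfailed` requirement for /etc/pam.d/login) is deleted from the benchmark outright; the item following SLES-15-020070's check text is now SLES-15-020090. The project rule that carries this stigid reference, and any control entry for it, should have the mapping removed or marked, otherwise the STIG profile's coverage report will point at a requirement the benchmark no longer contains. Nothing in this hunk adds a replacement requirement, so treat it as a pure removal unless a hunk not shown here introduces one.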
@@ -3663,11 +3658,9 @@ ctrl-alt-del.target Loaded: masked (/dev/null; maksed) Active: inactive (dead) -If the ctrl-alt-del.target is not masked, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040061The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the -graphical user interface. +If the ctrl-alt-del.target is not masked, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040061The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface. -Create a database to contain the system-wide setting (if it does not -already exist) with the following steps: +Create a database to contain the systemwide setting (if it does not already exist) with the following steps: 1. Create a user profile and with the listed content: 
@@ -3684,33 +3677,30 @@ system-db:local /etc/dconf/db/local.d/01-fips-settings [org/gnome/settings-daemon/plugins/media-keys] -logout=[''] +logout='' /etc/dconf/db/local.d/locks/01-fips-locks /org/gnome/settings-daemon/plugins/media-keys/logout 4. Update the dconf database: -> sudo dconf updateNote: If a graphical user interface is not installed, this requirement is Not Applicable. +> sudo dconf updateNote: If a graphical user interface is not installed, this requirement is Not Applicable. -Verify the SUSE operating system is not configured to reboot the system -when Ctrl-Alt-Delete is pressed in the graphical user interface. +Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed in the graphical user interface. -Check that the dconf setting was disabled to allow the Ctrl-Alt-Delete -sequence in the graphical user interface with the following command: +Check that the dconf setting was disabled to allow the Ctrl-Alt-Delete sequence in the graphical user interface with the following command: Check the default logout key sequence: > sudo gsettings get org.gnome.settings-daemon.plugins.media-keys logout -[''] +'' Check that the value is not writable and cannot be changed by the user: > sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout false -If the logout value is not [''] and the writable status is not false, this -is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040062The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: +If the logout value is not [''] and the writable status is not false, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-040062The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-000366Configure the system to disable the CtrlAltDelBurstAction by adding it to a drop file in a "/etc/systemd/system.conf.d/" configuration file: If no drop file exists, create one with the following command: 
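Review bot: the hunk changes the expected value of the GNOME media-keys logout setting from `['']` to `''` in both the dconf keyfile and the `gsettings get` output, but the finding criterion on the last changed line still reads "If the logout value is not ['']", so the check now contradicts its own expected output. Whether `org.gnome.settings-daemon.plugins.media-keys logout` is a string or an array of strings depends on the schema shipped with the target desktop, and `gsettings set` rejects a value of the wrong type, so confirm the type on the product's GNOME before aligning the project's rule to the new text. The criterion also says "not [''] and the writable status is not false", which would require both conditions to fail before a finding; as DISA's wording it stays in the reference, but the project's own check should fail on either condition.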
@@ -4364,7 +4354,7 @@ Restart the "sshd" service for changes to take effect: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 -If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-15-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001090Configure the operating system to restrict access to the kernel message buffer. +If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-15-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. 
This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001090Configure the operating system to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: diff --git a/shared/references/disa-stig-slmicro5-v1r2-xccdf-manual.xml b/shared/references/disa-stig-slmicro5-v1r3-xccdf-manual.xml similarity index 87% rename from shared/references/disa-stig-slmicro5-v1r2-xccdf-manual.xml rename to shared/references/disa-stig-slmicro5-v1r3-xccdf-manual.xml index 5d041d34d222..d53d2389953f 100644 --- a/shared/references/disa-stig-slmicro5-v1r2-xccdf-manual.xml +++ b/shared/references/disa-stig-slmicro5-v1r3-xccdf-manual.xml 
@@ -1,10 +1,21 @@ -acceptedSUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 02 Jul 20253.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLEM-05-211010SLEM 5 must be a vendor-supported release.<VulnDiscussion>A SLEM 5 release is considered supported if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Micro (SLEM) 5DISADPMS TargetSUSE Linux Enterprise Micro (SLEM) 55596CCI-000366Upgrade SLEM 5 to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. +acceptedSUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 05 Jan 20263.5.21.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>
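Review bot: the rename to v1r3 and the header bump (Release: 3, Benchmark Date 05 Jan 2026) need the matching version string wherever the project records it for this STIG (the controls file for slmicro5 and any STIG version or URL in the product or profile definition), otherwise the built guide will still advertise V1R2 while carrying V1R3 text. The profile list order also changed between the removed and added header lines; make sure the full set of nine profiles survives in the new header, since the added line shown here ends part way through the list.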