Merge pull request #33 from redhatrises/add_SmartCard_oval

Add OVAL for Smart Card checks
ComplianceAsCode · Feb 13, 2015 · 8088871 · 8088871
2 parents 0bf9c5e + caf0828
commit 8088871
Show file tree

Hide file tree

Showing 7 changed files with 201 additions and 0 deletions.
diff --git a/RHEL/6/input/checks/package_esc_installed.xml b/RHEL/6/input/checks/package_esc_installed.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="package_esc_installed"
+  version="1">
+    <metadata>
+      <title>Package esc Installed</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>The RPM package esc should be installed.</description>
+      <reference source="galford" ref_id="20140815" ref_url="test_attestation"/>
+    </metadata>
+    <criteria>
+      <criterion comment="package esc is installed"
+      test_ref="test_package_esc_installed" />
+    </criteria>
+  </definition>
+  <linux:rpminfo_test check="all" check_existence="all_exist"
+  id="test_package_esc_installed" version="1"
+  comment="package esc is installed">
+    <linux:object object_ref="obj_package_esc_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_package_esc_installed" version="1">
+    <linux:name>esc</linux:name>
+  </linux:rpminfo_object>
+</def-group>
diff --git a/RHEL/6/input/checks/package_pcsc-lite_installed.xml b/RHEL/6/input/checks/package_pcsc-lite_installed.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="package_pcsc-lite_installed"
+  version="1">
+    <metadata>
+      <title>Package pcsc-lite Installed</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>The RPM package pcsc-lite should be installed.</description>
+      <reference source="galford" ref_id="20140815" ref_url="test_attestation"/>
+    </metadata>
+    <criteria>
+      <criterion comment="package pcsc-lite is installed"
+      test_ref="test_package_pcsc-lite_installed" />
+    </criteria>
+  </definition>
+  <linux:rpminfo_test check="all" check_existence="all_exist"
+  id="test_package_pcsc-lite_installed" version="1"
+  comment="package pcsc-lite is installed">
+    <linux:object object_ref="obj_package_pcsc-lite_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_package_pcsc-lite_installed" version="1">
+    <linux:name>pcsc-lite</linux:name>
+  </linux:rpminfo_object>
+</def-group>
diff --git a/RHEL/6/input/checks/service_pcscd_enabled.xml b/RHEL/6/input/checks/service_pcscd_enabled.xml
@@ -0,0 +1,98 @@
+<def-group>
+  <definition class="compliance" id="service_pcscd_enabled" version="1">
+    <metadata>
+      <title>Service pcscd Enabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>The pcscd service should be enabled if possible.</description>
+      <reference source="galford" ref_id="20140815" ref_url="test_attestation" />
+    </metadata>
+    <criteria comment="package pcsc-lite installed and service pcscd is configured to start" operator="AND">
+    <extend_definition comment="pcsc-lite installed" definition_ref="package_pcsc-lite_installed" />
+    <criteria operator="OR" comment="service pcscd is configured to start">
+      <criterion comment="pcscd runlevel 0" test_ref="test_runlevel0_pcscd" />
+      <criterion comment="pcscd runlevel 1" test_ref="test_runlevel1_pcscd" />
+      <criterion comment="pcscd runlevel 2" test_ref="test_runlevel2_pcscd" />
+      <criterion comment="pcscd runlevel 3" test_ref="test_runlevel3_pcscd" />
+      <criterion comment="pcscd runlevel 4" test_ref="test_runlevel4_pcscd" />
+      <criterion comment="pcscd runlevel 5" test_ref="test_runlevel5_pcscd" />
+      <criterion comment="pcscd runlevel 6" test_ref="test_runlevel6_pcscd" />
+    </criteria>
+    </criteria>
+  </definition>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel0_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel0_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel1_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel1_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel2_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel2_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel3_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel3_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel4_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel4_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel5_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel5_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_test check="all" check_existence="any_exist"
+  comment="Runlevel test" id="test_runlevel6_pcscd"
+  version="2">
+    <unix:object object_ref="obj_runlevel6_pcscd" />
+    <unix:state state_ref="state_service_pcscd_on" />
+  </unix:runlevel_test>
+  <unix:runlevel_object id="obj_runlevel0_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">0</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_object id="obj_runlevel1_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">1</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_object id="obj_runlevel2_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">2</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_object id="obj_runlevel3_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">3</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_object id="obj_runlevel4_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">4</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_object id="obj_runlevel5_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">5</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_object id="obj_runlevel6_pcscd" version="1">
+    <unix:service_name>pcscd</unix:service_name>
+    <unix:runlevel operation="equals">6</unix:runlevel>
+  </unix:runlevel_object>
+  <unix:runlevel_state comment="configured to start" id="state_service_pcscd_on" version="1">
+    <unix:start datatype="boolean">true</unix:start>
+    <unix:kill datatype="boolean">false</unix:kill>
+  </unix:runlevel_state>
+</def-group>
diff --git a/RHEL/6/input/checks/smartcard_auth.xml b/RHEL/6/input/checks/smartcard_auth.xml
@@ -0,0 +1,50 @@
+<def-group>
+  <definition class="compliance" id="smartcard_auth" version="1">
+    <metadata>
+      <title>Enable Smart Card Login</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>Enable Smart Card logins</description>
+      <reference source="galford" ref_id="20140815" ref_url="test_attestation" />
+    </metadata>
+    <criteria operator="AND" comment="Smart Card is required to login">
+      <extend_definition comment="pcscd service is enabled" definition_ref="service_pcscd_enabled" />
+      <extend_definition comment="esc package is installed" definition_ref="package_esc_installed" />
+      <criterion comment="use smart card login for specific services" test_ref="test_smartcard_services_system-auth" />
+      <criterion comment="require smart card login" test_ref="test_require_smartcard_system-auth" />
+      <criterion comment="enable OCSP" test_ref="test_require_ocsp_configured" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check for specific services for smart card login in /etc/pam.d/system-auth" id="test_smartcard_services_system-auth" version="1">
+    <ind:object object_ref="object_smartcard_services_system-auth" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="require smart card login in /etc/pam.d/system-auth" id="test_require_smartcard_system-auth" version="1">
+    <ind:object object_ref="object_require_smartcard_system-auth" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="require OCSP is enabled" id="test_require_ocsp_configured" version="1">
+    <ind:object object_ref="object_require_ocsp_configured" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_smartcard_services_system-auth" version="1">
+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required)|(?:\[success=1\s*default=ignore\]))\s+pam_succeed_if\.so\s*service\s*notin\s*login.*quiet\s*use_uid$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_require_smartcard_system-auth" version="1">
+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:\[success=done\s*ignore=ignore\s*default=die\]))\s+pam_pkcs11\.so\s*wait_for_card\s*card_only$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_require_ocsp_configured" version="1">
+    <ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*cert_policy( )=( )ca,( )ocsp_on,( )signature;$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv
@@ -1,6 +1,7 @@
 aide
 audit
 cronie
+esc
 GConf2
 gdm
 iptables

diff --git a/RHEL/6/input/checks/templates/services_enabled.csv b/RHEL/6/input/checks/templates/services_enabled.csv
@@ -4,6 +4,7 @@ ip6tables,iptables-ipv6
 iptables,iptables
 irqbalance,irqbalance
 ntpd,ntp
+pcscd,pcsc-lite
 postfix,postfix
 psacct,psacct
 restorecond,policycoreutils

diff --git a/RHEL/6/input/system/accounts/physical.xml b/RHEL/6/input/system/accounts/physical.xml
@@ -429,6 +429,7 @@ that provided by a username and password combination. Smart cards leverage PKI
 </rationale>
 <ident cce="27440-7"/>
 <ref disa="765,766,767,768,771,772,884" />
+<oval id="smartcard_auth" />
 </Rule>
 
 </Group>