Merge pull request #10149 from vojtapolasek/idle_session_timeout_main

Change applicability of rules configuring idle session timeouts (going to master branch)

controls/anssi.yml

@@ -676,6 +676,8 @@ controls:
     - var_accounts_tmout=10_min
     - sshd_set_idle_timeout
     - sshd_idle_timeout_value=10_minutes
+    - logind_session_timeout
+    - var_logind_session_timeout=10_minutes
     - sshd_set_keepalive
 
   - id: R30

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -24,6 +24,11 @@ rationale: |-
 
 severity: medium
 
+{{% if "rhel" in product %}}
+platforms:
+    - rhel_less_equal_8_5
+{{% endif %}}
+
 identifiers:
     cce@rhcos4: CCE-82549-7
     cce@rhel7: CCE-27433-2

linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml

@@ -18,14 +18,30 @@ rationale: |-
 
 severity: medium
 
+platforms:
+    - rhel_greater_equal_8_7 and not rhel_equals_9_0
+
 identifiers:
     cce@rhel8: CCE-90784-0
     cce@rhel9: CCE-90785-7
 
 references:
+    anssi: BP28(R29)
+    cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+    cjis: 5.5.6
+    cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+    cui: 3.1.11
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
+    iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
+    nist: CM-6(a),AC-17(a),AC-2(5),AC-12,AC-17(a),SC-10,CM-6(a)
+    nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2
     ospp: FMT_SMF_EXT.1.1
+    pcidss: Req-8.1.8
+    vmmsrg: SRG-OS-000480-VMM-002000
 
-ocil_clause: "The option is not configured"
+ocil_clause: "the option is not configured"
 
 ocil: |-
     Display the contents of the file <tt>/etc/systemd/logind.conf</tt>:

products/rhel8/profiles/cjis.profile

@@ -104,6 +104,7 @@ selections:
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
     - var_sshd_set_keepalive=0
+    - logind_session_timeout
     - sshd_set_keepalive_0
     - disable_host_auth
     - sshd_disable_root_login
@@ -119,6 +120,7 @@ selections:
     - set_firewalld_default_zone
     - firewalld_sshd_port_enabled
     - sshd_idle_timeout_value=30_minutes
+    - var_logind_session_timeout=30_minutes
     - inactivity_timeout_value=30_minutes
     - sysctl_net_ipv4_conf_default_accept_source_route
     - sysctl_net_ipv4_tcp_syncookies

products/rhel8/profiles/ospp.profile

@@ -300,6 +300,8 @@ selections:
     ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
     - sshd_idle_timeout_value=14_minutes
     - sshd_set_idle_timeout
+    - logind_session_timeout
+    - var_logind_session_timeout=14_minutes
 
     ## Disable Unauthenticated Login (such as Guest Accounts)
     ## FIA_UAU.1

products/rhel8/profiles/pci-dss.profile

@@ -17,6 +17,7 @@ selections:
     - var_accounts_passwords_pam_faillock_deny=6
     - var_accounts_passwords_pam_faillock_unlock_time=1800
     - sshd_idle_timeout_value=15_minutes
+    - var_logind_session_timeout=15_minutes
     - var_password_pam_minlen=7
     - var_password_pam_minclass=2
     - var_accounts_maximum_age_login_defs=90
@@ -109,6 +110,7 @@ selections:
     - dconf_gnome_screensaver_lock_enabled
     - dconf_gnome_screensaver_mode_blank
     - sshd_set_idle_timeout
+    - logind_session_timeout
     - var_sshd_set_keepalive=0
     - sshd_set_keepalive_0
     - accounts_password_pam_minlen

products/rhel8/profiles/rht-ccp.profile

@@ -12,6 +12,7 @@ selections:
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
     - sshd_idle_timeout_value=5_minutes
+    - var_logind_session_timeout=5_minutes
     - var_accounts_minimum_age_login_defs=7
     - var_accounts_passwords_pam_faillock_deny=5
     - var_accounts_password_warn_age_login_defs=7
@@ -88,6 +89,7 @@ selections:
     - package_telnet_removed
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
+    - logind_session_timeout
     - var_sshd_set_keepalive=0
     - sshd_set_keepalive_0
     - disable_host_auth

shared/applicability/rhel_equals_9_0.yml

@@ -0,0 +1,3 @@
+name: "cpe:/o:rhel:eq:9:0"
+title: "Operating System is RHEL and version equals 9.0"
+check_id: rhel9_equals_9_0

shared/applicability/rhel_greater_equal_8_7.yml

@@ -0,0 +1,3 @@
+name: "cpe:/o:rhel:ge:8:7"
+title: "Operating System is RHEL and version is greater than or equal to 8.7"
+check_id: rhel8_greater_equal_8_7

shared/applicability/rhel_less_equal_8_5.yml

@@ -0,0 +1,3 @@
+name: "cpe:/o:rhel:le:8:5"
+title: "Operating System is RHEL and version is less than or equal to 8.5"
+check_id: rhel8_less_equal_8_5

shared/checks/oval/installed_OS_is_rhel.xml

@@ -0,0 +1,24 @@
+<def-group>
+
+  <definition class="inventory" id="installed_os_is_rhel" version="1">
+    {{{ oval_metadata("Installed OS is RHEL", affected_platforms=["multi_platform_all"]) }}}
+    <criteria operator="AND">
+      <criterion comment="The operating system installed on the system is RHEL"
+      test_ref="test_os_id_is_rhel" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="ID in os-release is rhel" id="test_os_id_is_rhel" version="1">
+    <ind:object object_ref="obj_os_id_is_rhel" />
+    <ind:state state_ref="state_os_id_is_rhel" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_os_id_is_rhel" version="1">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^ID=[&quot;&apos;]?(\w+)[&quot;&apos;]?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_os_id_is_rhel" version="1">
+    <ind:subexpression operation="pattern match">rhel</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

shared/checks/oval/rhel8_greater_equal_8_7.xml

@@ -0,0 +1,26 @@
+<def-group>
+
+  <definition class="inventory" id="rhel8_greater_equal_8_7" version="1">
+    {{{ oval_metadata("RHEL version greater or equal to 8.7", affected_platforms=["multi_platform_all"]) }}}
+    <criteria operator="AND">
+      <extend_definition comment="The operating system installed on the system is RHEL"
+      definition_ref="installed_os_is_rhel" />
+      <criterion comment="The version of operating system RHEL is greater than or equal 8.7"
+      test_ref="test_rhel_version_id_is_gt_8_7" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="VERSION_ID in os-release is greater than or equal to 8.7" id="test_rhel_version_id_is_gt_8_7" version="1">
+    <ind:object object_ref="obj_rhel_version_id_is_gt_8_7" />
+    <ind:state state_ref="state_rhel_version_id_is_gt_8_7" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_rhel_version_id_is_gt_8_7" version="1">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^VERSION_ID=[&quot;&apos;]?([\d\.]+)[&quot;&apos;]?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_rhel_version_id_is_gt_8_7" version="1">
+    <ind:subexpression datatype="evr_string" operation="greater than or equal">8.7</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

shared/checks/oval/rhel8_less_equal_8_5.xml

@@ -0,0 +1,26 @@
+<def-group>
+
+  <definition class="inventory" id="rhel8_less_equal_8_5" version="1">
+    {{{ oval_metadata("RHEL version less or equal to 8.5", affected_platforms=["multi_platform_all"]) }}}
+    <criteria operator="AND">
+      <extend_definition comment="The operating system installed on the system is RHEL"
+      definition_ref="installed_os_is_rhel" />
+      <criterion comment="The version of operating system RHEL is less than or equal 8.5"
+      test_ref="test_rhel_version_id_is_lt_8_5" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="VERSION_ID in os-release is less than or equal to 8.5" id="test_rhel_version_id_is_lt_8_5" version="1">
+    <ind:object object_ref="obj_rhel_version_id_is_lt_8_5" />
+    <ind:state state_ref="state_rhel_version_id_is_lt_8_5" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_rhel_version_id_is_lt_8_5" version="1">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^VERSION_ID=[&quot;&apos;]?([\d\.]+)[&quot;&apos;]?$</ind:pattern>
+    <ind:instance operation="less than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_rhel_version_id_is_lt_8_5" version="1">
+    <ind:subexpression datatype="evr_string" operation="less than or equal">8.5</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

shared/checks/oval/rhel9_equals_9_0.xml

@@ -0,0 +1,26 @@
+<def-group>
+
+  <definition class="inventory" id="rhel9_equals_9_0" version="1">
+    {{{ oval_metadata("RHEL version equals 9.0", affected_platforms=["multi_platform_all"]) }}}
+    <criteria operator="AND">
+      <extend_definition comment="The operating system installed on the system is RHEL"
+      definition_ref="installed_os_is_rhel" />
+      <criterion comment="The version of operating system RHEL equals 9.0"
+      test_ref="test_rhel_version_id_is_eq_9_0" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="VERSION_ID in os-release equals 9.0" id="test_rhel_version_id_is_eq_9_0" version="1">
+    <ind:object object_ref="obj_rhel_version_id_is_eq_9_0" />
+    <ind:state state_ref="state_rhel_version_id_is_eq_9_0" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_rhel_version_id_is_eq_9_0" version="1">
+    <ind:filepath>/etc/os-release</ind:filepath>
+    <ind:pattern operation="pattern match">^VERSION_ID=[&quot;&apos;]?([\d\.]+)[&quot;&apos;]?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_rhel_version_id_is_eq_9_0" version="1">
+    <ind:subexpression datatype="evr_string" operation="equals">9.0</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

tests/data/profile_stability/rhel8/ospp.profile

@@ -104,6 +104,7 @@ selections:
 - kernel_module_firewire-core_disabled
 - kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
+- logind_session_timeout
 - mount_option_boot_nodev
 - mount_option_boot_nosuid
 - mount_option_dev_shm_nodev
@@ -253,6 +254,7 @@ selections:
 - var_password_pam_ucredit=1
 - var_password_pam_lcredit=1
 - sshd_idle_timeout_value=14_minutes
+- var_logind_session_timeout=14_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
 - var_accounts_passwords_pam_faillock_unlock_time=never

tests/data/profile_stability/rhel8/pci-dss.profile

@@ -109,6 +109,7 @@ selections:
 - gid_passwd_group_same
 - grub2_audit_argument
 - install_hids
+- logind_session_timeout
 - no_empty_passwords
 - package_aide_installed
 - package_audispd-plugins_installed
@@ -136,6 +137,7 @@ selections:
 - var_accounts_passwords_pam_faillock_deny=6
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - sshd_idle_timeout_value=15_minutes
+- var_logind_session_timeout=15_minutes
 - var_password_pam_minlen=7
 - var_password_pam_minclass=2
 - var_accounts_maximum_age_login_defs=90