From e94d7c9ab06c8c48bbc26db8685b9b1729526420 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 25 Jan 2023 18:10:24 +0100
Subject: [PATCH 01/14] add definition checking that installed os is RHEL
---
 shared/checks/oval/installed_os_is_rhel.xml | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 shared/checks/oval/installed_os_is_rhel.xml
diff --git a/shared/checks/oval/installed_os_is_rhel.xml b/shared/checks/oval/installed_os_is_rhel.xml
new file mode 100644
index 00000000000..a7420f7487c
--- /dev/null
+++ b/shared/checks/oval/installed_os_is_rhel.xml
@@ -0,0 +1,24 @@
+
+
+
+ {{{ oval_metadata("Installed OS is RHEL", affected_platforms=["multi_platform_all"]) }}}
+
+
+
+
+
+
+
+
+
+
+ /etc/os-release
+ ^ID=["']?(\w+)["']?$
+ 1
+
+
+ rhel
+
+
+
From 95fb5160fff017dd1257605fb7cac9b1f239f9c9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 25 Jan 2023 18:11:07 +0100
Subject: [PATCH 02/14] add platform checking that RHEL >= 8.7
---
 .../applicability/rhel_greater_equal_8_7.yml | 3 +++
 .../checks/oval/rhel8_greater_equal_8_7.xml | 26 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 shared/applicability/rhel_greater_equal_8_7.yml
 create mode 100644 shared/checks/oval/rhel8_greater_equal_8_7.xml
diff --git a/shared/applicability/rhel_greater_equal_8_7.yml b/shared/applicability/rhel_greater_equal_8_7.yml
new file mode 100644
index 00000000000..124db9dff13
--- /dev/null
+++ b/shared/applicability/rhel_greater_equal_8_7.yml
@@ -0,0 +1,3 @@
+name: "cpe:/o:rhel:ge:8:7"
+title: "Operating System is RHEL and version is greater than or equal to 8.7"
+check_id: rhel8_greater_equal_8_7
diff --git a/shared/checks/oval/rhel8_greater_equal_8_7.xml b/shared/checks/oval/rhel8_greater_equal_8_7.xml
new file mode 100644
index 00000000000..f61d46c0d48
--- /dev/null
+++ b/shared/checks/oval/rhel8_greater_equal_8_7.xml
@@ -0,0 +1,26 @@
+
+
+
+ {{{ oval_metadata("RHEL version greater or equal to 8.7", affected_platforms=["multi_platform_all"]) }}}
+
+
+
+
+
+
+
+
+
+
+
+ /etc/os-release
+ ^VERSION_ID=["']?([\d\.]+)["']?$
+ 1
+
+
+ 8.7
+
+
+
From 78422066177ea8626da7a2a6178149618de71755 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:02:21 +0100
Subject: [PATCH 03/14] add platform which is applicable if RHEL <= 8.5
---
 shared/applicability/rhel_less_equal_8_5.yml | 3 +++
 shared/checks/oval/rhel8_less_equal_8_5.xml | 26 ++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 shared/applicability/rhel_less_equal_8_5.yml
 create mode 100644 shared/checks/oval/rhel8_less_equal_8_5.xml
diff --git a/shared/applicability/rhel_less_equal_8_5.yml b/shared/applicability/rhel_less_equal_8_5.yml
new file mode 100644
index 00000000000..975732e3e89
--- /dev/null
+++ b/shared/applicability/rhel_less_equal_8_5.yml
@@ -0,0 +1,3 @@
+name: "cpe:/o:rhel:le:8:5"
+title: "Operating System is RHEL and version is less than or equal to 8.5"
+check_id: rhel8_less_equal_8_5
diff --git a/shared/checks/oval/rhel8_less_equal_8_5.xml b/shared/checks/oval/rhel8_less_equal_8_5.xml
new file mode 100644
index 00000000000..d61330ecfae
--- /dev/null
+++ b/shared/checks/oval/rhel8_less_equal_8_5.xml
@@ -0,0 +1,26 @@
+
+
+
+ {{{ oval_metadata("RHEL version less or equal to 8.5", affected_platforms=["multi_platform_all"]) }}}
+
+
+
+
+
+
+
+
+
+
+
+ /etc/os-release
+ ^VERSION_ID=["']?([\d\.]+)["']?$
+ 1
+
+
+ 8.5
+
+
+
From 864ac63cb92dfbf00dff0564e9f3ac8166780d60 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 25 Jan 2023 18:11:29 +0100
Subject: [PATCH 04/14] add platform checking that RHEL == 9.0
---
 shared/applicability/rhel_equals_9_0.yml | 3 +++
 shared/checks/oval/rhel9_equals_9_0.xml | 26 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 shared/applicability/rhel_equals_9_0.yml
 create mode 100644 shared/checks/oval/rhel9_equals_9_0.xml
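Review bot: The comparison of the captured VERSION_ID with `8.7` in this hunk only orders correctly if the state element uses `datatype="version"`; with the default string datatype `8.10` sorts before `8.7`, so RHEL 8.10 would drop out of the "greater or equal" platform. The element markup is not visible in this rendering, so this cannot be confirmed from the hunk; the same point applies to rhel8_less_equal_8_5.xml in this patch series and to rhel9_equals_9_0.xml in the next one. The applicability title also promises "Operating System is RHEL", yet the only visible test reads VERSION_ID, so the definition's criteria should extend installed_os_is_rhel from patch 01 — otherwise another distribution reporting the same VERSION_ID would match this platform as well.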
diff --git a/shared/applicability/rhel_equals_9_0.yml b/shared/applicability/rhel_equals_9_0.yml
new file mode 100644
index 00000000000..2a2f331911a
--- /dev/null
+++ b/shared/applicability/rhel_equals_9_0.yml
@@ -0,0 +1,3 @@
+name: "cpe:/o:rhel:eq:9:0"
+title: "Operating System is RHEL and version equals 9.0"
+check_id: rhel9_equals_9_0
diff --git a/shared/checks/oval/rhel9_equals_9_0.xml b/shared/checks/oval/rhel9_equals_9_0.xml
new file mode 100644
index 00000000000..d56a5de3f1b
--- /dev/null
+++ b/shared/checks/oval/rhel9_equals_9_0.xml
@@ -0,0 +1,26 @@
+
+
+
+ {{{ oval_metadata("RHEL version equals 9.0", affected_platforms=["multi_platform_all"]) }}}
+
+
+
+
+
+
+
+
+
+
+
+ /etc/os-release
+ ^VERSION_ID=["']?([\d\.]+)["']?$
+ 1
+
+
+ 9.0
+
+
+
From 65434d359715b670bda13c60fc7af19c430d563d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 25 Jan 2023 18:11:52 +0100
Subject: [PATCH 05/14] apply platforms to logind_session_timeout rule
---
 .../accounts/accounts-physical/logind_session_timeout/rule.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
index bfaafa0bda1..1de021221dd 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
@@ -18,6 +18,9 @@ rationale: |-
 
 severity: medium
 
+platforms:
+  - rhel_greater_equal_8_7 and not rhel_equals_9_0
+
 identifiers:
   cce@rhel8: CCE-90784-0
   cce@rhel9: CCE-90785-7
From c9363383f4f28b09dbd3df26171a365b66e1189c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 11:41:58 +0100
Subject: [PATCH 06/14] make rule sshd_idle_timeout applicable on RHEL <= 8.6
---
 .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 3 +++
 1 file changed, 3 insertions(+)
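Review bot: The platform expression `rhel_greater_equal_8_7 and not rhel_equals_9_0` added here, combined with the `rhel_less_equal_8_5` platform that patch 06 puts on sshd_set_idle_timeout (and patch 14 keeps for every product whose name contains "rhel", so RHEL 9 products included), leaves RHEL 8.6 and RHEL 9.0 selected by neither idle-timeout rule: 8.6 sits between the two bounds and 9.0 is excluded here while failing the ≤ 8.5 test there. If those releases are meant to keep the sshd-based timeout, the sshd platform should admit them (for 9.0 something like `rhel_less_equal_8_5 or rhel_equals_9_0`, and a platform that also covers 8.6); if the gap is deliberate, a one-line comment above `platforms:` saying why would stop the next reader from "fixing" it. Note also that patch 06's subject says RHEL <= 8.6 while the platform it selects is rhel_less_equal_8_5, so one of the two needs to change.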
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index b8b037d4633..ac0194f7bbc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -24,6 +24,9 @@ rationale: |-
 
 severity: medium
 
+platforms:
+  - rhel_less_equal_8_5
+
 identifiers:
   cce@rhcos4: CCE-82549-7
   cce@rhel7: CCE-27433-2
From 35d8e445278e7d010b9054cd991814e5bf48b25a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:16:20 +0100
Subject: [PATCH 07/14] update references of rule logind_session_timeout
---
 .../logind_session_timeout/rule.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
index 1de021221dd..d6543cb2e05 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
@@ -26,7 +26,20 @@ identifiers:
   cce@rhel9: CCE-90785-7
 
 references:
+    anssi: BP28(R29)
+    cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+    cjis: 5.5.6
+    cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+    cui: 3.1.11
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
+    iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
+    nist: CM-6(a),AC-17(a),AC-2(5),AC-12,AC-17(a),SC-10,CM-6(a)
+    nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2
     ospp: FMT_SMF_EXT.1.1
+    pcidss: Req-8.1.8
+    vmmsrg: SRG-OS-000480-VMM-002000
 
 ocil_clause: "The option is not configured"
 
From 6a388c3d69fee466614f5a7e44426e509bff6c38 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:43:04 +0100
Subject: [PATCH 08/14] add rule to RHEL8 CJIS profile
---
 products/rhel8/profiles/cjis.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 30843b692ef..22ae5aac728 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -104,6 +104,7 @@ selections:
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
     - var_sshd_set_keepalive=0
+    - logind_session_timeout
     - sshd_set_keepalive_0
     - disable_host_auth
     - sshd_disable_root_login
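Review bot: The added `nist:` line lists `CM-6(a)` and `AC-17(a)` twice each; `nist: CM-6(a),AC-17(a),AC-2(5),AC-12,SC-10` names the same controls once and keeps the reference tables tidy. The rest of the block appears to be carried over wholesale from a sibling rule (the cjis and pcidss entries line up with the profiles that select this rule in later patches), which is reasonable, but `vmmsrg` is a VMM-specific SRG and is worth a second look for a logind rule. The references hunk is complete within this patch.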
@@ -119,6 +120,7 @@ selections:
     - set_firewalld_default_zone
     - firewalld_sshd_port_enabled
     - sshd_idle_timeout_value=30_minutes
+    - var_logind_session_timeout=30_minutes
     - inactivity_timeout_value=30_minutes
     - sysctl_net_ipv4_conf_default_accept_source_route
     - sysctl_net_ipv4_tcp_syncookies
From 9a3e5021af8196060af591ab93b601574670b37d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:44:00 +0100
Subject: [PATCH 09/14] add rule to RHEL8 OSPP profile
---
 products/rhel8/profiles/ospp.profile | 2 ++
 tests/data/profile_stability/rhel8/ospp.profile | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index fb46ab4c0c9..0fe17b20854 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -300,6 +300,8 @@ selections:
     ## We deliberately set sshd timeout to 1 minute before tmux lock timeout
     - sshd_idle_timeout_value=14_minutes
     - sshd_set_idle_timeout
+    - logind_session_timeout
+    - var_logind_session_timeout=14_minutes
 
     ## Disable Unauthenticated Login (such as Guest Accounts)
     ## FIA_UAU.1
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 267b66a4f89..a31f3245d84 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -104,6 +104,7 @@ selections:
 - kernel_module_firewire-core_disabled
 - kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
+- logind_session_timeout
 - mount_option_boot_nodev
 - mount_option_boot_nosuid
 - mount_option_dev_shm_nodev
@@ -253,6 +254,7 @@ selections:
 - var_password_pam_ucredit=1
 - var_password_pam_lcredit=1
 - sshd_idle_timeout_value=14_minutes
+- var_logind_session_timeout=14_minutes
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
 - var_accounts_passwords_pam_faillock_unlock_time=never
From 4e2a81e9fc0e994c1b3de0e778030db8adb8d489 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:45:37 +0100
Subject: [PATCH 10/14] update RHEL8 PCI-DSS profile
---
 products/rhel8/profiles/pci-dss.profile | 2 ++
 tests/data/profile_stability/rhel8/pci-dss.profile | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile
index c0c9b12773c..c63c5f4a075 100644
--- a/products/rhel8/profiles/pci-dss.profile
+++ b/products/rhel8/profiles/pci-dss.profile
@@ -17,6 +17,7 @@ selections:
     - var_accounts_passwords_pam_faillock_deny=6
     - var_accounts_passwords_pam_faillock_unlock_time=1800
     - sshd_idle_timeout_value=15_minutes
+    - var_logind_session_timeout=15_minutes
     - var_password_pam_minlen=7
     - var_password_pam_minclass=2
     - var_accounts_maximum_age_login_defs=90
@@ -109,6 +110,7 @@ selections:
     - dconf_gnome_screensaver_lock_enabled
     - dconf_gnome_screensaver_mode_blank
     - sshd_set_idle_timeout
+    - logind_session_timeout
     - var_sshd_set_keepalive=0
     - sshd_set_keepalive_0
     - accounts_password_pam_minlen
diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
index 902d0084fcc..5c77ea6a852 100644
--- a/tests/data/profile_stability/rhel8/pci-dss.profile
+++ b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -109,6 +109,7 @@ selections:
 - gid_passwd_group_same
 - grub2_audit_argument
 - install_hids
+- logind_session_timeout
 - no_empty_passwords
 - package_aide_installed
 - package_audispd-plugins_installed
@@ -136,6 +137,7 @@ selections:
 - var_accounts_passwords_pam_faillock_deny=6
 - var_accounts_passwords_pam_faillock_unlock_time=1800
 - sshd_idle_timeout_value=15_minutes
+- var_logind_session_timeout=15_minutes
 - var_password_pam_minlen=7
 - var_password_pam_minclass=2
 - var_accounts_maximum_age_login_defs=90
From 50441c4d8187de6cb9680d30c4ca457b94753793 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:46:20 +0100
Subject: [PATCH 11/14] add rule to RHEL8 RHT-CCP profile
---
 products/rhel8/profiles/rht-ccp.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index e8e7e3a72f2..b192461f95a 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -14,6 +14,7 @@ selections:
     - file_owner_logfiles_value=root
     - file_groupowner_logfiles_value=root
     - sshd_idle_timeout_value=5_minutes
+    - var_logind_session_timeout=5_minutes
     - var_accounts_minimum_age_login_defs=7
     - var_accounts_passwords_pam_faillock_deny=5
     - var_accounts_password_warn_age_login_defs=7
@@ -90,6 +91,7 @@ selections:
     - package_telnet_removed
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
+    - logind_session_timeout
     - var_sshd_set_keepalive=0
     - sshd_set_keepalive_0
     - disable_host_auth
From 355beb1eeed6ba56e0f53e38515b5144112de110 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 26 Jan 2023 14:48:32 +0100
Subject: [PATCH 12/14] add rule to ANSSI profiles
---
 controls/anssi.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 9e631d1de47..607ce976ef9 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -676,6 +676,8 @@ controls:
     - var_accounts_tmout=10_min
     - sshd_set_idle_timeout
     - sshd_idle_timeout_value=10_minutes
+    - logind_session_timeout
+    - var_logind_session_timeout=10_minutes
     - sshd_set_keepalive
 
   - id: R30
From 219a65277e7d5f0342797804c98f1e14ec7ff644 Mon Sep 17 00:00:00 2001
From: vojtapolasek
Date: Fri, 27 Jan 2023 10:21:03 +0100
Subject: [PATCH 13/14] Update linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
Co-authored-by: Matthew Burket
---
 .../accounts/accounts-physical/logind_session_timeout/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
index d6543cb2e05..5fb6d22622b 100644
--- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml
@@ -41,7 +41,7 @@ references:
     pcidss: Req-8.1.8
     vmmsrg: SRG-OS-000480-VMM-002000
 
-ocil_clause: "The option is not configured"
+ocil_clause: "the option is not configured"
 
 ocil: |-
     Display the contents of the file /etc/systemd/logind.conf:
From eeef8c386d6bd3dadc4a3491798c2084cce7c44a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 30 Jan 2023 11:07:39 +0100
Subject: [PATCH 14/14] apply the platform only in context of RHEL products
---
 .../services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index ac0194f7bbc..abfed89d114 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -24,8 +24,10 @@ rationale: |-
 
 severity: medium
 
+{{% if "rhel" in product %}}
 platforms:
   - rhel_less_equal_8_5
+{{% endif %}}
 
 identifiers:
   cce@rhcos4: CCE-82549-7