Fill gaps in the RHEL8/RHEL9 STIG #9016
Add * fixtext * srg_requirement
For RHEL8 STIG and RHEL9 STIG
For RHEL9 and RHEL8 STIG
For RHEL9 and RHEL8 STIG
Configure the path based on OS. Variables don't work well with the template.
For RHEL8 STIG
For RHEL8 and RHEL9 STIG
This datastream diff is auto generated by the check.

OCIL for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs:
--- old datastream
+++ new datastream
@@ -2,11 +2,5 @@
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If this produces any output, it may be possible to log into accounts
with empty passwords.
-Configure all accounts on the system to have a password or lock
-the account with the following commands:
-Perform a password reset:
-$ sudo passwd [username]
-Lock an account:
-$ sudo passwd -l [username]
Is it the case that Blank or NULL passwords can be used?
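Review bot: The six removed lines (from `Configure all accounts on the system to have a password or lock` through `$ sudo passwd -l [username]`) are remediation steps rather than check steps, so taking them out of the OCIL text is the right direction; please confirm the same guidance now appears in the rule's new fixtext so the operator still sees how to clear an empty password field. Minor: the question line `Is it the case that Blank or NULL passwords can be used?` capitalises `Blank` mid-sentence; it reads better lower-case.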
OCIL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
To verify that auditing is configured for system administrator actions, run the following command:
-$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
+$ sudo auditctl -l | grep "watch=/var/log/faillock\|-w /var/log/faillock"
Is it the case that there is no output?
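Review bot: The new path `/var/log/faillock` only reflects reality when faillock has been configured to write there; pam_faillock's default directory is `/var/run/faillock`, which is what the old text watched, so on a host whose `faillock.conf` still uses the default this check can pass while the audit watch sits on a directory that is never written. The rule should be paired with (or its description should point at) the rule that sets the faillock `dir`. Also, the lead sentence `To verify that auditing is configured for system administrator actions` names the wrong event class for a logins/faillock rule; suggest `To verify that auditing is configured for failed login attempts` or similar.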
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' differs:
--- old datastream
+++ new datastream
@@ -26,7 +26,7 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
- if grep -q -P -- "^[\s]*-w[\s]+/var/run/faillock" "$audit_rules_file"
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
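Review bot: The presence check `^[\s]*-w[\s]+/var/log/faillock` has no trailing boundary, so an existing watch on a longer path such as `/var/log/faillock.bak` would be accepted as the rule already being present and the correct line would never be appended. Since `grep -P` is already in use, appending `(\s|$)` to the pattern makes the match exact. The old `/var/run/faillock` line had the same gap, so this comes from the shared template rather than from this change.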
@@ -34,7 +34,7 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
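Review bot: The extraction sed has a literal space before `$sp\+` (`/var/log/faillock $sp\+-p`), so it only matches when at least two whitespace characters separate the path from `-p`; the canonical line `-w /var/log/faillock -p wa -k logins` that this very script appends has exactly one, so `current_access_bits` comes back empty for a normally formatted rule and the loop that follows starts from nothing rather than from the bits already on disk. The write-back sed in the next hunk (`/var/log/faillock$sp\+-p`) has no such space, which suggests the extra one is a slip. It is present on the `-` line too, so it is inherited from the template, but this PR is already touching that line and could drop the space while at it.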
@@ -50,12 +50,12 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
- sed -i "s#\($sp*-w$sp\+/var/run/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
- echo "-w /var/run/faillock -p wa -k logins" >> "$audit_rules_file"
+ echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
@@ -74,7 +74,7 @@
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/faillock" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules)
# For each of the matched entries
for match in "${matches[@]}"
@@ -103,7 +103,7 @@
for audit_rules_file in "${files_to_inspect[@]}"
do
# Check if audit watch file system object rule for given path already present
- if grep -q -P -- "^[\s]*-w[\s]+/var/run/faillock" "$audit_rules_file"
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
then
# Rule is found => verify yet if existing rule definition contains
# all of the required access type bits
@@ -111,7 +111,7 @@
# Define BRE whitespace class shortcut
sp="[[:space:]]"
# Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
# Split required access bits string into characters array
# (to check bit's presence for one bit at a time)
for access_bit in $(echo "wa" | grep -o .)
@@ -127,12 +127,12 @@
done
# Propagate the updated rule's access bits (original + the required
# ones) back into the /etc/audit/audit.rules file for that rule
- sed -i "s#\($sp*-w$sp\+/var/run/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
else
# Rule isn't present yet. Append it at the end of $audit_rules_file file
# with proper key
- echo "-w /var/run/faillock -p wa -k logins" >> "$audit_rules_file"
+ echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' differs:
--- old datastream
+++ new datastream
@@ -3,6 +3,7 @@
manager: auto
tags:
- CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
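Review bot: Only the RHEL 8 STIG ID (`DISA-STIG-RHEL-08-030590`) is tagged in these tasks, although the PR title covers the RHEL9 STIG as well; if the RHEL9 STIG carries a corresponding requirement for this rule, its ID should be added alongside so the RHEL9 playbooks also get the STIG tag.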
@@ -26,6 +27,7 @@
when: '"audit" in ansible_facts.packages'
tags:
- CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
@@ -49,6 +51,7 @@
- find_faillock.matched is defined and find_faillock.matched == 0
tags:
- CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
@@ -71,6 +74,7 @@
- find_faillock.matched is defined and find_faillock.matched > 0
tags:
- CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
@@ -87,11 +91,12 @@
- name: Inserts/replaces the faillock rule in rules.d when on x86
lineinfile:
path: '{{ all_files[0] }}'
- line: -w /var/run/faillock -p wa -k logins
+ line: -w /var/log/faillock -p wa -k logins
create: true
when: '"audit" in ansible_facts.packages'
tags:
- CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c)
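Review bot: This `lineinfile` task has no `regexp`, so on a host that already carries the old `-w /var/run/faillock -p wa -k logins` line (which is what the previous version of this remediation wrote, per the `-` line above) the task appends the new line and leaves the stale one in place, and the host ends up with two watches, one on a directory that may never be written. A `regexp: '^\s*-w\s+/var/(run|log)/faillock\b'` would let the task replace the old line instead of adding beside it. The same applies to the `/etc/audit/audit.rules` task in the next hunk.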
@@ -107,13 +112,14 @@
- name: Inserts/replaces the faillock rule in /etc/audit/audit.rules
lineinfile:
- line: -w /var/run/faillock -p wa -k logins
+ line: -w /var/log/faillock -p wa -k logins
state: present
dest: /etc/audit/audit.rules
create: true
when: '"audit" in ansible_facts.packages'
tags:
- CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
- NIST-800-171-3.1.7
- NIST-800-53-AC-6(9)
- NIST-800-53-AU-12(c) |
Add * fixtext * srg_requirement
Add * fixtext * srg_requirement
We need to respect some reasonable line length for these new rules... Don't we already have something defined as a maximum line length?
@ggbecker What line length?
Co-authored-by: Jan Černý <jcerny@redhat.com>
Code Climate has analyzed commit 9f21468 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@Mab879: The following tests failed, say
Description:
Rationale:
Fixes #8643