
Fill gaps in the RHEL8/RHEL9 STIG #9016

Merged
merged 21 commits into ComplianceAsCode:master from Mab879:fix_missing
Jun 24, 2022

Conversation

Mab879
Member

@Mab879 Mab879 commented Jun 22, 2022

Description:

  • Add new rules for gaps in the RHEL8/RHEL9 STIG

Rationale:

Fixes #8643

@Mab879 Mab879 added New Rule Issues or pull requests related to new Rules. DISA RHEL8 STIG Alignment RHEL9 Red Hat Enterprise Linux 9 product related. Update Rule Issues or pull requests related to Rules updates. labels Jun 22, 2022
@Mab879 Mab879 added this to the 0.1.63 milestone Jun 22, 2022
@github-actions

github-actions bot commented Jun 22, 2022

This datastream diff is auto-generated by the check Compare DS/Generate Diff.

OCIL for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs:
--- old datastream
+++ new datastream
@@ -2,11 +2,5 @@
 $ sudo awk -F: '!$2 {print $1}' /etc/shadow
 If this produces any output, it may be possible to log into accounts
 with empty passwords.
-Configure all accounts on the system to have a password or lock
-the account with the following commands:
-Perform a password reset:
-$ sudo passwd [username]
-Lock an account:
-$ sudo passwd -l [username]
 Is it the case that Blank or NULL passwords can be used?
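Review bot: removing the `passwd` / `passwd -l` remediation lines from this OCIL question is consistent with OCIL describing only the check, but this diff shows the guidance only being dropped, so please confirm it still lives in the rule description or fix text. The remaining check `awk -F: '!$2 {print $1}' /etc/shadow` reports only accounts whose second field is literally empty, so locked entries (`!`, `*`) are correctly not listed.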
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
 To verify that auditing is configured for system administrator actions, run the following command:
-$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
+$ sudo auditctl -l | grep "watch=/var/log/faillock\|-w /var/log/faillock"
 Is it the case that there is no output?
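Review bot: the OCIL now greps only for `/var/log/faillock`, the directory the STIG expects, but pam_faillock keeps its tally files under `/var/run/faillock` unless `dir` is set in `/etc/security/faillock.conf`; a system that has not also applied that directory configuration will now fail this check while the watch it is told to add covers a path faillock never writes to. Worth stating that dependency in the rule description so the two rules are applied together.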
 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' differs:
--- old datastream
+++ new datastream
@@ -26,7 +26,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
 # Check if audit watch file system object rule for given path already present
- if grep -q -P -- "^[\s]*-w[\s]+/var/run/faillock" "$audit_rules_file"
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
 then
 # Rule is found => verify yet if existing rule definition contains
 # all of the required access type bits
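Review bot: the presence check `^[\s]*-w[\s]+/var/log/faillock` has no terminator after the path, so a watch on a longer path such as `/var/log/faillock-old` also counts as "rule present" and the real rule is never appended; requiring whitespace or end of line after the path (for example `-w[\s]+/var/log/faillock([\s]|$)`) would make the match exact. The same pattern recurs in the rules.d branch further down.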
@@ -34,7 +34,7 @@
 # Define BRE whitespace class shortcut
 sp="[[:space:]]"
 # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
 # Split required access bits string into characters array
 # (to check bit's presence for one bit at a time)
 for access_bit in $(echo "wa" | grep -o .)
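Review bot: the extraction regex carries a literal space before `$sp\+` (`/var/log/faillock $sp\+-p`), so it only matches when at least two whitespace characters separate the path from `-p`, whereas the `sed -i` rewrite in the next hunk uses `$sp\+` alone. For the usual single-space form `-w /var/log/faillock -p rwa -k logins` the expression yields nothing, `current_access_bits` starts empty, and bits already present (the `r` here) are not merged but overwritten by that later `sed -i`. If the space is intentional it needs a comment; otherwise drop it.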
@@ -50,12 +50,12 @@
 done
 # Propagate the updated rule's access bits (original + the required
 # ones) back into the /etc/audit/audit.rules file for that rule
- sed -i "s#\($sp*-w$sp\+/var/run/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
 else
 # Rule isn't present yet. Append it at the end of $audit_rules_file file
 # with proper key
 
- echo "-w /var/run/faillock -p wa -k logins" >> "$audit_rules_file"
+ echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
 fi
 done
 # Create a list of audit *.rules files that should be inspected for presence and correctness
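Review bot: the fall-through only appends `-w /var/log/faillock -p wa -k logins`; nothing in the remediation removes a `-w /var/run/faillock -p wa -k logins` line installed by the previous version of this rule, so an upgraded system ends up with both watches under the `logins` key, one of them on a path the STIG no longer wants. Consider deleting lines matching the old `/var/run/faillock` watch before the append, in this branch and in the rules.d one.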
@@ -74,7 +74,7 @@
 # If the audit is 'augenrules', then check if rule is already defined
 # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
 # If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
-readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/faillock" /etc/audit/rules.d/*.rules)
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules)
 
 # For each of the matched entries
 for match in "${matches[@]}"
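Review bot: unlike the per-file check `^[\s]*-w[\s]+/var/log/faillock` in the earlier hunk, this `grep -HP "[\s]*-w[\s]+/var/log/faillock"` is not anchored to the start of the line, so a commented-out `# -w /var/log/faillock -p wa -k logins` in any `/etc/audit/rules.d/*.rules` file is taken as an existing rule and that file, rather than `logins.rules`, is selected for inspection as the comment above describes; add the `^` anchor so both greps agree.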
@@ -103,7 +103,7 @@
 for audit_rules_file in "${files_to_inspect[@]}"
 do
 # Check if audit watch file system object rule for given path already present
- if grep -q -P -- "^[\s]*-w[\s]+/var/run/faillock" "$audit_rules_file"
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
 then
 # Rule is found => verify yet if existing rule definition contains
 # all of the required access type bits
@@ -111,7 +111,7 @@
 # Define BRE whitespace class shortcut
 sp="[[:space:]]"
 # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
- current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
 # Split required access bits string into characters array
 # (to check bit's presence for one bit at a time)
 for access_bit in $(echo "wa" | grep -o .)
@@ -127,12 +127,12 @@
 done
 # Propagate the updated rule's access bits (original + the required
 # ones) back into the /etc/audit/audit.rules file for that rule
- sed -i "s#\($sp*-w$sp\+/var/run/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
 else
 # Rule isn't present yet. Append it at the end of $audit_rules_file file
 # with proper key
 
- echo "-w /var/run/faillock -p wa -k logins" >> "$audit_rules_file"
+ echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
 fi
 done
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock' differs:
--- old datastream
+++ new datastream
@@ -3,6 +3,7 @@
 manager: auto
 tags:
 - CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
 - NIST-800-171-3.1.7
 - NIST-800-53-AC-6(9)
 - NIST-800-53-AU-12(c)
@@ -26,6 +27,7 @@
 when: '"audit" in ansible_facts.packages'
 tags:
 - CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
 - NIST-800-171-3.1.7
 - NIST-800-53-AC-6(9)
 - NIST-800-53-AU-12(c)
@@ -49,6 +51,7 @@
 - find_faillock.matched is defined and find_faillock.matched == 0
 tags:
 - CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
 - NIST-800-171-3.1.7
 - NIST-800-53-AC-6(9)
 - NIST-800-53-AU-12(c)
@@ -71,6 +74,7 @@
 - find_faillock.matched is defined and find_faillock.matched > 0
 tags:
 - CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
 - NIST-800-171-3.1.7
 - NIST-800-53-AC-6(9)
 - NIST-800-53-AU-12(c)
@@ -87,11 +91,12 @@
 - name: Inserts/replaces the faillock rule in rules.d when on x86
 lineinfile:
 path: '{{ all_files[0] }}'
- line: -w /var/run/faillock -p wa -k logins
+ line: -w /var/log/faillock -p wa -k logins
 create: true
 when: '"audit" in ansible_facts.packages'
 tags:
 - CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
 - NIST-800-171-3.1.7
 - NIST-800-53-AC-6(9)
 - NIST-800-53-AU-12(c)
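Review bot: this `lineinfile` task has only `path`, `line` and `create` and no `regexp`, so despite the name "Inserts/replaces" it can only add the exact line `-w /var/log/faillock -p wa -k logins`; an existing watch with different access bits or key, and the old `-w /var/run/faillock` line, are left in place and the file gains a second rule, which is weaker than the bash remediation that merges access bits. A `regexp` matching `^\s*-w\s+/var/(run|log)/faillock\s` would turn it into a real replace.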
@@ -107,13 +112,14 @@
 
 - name: Inserts/replaces the faillock rule in /etc/audit/audit.rules
 lineinfile:
- line: -w /var/run/faillock -p wa -k logins
+ line: -w /var/log/faillock -p wa -k logins
 state: present
 dest: /etc/audit/audit.rules
 create: true
 when: '"audit" in ansible_facts.packages'
 tags:
 - CCE-80718-0
+ - DISA-STIG-RHEL-08-030590
 - NIST-800-171-3.1.7
 - NIST-800-53-AC-6(9)
 - NIST-800-53-AU-12(c)
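Review bot: this task uses `dest:` while the rules.d task above uses `path:` for the same `lineinfile` module; both are accepted aliases, but one spelling keeps the generated playbook consistent. The missing-`regexp` point applies here too: with `state: present` and no `regexp`, an `/etc/audit/audit.rules` that still carries the old `/var/run/faillock` watch keeps it alongside the new line.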

@jan-cerny jan-cerny self-assigned this Jun 23, 2022
@marcusburghardt marcusburghardt added STIG STIG Benchmark related. RHEL8 Red Hat Enterprise Linux 8 product related. and removed DISA RHEL9 STIG Alignment labels Jun 23, 2022
Mab879 added a commit to Mab879/content that referenced this pull request Jun 23, 2022
@Mab879 Mab879 requested a review from jan-cerny June 23, 2022 11:21
@ggbecker
Member

We need to respect some reasonable line length for these new rules... don't we already have something defined as a maximum line length?

@jan-cerny
Collaborator

@ggbecker What line length?

@codeclimate

codeclimate bot commented Jun 23, 2022

Code Climate has analyzed commit 9f21468 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

View more on Code Climate.

@openshift-ci

openshift-ci bot commented Jun 23, 2022

@Mab879: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-rhcos4-moderate 9f21468 link true /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-high 9f21468 link true /test e2e-aws-rhcos4-high


@jan-cerny jan-cerny merged commit 05b5910 into ComplianceAsCode:master Jun 24, 2022
@Mab879 Mab879 deleted the fix_missing branch July 29, 2022 20:54
Successfully merging this pull request may close these issues.

Double check RHEL8 STIG missing rules from CaC/content to expand SRG coverage