[WIP] Add scap lockdown #120
Added a class to interface with the sshd_config file and a method that will apply the SCAP settings. https://bugzilla.redhat.com/show_bug.cgi?id=1219227 https://bugzilla.redhat.com/show_bug.cgi?id=1219228 https://bugzilla.redhat.com/show_bug.cgi?id=1219229 https://bugzilla.redhat.com/show_bug.cgi?id=1219230 https://bugzilla.redhat.com/show_bug.cgi?id=1219231
Currently disables the atd and autofs services. https://bugzilla.redhat.com/show_bug.cgi?id=1219224 https://bugzilla.redhat.com/show_bug.cgi?id=1219226
These edits include changes to how the appliance reacts to various types of network packets. https://bugzilla.redhat.com/show_bug.cgi?id=1219235 https://bugzilla.redhat.com/show_bug.cgi?id=1219236 https://bugzilla.redhat.com/show_bug.cgi?id=1219237 https://bugzilla.redhat.com/show_bug.cgi?id=1219238 https://bugzilla.redhat.com/show_bug.cgi?id=1219239 https://bugzilla.redhat.com/show_bug.cgi?id=1219240 https://bugzilla.redhat.com/show_bug.cgi?id=1219241 https://bugzilla.redhat.com/show_bug.cgi?id=1219242 https://bugzilla.redhat.com/show_bug.cgi?id=1219243 https://bugzilla.redhat.com/show_bug.cgi?id=1219244 https://bugzilla.redhat.com/show_bug.cgi?id=1219245
…mits.conf file This class will apply the fixes for two SCAP issues - no core dumps and limiting the number of simultaneous non-root logins to 10. https://bugzilla.redhat.com/show_bug.cgi?id=1219246 https://bugzilla.redhat.com/show_bug.cgi?id=1219247
The Securetty.remove_vcs method will remove all virtual console entries from the /etc/securetty file. https://bugzilla.redhat.com/show_bug.cgi?id=1219248
The key value syntax used with this method will be the same for many files we are editing.
Currently the class will set the minimum password age to one day. https://bugzilla.redhat.com/show_bug.cgi?id=1219250
Currently sets INACTIVE to 35 days for SCAP requirements. https://bugzilla.redhat.com/show_bug.cgi?id=1219252
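The commits above all edit "Key value" or "KEY=value" files (sshd_config, login.defs, /etc/default/useradd) with the same key/value approach. The following is an added example, not code from this PR or the linux_admin gem: one small editor that replaces an existing directive in place (including a commented-out one, so the setting is not duplicated), drops later active duplicates, and appends when the key is absent. The class and method names, and the sample settings and file contents, are assumptions made for the example.

```ruby
require "tempfile"

# Added example, not linux_admin code: editor for "Key value" / "KEY=value" files.
class KeyValueConfig
  attr_reader :lines

  def self.load(path, separator: " ")
    new(File.exist?(path) ? File.read(path) : "", separator: separator)
  end

  # separator: " " for sshd_config and login.defs, "=" for /etc/default/useradd
  def initialize(text, separator: " ")
    @separator = separator
    @lines = text.lines(chomp: true)
  end

  # Matches an active or commented-out directive for key, so an existing
  # "#PermitRootLogin yes" is replaced in place rather than duplicated.
  def directive_regex(key)
    sep = @separator == " " ? '\s+' : '\s*' + Regexp.escape(@separator) + '\s*'
    /\A\s*#?\s*#{Regexp.escape(key)}(?:#{sep}|\s*\z)/i
  end

  # Value of the first active (uncommented) directive, or nil if none is set.
  def get(key)
    line = @lines.find { |l| !l.lstrip.start_with?("#") && l.match?(directive_regex(key)) }
    return nil unless line
    split_on = @separator == " " ? /\s+/ : /\s*#{Regexp.escape(@separator)}\s*/
    line.strip.split(split_on, 2)[1]
  end

  # Replace the first matching directive (commented or not) with key/value,
  # drop any later active duplicates, or append when the key is absent.
  def set(key, value)
    regex = directive_regex(key)
    new_line = "#{key}#{@separator}#{value}"
    idx = @lines.index { |l| l.match?(regex) }
    if idx.nil?
      @lines << new_line
    else
      @lines[idx] = new_line
      keep = @lines.each_with_index.reject { |l, i| i > idx && l.match?(regex) && !l.lstrip.start_with?("#") }
      @lines = keep.map(&:first)
    end
    self
  end

  def to_s
    @lines.empty? ? "" : @lines.join("\n") + "\n"
  end

  # Whole-file rewrite with File.write, as suggested in review
  def save(path)
    File.write(path, to_s)
  end
end

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/default/useradd
SAMPLE_SSHD_CONFIG = <<~CONF
  # Authentication:
  #PermitRootLogin yes
  PermitEmptyPasswords yes
  X11Forwarding yes
CONF

SAMPLE_USERADD = <<~CONF
  GROUP=100
  INACTIVE=-1
  SHELL=/bin/bash
CONF

# Round-trips the edit through a real (temporary) file and returns what was written.
def apply_to_sample(content, separator, settings)
  Tempfile.create("kvconf") do |f|
    f.write(content)
    f.flush
    cfg = KeyValueConfig.load(f.path, separator: separator)
    settings.each { |key, value| cfg.set(key, value) }
    cfg.save(f.path)
    File.read(f.path)
  end
end

if $PROGRAM_NAME == __FILE__
  puts apply_to_sample(SAMPLE_SSHD_CONFIG, " ", "PermitRootLogin" => "no", "PermitEmptyPasswords" => "no", "ClientAliveInterval" => "900")
  puts apply_to_sample(SAMPLE_USERADD, "=", "INACTIVE" => "35")
end
```

Replacing the first occurrence matters for sshd_config in particular: sshd uses the first value it reads for a keyword, so a directive appended at the end of the file can be silently shadowed by an earlier one. The example does not understand sshd `Match` blocks; on a file that has them, a scan that stops before the first `Match` line would be needed.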
…t for the other classes
This file dictates that specific files or actions on the system should be watched by auditd. https://bugzilla.redhat.com/show_bug.cgi?id=1219256
…ectory This class will disable loading a specified module into the kernel by setting the module's install command to the stub /bin/true in a file in the /etc/modprobe.d directory. https://bugzilla.redhat.com/show_bug.cgi?id=1219257 https://bugzilla.redhat.com/show_bug.cgi?id=1219258 https://bugzilla.redhat.com/show_bug.cgi?id=1219259 https://bugzilla.redhat.com/show_bug.cgi?id=1219260
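The modprobe stub described in the commit above, as an added example that is not the PR's or the linux_admin gem's code: it writes `install <module> /bin/true` into a drop-in under /etc/modprobe.d idempotently and can report whether a module is already stubbed. The directory is a parameter so the example runs against a temporary directory; the module-name validation and the sample module `dccp` are assumptions added here.

```ruby
require "tmpdir"

# Added example, not linux_admin code: stub a module's install command so modprobe
# runs /bin/true instead of loading it.
module ModprobeDisable
  # modprobe module names: letters, digits, '_' and '-' only
  MODULE_NAME = /\A[A-Za-z0-9_-]+\z/

  # Writes (idempotently) "install <mod> /bin/true" to <dir>/<mod>.conf and returns
  # that path. Rejects names that could point at another path or smuggle extra
  # directives into the file.
  def self.disable(mod, dir: "/etc/modprobe.d")
    raise ArgumentError, "bad module name: #{mod.inspect}" unless mod.match?(MODULE_NAME)

    path = File.join(dir, "#{mod}.conf")
    stub = ["install", mod, "/bin/true"]
    lines = File.exist?(path) ? File.readlines(path, chomp: true) : []
    # Only append when no equivalent install line is present (whitespace-insensitive)
    unless lines.any? { |l| l.split == stub }
      lines << stub.join(" ")
      File.write(path, lines.join("\n") + "\n")
    end
    path
  end

  # True when any drop-in under dir already stubs the module's install command.
  def self.disabled?(mod, dir: "/etc/modprobe.d")
    Dir.glob(File.join(dir, "*.conf")).any? do |f|
      File.readlines(f, chomp: true).any? { |l| l.split == ["install", mod, "/bin/true"] }
    end
  end
end

# Runs the flow in a temporary directory and returns what a compliance check would observe.
def run_demo
  Dir.mktmpdir("modprobe.d") do |dir|
    ModprobeDisable.disable("dccp", dir: dir)
    ModprobeDisable.disable("dccp", dir: dir) # second run must not add a duplicate line
    {
      file: File.read(File.join(dir, "dccp.conf")),
      dccp_disabled: ModprobeDisable.disabled?("dccp", dir: dir),
      sctp_disabled: ModprobeDisable.disabled?("sctp", dir: dir)
    }
  end
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The `install` stub only prevents future loads through modprobe; a module that is already loaded stays loaded until it is unloaded or the system reboots, which is why a check like `disabled?` should be paired with a look at the running kernel's module list when auditing.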
Are these OS-specific? That is, do the file paths only apply to a particular OS? If so, we might have to put this in a subclass and call it via Distros or something.
Most I would assume are not, I can check a sampling of distros though. What would be good coverage for that?
This pattern simplifies to just File.write(filename, new_text)
If you need the extra new_line from the puts at the end you can append it to new_text manually above.
BTW, this is really nice... was this extracted from some other code or a script, or did you have to research this all yourself?
lib/linux_admin/security.rb
Should this method be named apply_scap_settings? Same question for AuditRules.
If they are all named the same, this could be written as:
[SshdConfig, Service, SysctlConf, LimitsConf, Securetty, LoginDefs, Useradd, AuditRules, Modprobe].each do |klass|
klass.public_send(:apply_scap_settings)
end
or you can multiline the class array if you prefer.
Yeah, I thought about that, but removing access to the vcs didn't seem really SCAP specific. I could make the method more generic then create an apply_scap_settings method or just have one that calls remove_vcs with the intention of creating other methods to edit this file in the future.
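The split discussed above, a generic edit method with a SCAP-specific wrapper on top, written out as an added example that is not the PR's or the linux_admin gem's code. `remove_matching` is the generic edit; `remove_vcs` and `apply_scap_settings` are the SCAP-specific layer. The class name and the sample /etc/securetty content are assumptions.

```ruby
require "tempfile"

# Added example, not linux_admin code: editor for list-style files such as /etc/securetty.
class SecurettyFile
  # virtual console entries, e.g. "vc/1"
  VC_ENTRY = %r{\A\s*vc/\d+\s*\z}

  attr_reader :lines

  def self.load(path)
    new(File.exist?(path) ? File.read(path) : "")
  end

  def initialize(text)
    @lines = text.lines(chomp: true)
  end

  # Generic edit: drop every line matching pattern and return the count removed,
  # so a repeated run reports 0 and the edit is safe to apply more than once.
  def remove_matching(pattern)
    before = @lines.size
    @lines.reject! { |l| l.match?(pattern) }
    before - @lines.size
  end

  # SCAP item from the PR: root may not log in on virtual consoles
  def remove_vcs
    remove_matching(VC_ENTRY)
  end

  # SCAP-specific entry point, so callers can treat all classes alike
  def apply_scap_settings
    remove_vcs
    self
  end

  def to_s
    @lines.empty? ? "" : @lines.join("\n") + "\n"
  end

  def save(path)
    File.write(path, to_s)
  end
end

# Constructed sample standing in for /etc/securetty
SAMPLE_SECURETTY = <<~TTY
  console
  vc/1
  vc/2
  tty1
  tty2
  ttyS0
TTY

# Round-trips through a real (temporary) file; returns [lines removed, resulting content].
def remove_vcs_from_sample(content)
  Tempfile.create("securetty") do |f|
    f.write(content)
    f.flush
    tty = SecurettyFile.load(f.path)
    removed = tty.remove_vcs
    tty.save(f.path)
    [removed, File.read(f.path)]
  end
end

puts remove_vcs_from_sample(SAMPLE_SECURETTY).inspect if $PROGRAM_NAME == __FILE__
```

Returning the removed count from the generic method gives a cheap compliance signal: a result of 0 on a second run means the file was already in the desired state, without having to diff it.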
@Fryguy What should I do around the gem version for this PR?
Nothing. When we release we'll decide on the version number.
Looks like everything is where we expect it to be in RHEL 7.1
I feel like this logic belongs right inside service.restart. That way the caller just calls service.restart, and the Service class takes care of it all. What do you think? Doesn't have to be in this PR.
Just did a quick test and it looks like restart will succeed even if the service is stopped. So I can just take the method out and call to LinuxAdmin::Service directly.
Sorry, this seems strange to me. I'd prefer to see the [ ] syntax instead of the %w here.
I have no preference, I did it this way to appease RuboCop.
spec/security/modprobe_spec.rb
You can use FileUtils.rm or rm_f to avoid the existence check
Checked commits carbonin@36ea797 .. carbonin@4d5b5f2 with rubocop 0.32.1 and haml-lint 0.13.0
@carbonin Let's investigate OpenSCAP and see if we should proceed with this PR.
Closing in favor of #121
Exposes access to various SCAP settings through linux admin. A full list of items can be found on Trello (https://trello.com/c/Zh1TAxfm/50-8-7-1-phase-2-config-scap-stig-security)