Merge branch 'SLE-15-SP4' into merge-SLE-15-SP4

doc/security_policies.md

@@ -0,0 +1,103 @@
+# Security Policies
+
+https://www.suse.com/c/applying-disa-stig-hardening-to-sles-installations/
+
+The DISA ([Defense Information Systems Agency](https://disa.mil)) and SUSE have authored a STIG
+(Secure Technical Implementation Guide) that describes how to harden a SUSE Linux Enterprise system.
+
+The STIG is a long list of rules, each containing description, detection of problems and how to
+remediate problems on a per rule basis.
+
+While originally STIGs are supposed to applied manually, a large percentage of the rules can be and
+were automated in so called SCAP format (Secure Content Automation Protocol).
+
+We can classify rules into multiple cases:
+
+* rules that need to be applied during installation of a system
+* rules where remediation can be automatically applied after installation
+* rules that are not able to be checked automatically nor remediated
+* rules without automated remediation
+
+## YaST and Security Policies
+
+The YaST installer supports security policies. At this moment, the installer only offers the DISA
+STIG policy, although more policies are expected to be added.
+
+There are two ways for enabling a security policy in YaST: in the Installation Summary dialog at
+the end of the installation or by using the `YAST_SECURITY_POLICY` boot parameter. A policy can also
+be enabled in the AutoYaST profile.
+
+The Installation Summary has a Security Policies section that shows the policies and reports the
+failing rules for the enabled policy. The policy is also checked by some YaST clients. For
+example, the Guided Partitioning and the Expert Partitioner show the failing rules related to the
+storage configuration. A warning is shown if you proceed with the installation and there still are
+failing rules.
+
+In the Security Policies section, some rules offer a link to easily remediate the issue. For others
+rules, the link will go to the proper installation client (e.g., the Storage Proposal) where the
+user is expected to manually fix the security problem.
+
+## DISA STIG Checks
+
+The YaST installer only checks a subset of the rules defined by a security policy. YaST is mainly
+focused on such rules that need to be applied during the installation. For example, for DISA STIG
+the following rules should be checked:
+
+* [SLES-15-010330](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_encrypt_partitions]) All file systems are encrypted ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2022-06-06/finding/V-234831)).
+* [SLES-15-040200](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_partition_for_home) The system has a separate mount point for */home* ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2021-03-04/finding/V-235004)).
+* [SLES-15-040210](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_partition_for_var) The system has a separate mount point for */var* ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2021-06-14/finding/V-235005)).
+* [SLES-15-040210](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_partition_for_var_log_audit) The system has a separate file system for */var/log/audit* ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2022-06-06/finding/V-234980)).
+* [SLES-15-030660](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition) The file system /var/log/audit has enough capacity for audit records ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2022-06-06/finding/V-234965)).
+* [SLES-15-010200](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_group_uefi) A bootloader password (for grub2) is configured (UEFI) ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2021-11-30/finding/V-234820)).
+* [SLES-15-010190](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_group_non-uefi) A bootloader password (for grub2) is configured (BIOS) ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2022-02-11/finding/V-234819)).
+
+Apart from the rules above, YaST also checks these other rules at installation time:
+
+* [SLES-15-010220](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_service_firewalld_enabled) Firewalld is enabled ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2021-11-30/finding/V-234821)).
+* [SLES-15-010380](http://static.open-scap.org/ssg-guides/ssg-sle15-guide-stig.html#xccdf_org.ssgproject.content_rule_wireless_disable_interfaces) Wireless Network Interfaces are deactivated ([stigviewer](https://www.stigviewer.com/stig/suse_linux_enterprise_server_15/2021-11-30/finding/V-234847)).
+
+
+## YaST API
+
+This section describes some implementation details of the security policies in YaST.
+
+Everything related to security policies is defined under the `Y2Security::SecurityPolicies`
+name space. Each policy is defined by its own class, for example
+`Y2Security::SecurityPolicies::DisaStigPolicy`. The policy classes provide a `#failing_rules` method
+which checks the policy rules and reports the failing rules. The rules are represented by instances
+of a subclass of `Y2Security::SecurityPolicies::Rule`. Some rules are fixable, that is, they offer
+a method for automatically fix the issue.
+
+The security policies are managed by the singleton class `Y2Security::SecurityPolicies::Manager`.
+That class provides an API for enabling and disabling policies and for getting the failing rules
+from all the enabled policies. YaST clients (e.g., `Y2Security::Clients::SecurityPolicyProposal`)
+use the policies manager to interact with the policies. In *yast-storage-ng*, the Guided Setup and
+the Expert Partitoner also use the manager to get the failing rules related to the storage
+configuration. The configuration to check by the policies can be configured with a
+`Y2Security::SecurityPolicies::TargetConfig` object.
+
+~~~ruby
+#                 Manager
+#                   |
+#          _ _ _ _ _ _ _ _ _ _
+#         |                   |
+#         |                   |
+#      Policy A            Policy B
+#         |
+#      _ _ _ _ _ _ _ _
+#     |               |
+#   rule1           rule2
+
+require "y2security/security_policies"
+
+manager = Y2Security::SecurityPolicies::Manager.instance
+
+config = Y2Security::SecurityPolicies::TargetConfig.new
+
+failing_rules = manager.failing_rules(config, scope: :network)
+failing_rules.first.fixable?  #=> true
+failing_rules.first.fix
+
+policy = manager.find_policy(:disa_stig)
+policy.rules.each(&:disable)
+~~~

package/yast2-security.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov  8 17:40:12 UTC 2022 - Imobach Gonzalez Sosa <igonzalezsosa@suse.com>
+
+- Add support for DISA STIG security policy validation
+  (jsc#SLE-24764).
+- Disable the ssg-apply service if the selected SCAP action is
+  "do nothing" (related to jsc#SLE-24764).
+- 4.5.3
+
 -------------------------------------------------------------------
 Wed Nov  2 15:46:44 UTC 2022 - Martin Vidner <mvidner@suse.com>
 

package/yast2-security.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2-security
-Version:        4.5.2
+Version:        4.5.3
 Release:        0
 Group:          System/YaST
 License:        GPL-2.0-only
@@ -43,6 +43,8 @@ BuildRequires:  yast2 >= 4.4.47
 BuildRequires:  augeas-lenses
 # Y2Storage::StorageManager
 BuildRequires:  yast2-storage-ng
+# Yast::Lan and Y2Network
+BuildRequires:  yast2-network
 # Unfortunately we cannot move this to macros.yast,
 # bcond within macros are ignored by osc/OBS.
 %bcond_with yast_run_ci_tests
@@ -63,6 +65,8 @@ Requires:       yast2-bootloader
 Requires:       augeas-lenses
 # Y2Storage::StorageManager
 Requires:       yast2-storage-ng
+# Yast::Lan and Y2Network
+Requires:       yast2-network
 
 Provides:       y2c_sec yast2-config-security
 Provides:       yast2-trans-security y2t_sec

src/autoyast-rnc/security.rnc

@@ -46,6 +46,13 @@ runlevel3_mandatory_services = element runlevel3_mandatory_services { STRING }
 runlevel5_extra_services = element runlevel5_extra_services { STRING }
 runlevel5_mandatory_services = element runlevel5_mandatory_services { STRING }
 smtpd_listen_remote = element smtpd_listen_remote { STRING }
+security_policy = element security_policy {
+    MAP,
+    (
+      element policy { STRING } &
+      element action { "none" | "scan" | "remediate" }?
+    )
+}
 syslog_on_no_error = element syslog_on_no_error { STRING }
 system_gid_max = element system_gid_max { STRING }
 system_gid_min = element system_gid_min { STRING }
@@ -104,6 +111,7 @@ y2_security =
   | runlevel3_mandatory_services
   | runlevel5_extra_services
   | runlevel5_mandatory_services
+  | security_policy
   | smtpd_listen_remote
   | syslog_on_no_error
   | system_gid_max

src/clients/security_policy_proposal.rb

@@ -0,0 +1,22 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "y2security/clients/security_policy_proposal"
+
+Y2Security::Clients::SecurityPolicyProposal.new.run

src/lib/cfa/ssg_apply.rb

@@ -0,0 +1,98 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+require "cfa/base_model"
+require "yast2/target_file"
+
+module CFA
+  # CFA-based class to handle the ssg-apply configuration file
+  #
+  # @example Writing the base configuration
+  #   file = SsgApply.new
+  #   file.profile = "disa_stig"
+  #   file.remedy = "yes"
+  #   file.save
+  class SsgApply < BaseModel
+    extend Yast::Logger
+    include Yast::Logger
+
+    # Original configuration file
+    DEFAULT_PATH = "/etc/ssg-apply/default.conf".freeze
+
+    # Configuration file used for customizing the ssg-apply configuration
+    OVERRIDE_PATH = "/etc/ssg-apply/override.conf".freeze
+    LENS = "simplevars.lns".freeze
+    private_constant :DEFAULT_PATH, :OVERRIDE_PATH, :LENS
+
+    attributes(profile: "profile", remediate: "remediate")
+
+    class << self
+      # Loads a file
+      #
+      # @param file_handler [#read,#write] an object able to read/write a string (like File)
+      # @param file_path    [String] File path
+      # @return [SsgApply] File with the already loaded content
+      def load(file_handler: Yast::TargetFile, file_path: OVERRIDE_PATH)
+        file = new(file_handler: file_handler, file_path: file_path)
+        file.load
+        file
+      rescue Errno::ENOENT
+        log.info("#{file_path} couldn't be loaded. Probably the file does not exist yet.")
+
+        file
+      end
+
+      # Returns the default file path
+      #
+      # @return [String]
+      def default_file_path
+        DEFAULT_PATH
+      end
+
+      # Returns the path of the file to customize the ssg-apply configuration
+      #
+      # @return [String]
+      def override_file_path
+        OVERRIDE_PATH
+      end
+    end
+
+    # @param file_handler [#read,#write] an object able to read/write a string (like File)
+    # @param file_path    [String] File path
+    def initialize(file_handler: Yast::TargetFile, file_path: OVERRIDE_PATH)
+      super(AugeasParser.new(LENS), file_path, file_handler: file_handler)
+    end
+
+    # Removes empty values before saving, otherwise the lens complains
+    def save
+      matcher = CFA::Matcher.new { |_, v| v.strip.empty? }
+      empty_elements = data.select(matcher).map { |e| e[:key] }
+      empty_elements.each { |e| data.delete(e) }
+      super
+    end
+
+    # Determines whether the file is empty
+    #
+    # @return [Boolean] true if it is empty; false otherwise
+    def empty?
+      data.data.empty?
+    end
+  end
+end

src/lib/y2security/autoinst/lsm_config_reader.rb

@@ -18,7 +18,6 @@
 # find current contact information at www.suse.com.
 
 require "y2security/lsm/config"
-require "y2security/autoinst_profile/security_section"
 
 module Y2Security
   module Autoinst

src/lib/y2security/autoinst_profile.rb

@@ -18,3 +18,4 @@
 # find current contact information at www.suse.com.
 
 require "y2security/autoinst_profile/security_section"
+require "y2security/autoinst_profile/security_policy_section"

src/lib/y2security/autoinst_profile/security_policy_section.rb

@@ -0,0 +1,47 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "installation/autoinst_profile/section_with_attributes"
+
+module Y2Security
+  module AutoinstProfile
+    # This class represents the <security_policy> section of an AutoYaST profile
+    #
+    # @example Enabling DISA STIG except one of the rules
+    #   <security_policy>
+    #     <action>none</action>
+    #     <name>stig</name>
+    #   </security_policy>
+    class SecurityPolicySection < ::Installation::AutoinstProfile::SectionWithAttributes
+      def self.attributes
+        [
+          { name: :action },
+          { name: :policy }
+        ]
+      end
+
+      define_attr_accessors
+
+      # @!attribute action
+      #   @return [String,nil] SCAP action to apply on first boot ("none", "scan" or "remediate")
+      # @!attribute policy
+      #   @return [String,nil] Enabled policy
+    end
+  end
+end