From b6fbe05a3c7309ce3d50587cf0eb9926b1348812 Mon Sep 17 00:00:00 2001 From: anolis-bot Date: Wed, 22 Feb 2023 02:43:35 +0800 Subject: [PATCH 1/2] update to scap-security-guide-0.1.66-2.el8_7 Signed-off-by: anolis-bot --- disable-not-in-good-shape-profiles.patch | 16 +- dist | 2 +- download | 2 +- ...cept_sudoers_wihout_includes-PR_9283.patch | 92 - ...ue_compliance_kptr_rp_filter-PR_9286.patch | 238 - ..._rule_sysctl_ipv4_forwarding-PR_9277.patch | 180 - ...on_platform_to_relevant_rules-PR_9324.path | 98 - ...dd_platform_partition_exists-PR_9204.patch | 161 - ...e-0.1.64-aide_check_rsyslogd-PR_9282.patch | 102 - ...4-authselect_minimal_in_ospp-PR_9298.patch | 68 - ...nsible_partition_conditional-PR_9339.patch | 26 - ....64-readd-sshd_timeout-rules-PR_9318.patch | 94 - ...elect_grub2_disable_recovery-PR_9231.patch | 75 - ...64-update-rhel8-stig-to-v1r7-PR_9276.patch | 4477 ----------------- ...e_with_multivalue_compliance-PR_9147.patch | 801 --- ...-0.1.65-supports_anolis_os_8-PR_9770.patch | 2957 ----------- ...lld_sshd_port_enabled_tests-PR_10162.patch | 106 + ...de-0.1.67-pwhistory_control-PR_10175.patch | 122 + ...ssion_timeout_from_profiles-PR_10202.patch | 147 + ..._files_permissions_template-PR_10139.patch | 3148 ++++++++++++ ...log_files_rules_remediations-PR_9789.patch | 1950 +++++++ scap-security-guide.spec | 124 +- 22 files changed, 5536 insertions(+), 9450 deletions(-) delete mode 100644 scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch delete mode 100644 scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch delete mode 100644 scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch delete mode 100644 scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path delete mode 100644 scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch delete mode 100644 scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch delete mode 100644 scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch delete mode 100644 scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch delete mode 100644 scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch delete mode 100644 scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch delete mode 100644 scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch delete mode 100644 scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch delete mode 100644 scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch create mode 100644 scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch create mode 100644 scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch create mode 100644 scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch create mode 100644 scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch create mode 100644 scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch diff --git a/disable-not-in-good-shape-profiles.patch b/disable-not-in-good-shape-profiles.patch index 047c3fd..f883e6a 100644 --- a/disable-not-in-good-shape-profiles.patch +++ b/disable-not-in-good-shape-profiles.patch @@ -1,12 +1,12 @@ -From eaa73e6d6e3de62e9ed895de7b4b1f2f1c1280ca Mon Sep 17 00:00:00 2001 +From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001 From: Watson Sato -Date: Tue, 9 Aug 2022 10:04:01 +0200 -Subject: [PATCH 1/8] Disable profiles not in a good shape +Date: Mon, 6 Feb 2023 14:44:17 +0100 +Subject: [PATCH] Disable profiles not in good shape Patch-name: disable-not-in-good-shape-profiles.patch -Patch-status: |- - Disable profiles that are not in good shape for products/rhel8 Patch-id: 0 +Patch-status: | + Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream --- products/rhel8/CMakeLists.txt | 1 - products/rhel8/profiles/cjis.profile | 2 +- @@ -27,7 +27,7 @@ index 9c044b68ab..8f6ca03de8 100644 ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi") diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile -index 30843b692e..18394802b9 100644 +index 22ae5aac72..f60b65bc06 100644 --- a/products/rhel8/profiles/cjis.profile +++ b/products/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -37,7 +37,7 @@ index 30843b692e..18394802b9 100644 metadata: version: 5.4 diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile -index e8e7e3a72f..d293c779bb 100644 +index b192461f95..ae1e7d5a15 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -57,5 +57,5 @@ index a63ae2cf32..da669bb843 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.37.1 +2.39.1 diff --git a/dist b/dist index 0ee7539..535c690 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_6 +an8_7 diff --git a/download b/download index 6576254..2e0cca5 100644 --- a/download +++ b/download @@ -1,2 +1,2 @@ -c9923cb0a1865045fb5bbba5f0581c15 scap-security-guide-0.1.63.tar.bz2 219c992603514558e5f6f3d29adaa534 scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 +17c756c568a7faf09831027c76764f1d scap-security-guide-0.1.66.tar.bz2 diff --git a/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch b/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch deleted file mode 100644 index fee7c4d..0000000 --- a/scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 07261c69afcdc5f9afcdd5aefc2ee9510d705f37 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Wed, 3 Aug 2022 13:08:25 +0200 -Subject: [PATCH 6/8] Merge pull request #9283 from - yuumasato/accept_sudoers_without_includes - -Patch-name: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch -Patch-status: Accept sudoers files without includes as compliant ---- - .../oval/shared.xml | 24 +++++++++++++++---- - .../sudo/sudoers_default_includedir/rule.yml | 8 ++++--- - ...cludedir.fail.sh => no_includedir.pass.sh} | 2 +- - 3 files changed, 26 insertions(+), 8 deletions(-) - rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%) - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -index 59cab0b89d..82095acc6e 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml -@@ -1,10 +1,16 @@ - - - {{{ oval_metadata("Check if sudo includes only the default includedir") }}} -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -32,6 +38,16 @@ - 1 - - -+ -+ -+ -+ -+ /etc/sudoers -+ ^#includedir[\s]+.*$ -+ 1 -+ -+ - - -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -index aa2aaee19f..83bfb0183b 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml -@@ -8,9 +8,11 @@ description: |- - Administrators can configure authorized sudo users via drop-in files, and it is possible to include - other directories and configuration files from the file currently being parsed. - -- Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. -- The /etc/sudoers should contain only one #includedir directive pointing to -- /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. -+ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, -+ or that no drop-in file is included. -+ Either the /etc/sudoers should contain only one #includedir directive pointing to -+ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; -+ Or the /etc/sudoers should not contain any #include or #includedir directives. - Note that the '#' character doesn't denote a comment in the configuration file. - - rationale: |- -diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -similarity index 51% -rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh -rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -index 1e0ab8aea9..fe73cb2507 100644 ---- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh -+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh -@@ -1,4 +1,4 @@ - #!/bin/bash - # platform = multi_platform_all - --sed -i "/#includedir.*/d" /etc/sudoers -+sed -i "/#include(dir)?.*/d" /etc/sudoers --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch b/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch deleted file mode 100644 index 8b32f40..0000000 --- a/scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch +++ /dev/null @@ -1,238 +0,0 @@ -From b4f98a72871d3f8f277e3357eed843b041a248a3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Thu, 4 Aug 2022 14:20:20 +0200 -Subject: [PATCH 7/8] Merge pull request #9286 from - yuumasato/update_sysctl_rules_with_new_compliant_values - -Update few sysctl rules to accept multiple compliant values - -Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch -Patch-status: Update few sysctl rules to accept multiple compliant values ---- - .../rule.yml | 35 +++++++++++++++++-- - .../tests/value_1.pass.sh | 11 ++++++ - .../tests/value_2.pass.sh | 11 ++++++ - ...sctl_net_ipv4_conf_all_rp_filter_value.var | 2 +- - .../sysctl_kernel_kptr_restrict/rule.yml | 35 ++++++++++++++++++- - .../tests/value_1.pass.sh | 11 ++++++ - .../tests/value_2.pass.sh | 11 ++++++ - .../sysctl_kernel_kptr_restrict_value.var | 1 - - ...kernel_unprivileged_bpf_disabled_value.var | 1 - - 9 files changed, 112 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index 496a8491f3..4d31c6c3eb 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -47,11 +47,36 @@ references: - stigid@rhel7: RHEL-07-040611 - stigid@rhel8: RHEL-08-040285 - --{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}} -+ocil: |- -+ The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried -+ by running the following command: -+ 
$ sysctl net.ipv4.conf.all.rp_filter
-+ The output of the command should indicate either: -+ net.ipv4.conf.all.rp_filter = 1 -+ or: -+ net.ipv4.conf.all.rp_filter = 2 -+ The output of the command should not indicate: -+ net.ipv4.conf.all.rp_filter = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent sysctl parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the 
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+ 
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ net.ipv4.conf.all.rp_filter = 1 -+ or: -+ net.ipv4.conf.all.rp_filter = 2 -+ -+ Conflicting assignments are not allowed. -+ -+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0" - - fixtext: |- - Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces. -- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}} -+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}} - - srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.' - -@@ -59,4 +84,10 @@ template: - name: sysctl - vars: - sysctlvar: net.ipv4.conf.all.rp_filter -+ {{% if 'ol' in product or 'rhel' in product %}} -+ sysctlval: -+ - '1' -+ - '2' -+ wrong_sysctlval_for_testing: "0" -+ {{% endif %}} - datatype: int -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -new file mode 100644 -index 0000000000..583b70a3b9 ---- /dev/null -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf -+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w net.ipv4.conf.all.rp_filter="1" -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -new file mode 100644 -index 0000000000..ef545976dc ---- /dev/null -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf -+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w net.ipv4.conf.all.rp_filter="2" -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -index e3fc78e3f0..1eae854f6b 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var -@@ -17,5 +17,5 @@ interactive: false - - options: - default: 1 -- disabled: "0" - enabled: 1 -+ loose: 2 -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -index 1984b3c869..367934b567 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml -@@ -34,6 +34,33 @@ references: - - {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} - -+ocil: |- -+ The runtime status of the kernel.kptr_restrict kernel parameter can be queried -+ by running the following command: -+ 
$ sysctl kernel.kptr_restrict
-+ The output of the command should indicate either: -+ kernel.kptr_restrict = 1 -+ or: -+ kernel.kptr_restrict = 2 -+ The output of the command should not indicate: -+ kernel.kptr_restrict = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the 
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+ 
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ kernel.kptr_restrict = 1 -+ or: -+ kernel.kptr_restrict = 2 -+ -+ Conflicting assignments are not allowed. -+ -+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0" -+ - srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.' - - platform: machine -@@ -42,8 +69,14 @@ template: - name: sysctl - vars: - sysctlvar: kernel.kptr_restrict -+ {{% if 'ol' in product or 'rhel' in product %}} -+ sysctlval: -+ - '1' -+ - '2' -+ wrong_sysctlval_for_testing: "0" -+ {{% endif %}} - datatype: int - - fixtext: |- - Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access. -- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}} -+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}} -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -new file mode 100644 -index 0000000000..70189666c1 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf -+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.kptr_restrict="1" -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -new file mode 100644 -index 0000000000..209395fa9a ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = multi_platform_ol,multi_platform_rhel -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf -+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.kptr_restrict="2" -diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -index 452328e3ef..268550de53 100644 ---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var -@@ -12,6 +12,5 @@ interactive: false - - options: - default: 1 -- 0: 0 - 1: 1 - 2: 2 -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -index b8bf965a25..cbfd9bafa9 100644 ---- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -@@ -13,6 +13,5 @@ interactive: false - - options: - default: 2 -- 0: "0" - 1: "1" - 2: "2" --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch b/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch deleted file mode 100644 index 56eb3de..0000000 --- a/scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch +++ /dev/null @@ -1,180 +0,0 @@ -From 26ca545c89207d2ac2ba2fb68824c1c323fece79 Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Wed, 3 Aug 2022 07:44:35 -0500 -Subject: [PATCH 4/8] Merge pull request #9277 from - yuumasato/new_sysctl_ipv4_forwarding_rule - -Patch-name: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch -Patch-status: New sysctl ipv4 forwarding rule ---- - .../rule.yml | 44 +++++++++++++++++++ - ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++ - .../sysctl_net_ipv4_ip_forward/rule.yml | 1 - - products/rhel8/profiles/stig.profile | 2 +- - shared/references/cce-redhat-avail.txt | 1 - - .../data/profile_stability/rhel8/stig.profile | 4 +- - .../profile_stability/rhel8/stig_gui.profile | 2 +- - 7 files changed, 65 insertions(+), 6 deletions(-) - create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml - create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml -new file mode 100644 -index 0000000000..7b0066f7c2 ---- /dev/null -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml -@@ -0,0 +1,44 @@ -+documentation_complete: true -+ -+prodtype: rhel8 -+ -+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces' -+ -+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}' -+ -+rationale: |- -+ IP forwarding permits the kernel to forward packets from one network -+ interface to another. The ability to forward packets between two networks is -+ only appropriate for systems acting as routers. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel8: CCE-86220-1 -+ -+references: -+ disa: CCI-000366 -+ nist: CM-6(b) -+ srg: SRG-OS-000480-GPOS-00227 -+ stigid@rhel8: RHEL-08-040259 -+ -+ocil_clause: 'IP forwarding value is "1" and the system is not router' -+ -+ocil: |- -+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}} -+ The ability to forward packets is only appropriate for routers. -+ -+fixtext: |- -+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands: -+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}} -+ -+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.' -+ -+platform: machine -+ -+template: -+ name: sysctl -+ vars: -+ sysctlvar: net.ipv4.conf.all.forwarding -+ datatype: int -+ -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var -new file mode 100644 -index 0000000000..2aedd6e643 ---- /dev/null -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var -@@ -0,0 +1,17 @@ -+documentation_complete: true -+ -+title: net.ipv4.conf.all.forwarding -+ -+description: 'Toggle IPv4 Forwarding' -+ -+type: number -+ -+operator: equals -+ -+interactive: false -+ -+options: -+ default: "0" -+ disabled: "0" -+ enabled: 1 -+ -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -index 5c449db7f3..7acfc0b05b 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -@@ -45,7 +45,6 @@ references: - stigid@ol7: OL07-00-040740 - stigid@ol8: OL08-00-040260 - stigid@rhel7: RHEL-07-040740 -- stigid@rhel8: RHEL-08-040259 - stigid@sle12: SLES-12-030430 - stigid@sle15: SLES-15-040380 - -diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 4b480bd2c1..6b44436a2b 100644 ---- a/products/rhel8/profiles/stig.profile -+++ b/products/rhel8/profiles/stig.profile -@@ -1127,7 +1127,7 @@ selections: - - sysctl_net_ipv6_conf_default_accept_source_route - - # RHEL-08-040259 -- - sysctl_net_ipv4_ip_forward -+ - sysctl_net_ipv4_conf_all_forwarding - - # RHEL-08-040260 - - sysctl_net_ipv6_conf_all_forwarding -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index a613a152ae..9480db3eae 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -176,7 +176,6 @@ CCE-86216-9 - CCE-86217-7 - CCE-86218-5 - CCE-86219-3 --CCE-86220-1 - CCE-86221-9 - CCE-86222-7 - CCE-86223-5 -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 4bee72830d..47f53a9d02 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -1,7 +1,7 @@ - title: DISA STIG for Red Hat Enterprise Linux 8 - description: 'This profile contains configuration checks that align to the - -- DISA STIG for Red Hat Enterprise Linux 8 V1R7 -+ DISA STIG for Red Hat Enterprise Linux 8 V1R7. - - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes -@@ -395,13 +395,13 @@ selections: - - sysctl_net_core_bpf_jit_harden - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_all_accept_source_route -+- sysctl_net_ipv4_conf_all_forwarding - - sysctl_net_ipv4_conf_all_rp_filter - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts --- sysctl_net_ipv4_ip_forward - - sysctl_net_ipv6_conf_all_accept_ra - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_source_route -diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index ece32d06a6..c4e60ddcde 100644 ---- a/tests/data/profile_stability/rhel8/stig_gui.profile -+++ b/tests/data/profile_stability/rhel8/stig_gui.profile -@@ -405,13 +405,13 @@ selections: - - sysctl_net_core_bpf_jit_harden - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_all_accept_source_route -+- sysctl_net_ipv4_conf_all_forwarding - - sysctl_net_ipv4_conf_all_rp_filter - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts --- sysctl_net_ipv4_ip_forward - - sysctl_net_ipv6_conf_all_accept_ra - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_source_route --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path b/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path deleted file mode 100644 index df6ca5e..0000000 --- a/scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path +++ /dev/null @@ -1,98 +0,0 @@ -From 89687cb88490f24428ae553021c667303980d8f4 Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Wed, 10 Aug 2022 16:16:54 +0200 -Subject: [PATCH 12/12] Merge pull request #9324 from - matejak/applicability_var_tmp - -Patch-name: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path -Patch-status: Add the platform applicability to relevant rules ---- - .../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +- - .../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +- - .../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +- - .../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +- - .../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +- - .../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +- - 6 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -index 45a73e0286..79a19a8d30 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml -@@ -45,7 +45,7 @@ references: - stigid@ol8: OL08-00-040123 - stigid@rhel8: RHEL-08-040123 - --platform: machine -+platform: machine and partition-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -index 7356183bab..d3f6d6175e 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml -@@ -44,7 +44,7 @@ references: - stigid@ol8: OL08-00-040125 - stigid@rhel8: RHEL-08-040125 - --platform: machine -+platform: machine and partition-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -index d153b86934..10790dc95a 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml -@@ -45,7 +45,7 @@ references: - stigid@ol8: OL08-00-040124 - stigid@rhel8: RHEL-08-040124 - --platform: machine -+platform: machine and partition-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -index 133e7727ca..05992df4b4 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml -@@ -31,7 +31,7 @@ references: - nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 - nist-csf: PR.IP-1,PR.PT-3 - --platform: machine -+platform: machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -index 39fd458ec6..dc00b2f237 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml -@@ -38,7 +38,7 @@ references: - stigid@ol8: OL08-00-040134 - stigid@rhel8: RHEL-08-040134 - --platform: machine -+platform: machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -index 349f334895..f0c26b6d9c 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml -@@ -38,7 +38,7 @@ references: - stigid@ol8: OL08-00-040133 - stigid@rhel8: RHEL-08-040133 - --platform: machine -+platform: machine and partition-var-tmp - - template: - name: mount_option --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch b/scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch deleted file mode 100644 index 5c50f9c..0000000 --- a/scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch +++ /dev/null @@ -1,161 +0,0 @@ -From c4ce06ce707529c14376ca8bb6e2b03f072e81fd Mon Sep 17 00:00:00 2001 -From: Evgeny Kolesnikov -Date: Wed, 10 Aug 2022 13:20:29 +0200 -Subject: [PATCH 11/12] Merge pull request #9204 from - matejak/applicability_var_tmp - -Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch -Patch-status: Introduce and apply the "partition exists" platform ---- - .../mount_option_var_tmp_nodev/rule.yml | 3 ++- - .../tests/notapplicable.pass.sh | 5 +++++ - shared/applicability/general.yml | 14 +++++++++++++ - .../checks/oval/installed_env_mounts_tmp.xml | 10 ++++++++++ - .../oval/installed_env_mounts_var_tmp.xml | 10 ++++++++++ - shared/macros/10-ansible.jinja | 5 +++++ - shared/macros/10-bash.jinja | 5 +++++ - shared/macros/10-oval.jinja | 20 +++++++++++++++++++ - 8 files changed, 71 insertions(+), 1 deletion(-) - create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh - create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml - create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml - -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -index 8ee8c8b12e..741d097328 100644 ---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml -@@ -38,7 +38,8 @@ references: - stigid@ol8: OL08-00-040132 - stigid@rhel8: RHEL-08-040132 - --platform: machine -+platforms: -+ - machine and partition-var-tmp - - template: - name: mount_option -diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh -new file mode 100644 -index 0000000000..241c0103d8 ---- /dev/null -+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+ -+. $SHARED/partition.sh -+ -+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it -diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml -index 2d23d75314..e2f5d04ce0 100644 ---- a/shared/applicability/general.yml -+++ b/shared/applicability/general.yml -@@ -77,6 +77,20 @@ cpes: - bash_conditional: {{{ bash_pkg_conditional("pam") }}} - ansible_conditional: {{{ ansible_pkg_conditional("pam") }}} - -+ - partition-var-tmp: -+ name: "cpe:/a:partition-var-tmp" -+ title: "There is a /var/tmp partition" -+ check_id: installed_env_mounts_var_tmp -+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}} -+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}} -+ -+ - partition-tmp: -+ name: "cpe:/a:partition-tmp" -+ title: "There is a /tmp partition" -+ check_id: installed_env_mounts_tmp -+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}} -+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}} -+ - - polkit: - name: "cpe:/a:polkit" - title: "Package polkit is installed" -diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml -new file mode 100644 -index 0000000000..edd8ad050f ---- /dev/null -+++ b/shared/checks/oval/installed_env_mounts_tmp.xml -@@ -0,0 +1,10 @@ -+ -+ -+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}} -+ -+ {{{ partition_exists_criterion("/tmp") }}} -+ -+ -+ -+ {{{ partition_exists_test_object("/tmp") }}} -+ -diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml -new file mode 100644 -index 0000000000..cf9aafbdb0 ---- /dev/null -+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml -@@ -0,0 +1,10 @@ -+ -+ -+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}} -+ -+ {{{ partition_exists_criterion("/var/tmp") }}} -+ -+ -+ -+ {{{ partition_exists_test_object("/var/tmp") }}} -+ -diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index 20dc2020e4..5e40fe4aa2 100644 ---- a/shared/macros/10-ansible.jinja -+++ b/shared/macros/10-ansible.jinja -@@ -1432,3 +1432,8 @@ Part of the grub2_bootloader_argument_absent template. - when: - - result_pam_file_present.stat.exists - {{%- endmacro -%}} -+ -+ -+{{%- macro ansible_partition_conditional(path) -%}} -+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" -+{{%- endmacro -%}} -diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja -index 41d9e18a1e..b0f7f3cf4a 100644 ---- a/shared/macros/10-bash.jinja -+++ b/shared/macros/10-bash.jinja -@@ -2073,3 +2073,8 @@ else - echo "{{{ pam_file }}} was not found" >&2 - fi - {{%- endmacro -%}} -+ -+ -+{{%- macro bash_partition_conditional(path) -%}} -+'findmnt --mountpoint "{{{ path }}}" > /dev/null' -+{{%- endmacro -%}} -diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja -index c8d7bbeffb..f302091f7d 100644 ---- a/shared/macros/10-oval.jinja -+++ b/shared/macros/10-oval.jinja -@@ -926,3 +926,23 @@ Generates the :code:`` tag for OVAL check using correct product platfo - {{%- else %}} - {{%- set user_list="nobody" %}} - {{%- endif %}} -+ -+ -+{{%- macro partition_exists_criterion(path) %}} -+{{%- set escaped_path = path | escape_id %}} -+ -+{{%- endmacro %}} -+ -+{{%- macro partition_exists_test_object(path) %}} -+{{%- set escaped_path = path | escape_id %}} -+ -+ -+ -+ -+ -+ {{{ path }}} -+ -+{{%- endmacro %}} --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch b/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch deleted file mode 100644 index e937bbc..0000000 --- a/scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 04459c1b82cc495af2bfcaac301a3805ec0addf6 Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Wed, 3 Aug 2022 07:42:59 -0500 -Subject: [PATCH 5/8] Merge pull request #9282 from - yuumasato/rhel_align_aide_check_tools - -Patch-name: scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch -Patch-status: Add rsyslogd to the list of tools checked by aide ---- - .../aide/aide_check_audit_tools/ansible/shared.yml | 1 + - .../aide/aide_check_audit_tools/bash/shared.sh | 3 +-- - .../aide/aide_check_audit_tools/oval/shared.xml | 2 +- - .../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +- - .../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +- - .../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +- - 6 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml -index 9d1b7b675c..5905ea8d0e 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml -@@ -22,6 +22,7 @@ - - /usr/sbin/aureport - - /usr/sbin/ausearch - - /usr/sbin/autrace -+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}} - - - name: Ensure existing AIDE configuration for audit tools are correct - lineinfile: -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh -index d0a1ba2522..a81e25c395 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh -@@ -18,12 +18,11 @@ - {{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}} - {{% endif %}} - --{{% if product == 'ol8' %}} -+{{% if product == 'ol8' or 'rhel' in product %}} - {{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}} - {{% endif %}} - - {{% for file in auditfiles %}} -- - if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then - sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}} - else -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml -index 6ce56c1137..ca9bf4f94d 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml -@@ -11,7 +11,7 @@ - {{% if 'rhel' not in product and product != 'ol8' %}} - - {{% endif %}} -- {{% if product == 'ol8' %}} -+ {{% if product == 'ol8' or 'rhel' in product %}} - - {{% endif %}} - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh -index 756b88d8a2..071dde1329 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh -@@ -7,7 +7,7 @@ aide --init - - - declare -a bins --bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace') -+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') - - for theFile in "${bins[@]}" - do -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh -index f3a2a126d3..cb9bbfa735 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh -@@ -4,7 +4,7 @@ - yum -y install aide - - declare -a bins --bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace') -+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') - - for theFile in "${bins[@]}" - do -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh -index 4315cef207..a22aecb000 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh -@@ -6,7 +6,7 @@ yum -y install aide - aide --init - - declare -a bins --bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace') -+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') - - for theFile in "${bins[@]}" - do --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch b/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch deleted file mode 100644 index aa184fd..0000000 --- a/scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch +++ /dev/null @@ -1,68 +0,0 @@ -From f802557b2a84b830a8a8742b535a5602925e438d Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Mon, 8 Aug 2022 15:28:37 +0200 -Subject: [PATCH 09/10] Merge pull request #9298 from vojtapolasek/rhbz2114979 - -Patch-name: scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch -Patch-status: Make OSPP profiles use minimal Authselect profile ---- - linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 + - products/rhel8/profiles/ospp.profile | 2 +- - products/rhel9/profiles/ospp.profile | 2 +- - tests/data/profile_stability/rhel8/ospp.profile | 2 +- - 4 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml -index 8d1758e8c9..3edb3642df 100644 ---- a/linux_os/guide/system/accounts/enable_authselect/rule.yml -+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml -@@ -34,6 +34,7 @@ references: - disa: CCI-000213 - hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth - nist: AC-3 -+ ospp: FIA_UAU.1,FIA_AFL.1 - srg: SRG-OS-000480-GPOS-00227 - - ocil: |- -diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index 39ad1797c7..ebec8a3a6f 100644 ---- a/products/rhel8/profiles/ospp.profile -+++ b/products/rhel8/profiles/ospp.profile -@@ -220,7 +220,7 @@ selections: - - var_accounts_max_concurrent_login_sessions=10 - - accounts_max_concurrent_login_sessions - - securetty_root_login_console_only -- - var_authselect_profile=sssd -+ - var_authselect_profile=minimal - - enable_authselect - - var_password_pam_unix_remember=5 - - accounts_password_pam_unix_remember -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index f27f961a7a..b21ddcee6d 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -115,7 +115,7 @@ selections: - - coredump_disable_storage - - coredump_disable_backtraces - - service_systemd-coredump_disabled -- - var_authselect_profile=sssd -+ - var_authselect_profile=minimal - - enable_authselect - - use_pam_wheel_for_su - -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 5d73a8c6fe..21e93e310d 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -242,7 +242,7 @@ selections: - - var_slub_debug_options=P - - var_auditd_flush=incremental_async - - var_accounts_max_concurrent_login_sessions=10 --- var_authselect_profile=sssd -+- var_authselect_profile=minimal - - var_password_pam_unix_remember=5 - - var_selinux_state=enforcing - - var_selinux_policy_name=targeted --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch b/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch deleted file mode 100644 index bf1757f..0000000 --- a/scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 7db8ad5f312b632d6b8a176b615929ffa5cb1de3 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Mon, 15 Aug 2022 14:47:40 +0200 -Subject: [PATCH 13/13] Merge pull request #9339 from - yuumasato/fix_ansible_partition_conditionals - -Patch-name: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch -Patch-status: Fix ansible partition conditionals ---- - shared/macros/10-ansible.jinja | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja -index 5e40fe4aa2..55a78c3a8b 100644 ---- a/shared/macros/10-ansible.jinja -+++ b/shared/macros/10-ansible.jinja -@@ -1435,5 +1435,5 @@ Part of the grub2_bootloader_argument_absent template. - - - {{%- macro ansible_partition_conditional(path) -%}} --"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1" -+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list' - {{%- endmacro -%}} --- -2.37.2 - diff --git a/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch b/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch deleted file mode 100644 index 5bc5ac5..0000000 --- a/scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 44bcccbe3a3b00ef1151089b0faacf82770bdc98 Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Tue, 9 Aug 2022 13:09:07 -0500 -Subject: [PATCH 8/8] Merge pull request #9318 from - ggbecker/reintroduce-sshd-timeout - -Patch-name: scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch -Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile ---- - .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 + - .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 + - products/rhel8/profiles/stig.profile | 14 +++++++------- - tests/data/profile_stability/rhel8/stig.profile | 2 ++ - .../data/profile_stability/rhel8/stig_gui.profile | 2 ++ - 5 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -index 46ea0558a4..1e9c617275 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml -@@ -57,6 +57,7 @@ references: - stigid@ol7: OL07-00-040320 - stigid@ol8: OL08-00-010201 - stigid@rhel7: RHEL-07-040320 -+ stigid@rhel8: RHEL-08-010201 - stigid@sle12: SLES-12-030190 - stigid@sle15: SLES-15-010280 - stigid@ubuntu2004: UBTU-20-010037 -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -index 0f0693ddc6..f6e98a61d9 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml -@@ -53,6 +53,7 @@ references: - stigid@ol7: OL07-00-040340 - stigid@ol8: OL08-00-010200 - stigid@rhel7: RHEL-07-040340 -+ stigid@rhel8: RHEL-08-010200 - stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 - vmmsrg: SRG-OS-000480-VMM-002000 -diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 6b44436a2b..124b7520d3 100644 ---- a/products/rhel8/profiles/stig.profile -+++ b/products/rhel8/profiles/stig.profile -@@ -170,13 +170,13 @@ selections: - # RHEL-08-010190 - - dir_perms_world_writable_sticky_bits - -- # These two items don't behave as they used to in RHEL8.6 and RHEL9 -- # anymore. They will be disabled for now until an alternative -- # solution is found. -- # # RHEL-08-010200 -- # - sshd_set_keepalive_0 -- # # RHEL-08-010201 -- # - sshd_set_idle_timeout -+ # Although these rules have a different behavior in RHEL>=8.6 -+ # they still need to be selected so it follows exactly what STIG -+ # states. -+ # RHEL-08-010200 -+ - sshd_set_keepalive_0 -+ # RHEL-08-010201 -+ - sshd_set_idle_timeout - - # RHEL-08-010210 - - file_permissions_var_log_messages -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 47f53a9d02..6c75d0ae1b 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -369,6 +369,8 @@ selections: - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_rekey_limit -+- sshd_set_idle_timeout -+- sshd_set_keepalive_0 - - sshd_use_strong_rng - - sshd_x11_use_localhost - - sssd_certificate_verification -diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index c4e60ddcde..8a7a469b94 100644 ---- a/tests/data/profile_stability/rhel8/stig_gui.profile -+++ b/tests/data/profile_stability/rhel8/stig_gui.profile -@@ -379,6 +379,8 @@ selections: - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_rekey_limit -+- sshd_set_idle_timeout -+- sshd_set_keepalive_0 - - sshd_use_strong_rng - - sshd_x11_use_localhost - - sssd_certificate_verification --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch b/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch deleted file mode 100644 index e0da12e..0000000 --- a/scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 8d36cef25fc9d890f7ec9756246513a92110b3db Mon Sep 17 00:00:00 2001 -From: Watson Yuuma Sato -Date: Wed, 10 Aug 2022 10:53:26 +0200 -Subject: [PATCH 10/10] Merge pull request #9321 from - vojtapolasek/fix_rhel8_iboot - -Patch-name: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch -Patch-status: change rules protecting boot in RHEL8 OSPP ---- - .../bootloader-grub2/grub2_disable_recovery/rule.yml | 1 + - products/rhel8/profiles/ospp.profile | 2 +- - shared/references/cce-redhat-avail.txt | 11 ----------- - tests/data/profile_stability/rhel8/ospp.profile | 2 +- - 4 files changed, 3 insertions(+), 13 deletions(-) - -diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml -index 4f8d4ddcfd..fb126cbe7d 100644 ---- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml -@@ -17,6 +17,7 @@ rationale: |- - severity: medium - - identifiers: -+ cce@rhel8: CCE-86006-4 - cce@rhel9: CCE-85986-8 - - references: -diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile -index ebec8a3a6f..6e3b30f64b 100644 ---- a/products/rhel8/profiles/ospp.profile -+++ b/products/rhel8/profiles/ospp.profile -@@ -304,7 +304,7 @@ selections: - ## Disable Unauthenticated Login (such as Guest Accounts) - ## FIA_UAU.1 - - require_singleuser_auth -- - grub2_disable_interactive_boot -+ - grub2_disable_recovery - - grub2_uefi_password - - no_empty_passwords - -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 9480db3eae..903fc848eb 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1,14 +1,3 @@ --CCE-85985-0 --CCE-85988-4 --CCE-85997-5 --CCE-85998-3 --CCE-85999-1 --CCE-86000-7 --CCE-86001-5 --CCE-86002-3 --CCE-86003-1 --CCE-86005-6 --CCE-86006-4 - CCE-86007-2 - CCE-86008-0 - CCE-86009-8 -diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile -index 21e93e310d..267b66a4f8 100644 ---- a/tests/data/profile_stability/rhel8/ospp.profile -+++ b/tests/data/profile_stability/rhel8/ospp.profile -@@ -89,7 +89,7 @@ selections: - - ensure_redhat_gpgkey_installed - - grub2_audit_argument - - grub2_audit_backlog_limit_argument --- grub2_disable_interactive_boot -+- grub2_disable_recovery - - grub2_kernel_trust_cpu_rng - - grub2_page_poison_argument - - grub2_pti_argument --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch b/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch deleted file mode 100644 index 9abae1d..0000000 --- a/scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch +++ /dev/null @@ -1,4477 +0,0 @@ -From 80088c6b60990dee44d45e59f0cfde7567b4702e Mon Sep 17 00:00:00 2001 -From: Matthew Burket -Date: Mon, 1 Aug 2022 11:12:56 -0500 -Subject: [PATCH 2/8] Merge pull request #9276 from - yuumasato/update-rhel8-stig-to-v1r7 - -Patch-name: scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch -Patch-status: Update RHEL8 STIG to V1R7 ---- - products/rhel8/profiles/stig.profile | 4 +- - products/rhel8/profiles/stig_gui.profile | 4 +- - ...ml => disa-stig-rhel8-v1r6-xccdf-scap.xml} | 945 ++++++++++-------- - ... => disa-stig-rhel8-v1r7-xccdf-manual.xml} | 437 ++++---- - .../data/profile_stability/rhel8/stig.profile | 4 +- - .../profile_stability/rhel8/stig_gui.profile | 4 +- - 6 files changed, 780 insertions(+), 618 deletions(-) - rename shared/references/{disa-stig-rhel8-v1r5-xccdf-scap.xml => disa-stig-rhel8-v1r6-xccdf-scap.xml} (96%) - rename shared/references/{disa-stig-rhel8-v1r6-xccdf-manual.xml => disa-stig-rhel8-v1r7-xccdf-manual.xml} (96%) - -diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile -index 7adbfee555..4b480bd2c1 100644 ---- a/products/rhel8/profiles/stig.profile -+++ b/products/rhel8/profiles/stig.profile -@@ -1,7 +1,7 @@ - documentation_complete: true - - metadata: -- version: V1R6 -+ version: V1R7 - SMEs: - - mab879 - - ggbecker -@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' - - description: |- - This profile contains configuration checks that align to the -- DISA STIG for Red Hat Enterprise Linux 8 V1R6. -+ DISA STIG for Red Hat Enterprise Linux 8 V1R7. - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile -index 665bc1e059..fa8bc724a5 100644 ---- a/products/rhel8/profiles/stig_gui.profile -+++ b/products/rhel8/profiles/stig_gui.profile -@@ -1,7 +1,7 @@ - documentation_complete: true - - metadata: -- version: V1R6 -+ version: V1R7 - SMEs: - - mab879 - - ggbecker -@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' - - description: |- - This profile contains configuration checks that align to the -- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. -+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this - configuration baseline as applicable to the operating system tier of -diff --git a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -similarity index 96% -rename from shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml -rename to shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -index 1bd2fb7b65..e87b16eb37 100644 ---- a/shared/references/disa-stig-rhel8-v1r5-xccdf-scap.xml -+++ b/shared/references/disa-stig-rhel8-v1r6-xccdf-scap.xml -@@ -1,36 +1,36 @@ - -- -- -+ -+ - -- -+ - -- -+ - - - - -- -+ - -- -+ - - - - -- -- -+ -+ - - -- -+ - - - Red Hat Enterprise Linux 8 -- oval:mil.disa.stig.rhel8:def:1 -+ oval:mil.disa.stig.rhel8:def:1 - - - -- -+ - -- accepted -+ accepted - Red Hat Enterprise Linux 8 Security Technical Implementation Guide - This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. - -@@ -40,11 +40,11 @@ - DISA - STIG.DOD.MIL - -- Release: 1.5 Benchmark Date: 27 Apr 2022 -+ Release: 1.6 Benchmark Date: 27 Jul 2022 - 3.3.0.27375 - 1.10.0 - -- 001.005 -+ 001.006 - - DISA - DISA -@@ -2189,15 +2189,15 @@ - - - -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ - - -- -+ - - - -@@ -2217,7 +2217,7 @@ - - - -- -+ - - - -@@ -2237,26 +2237,26 @@ - - - -- -+ - - -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ - - - - - -- -+ - - -- -- -+ -+ - - - -@@ -2337,7 +2337,7 @@ - - - -- -+ - - - -@@ -2355,21 +2355,21 @@ - - - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -2379,9 +2379,9 @@ - - - -- -- -- -+ -+ -+ - - - SRG-OS-000480-GPOS-00227 -@@ -2403,7 +2403,7 @@ Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise L - Upgrade to a supported version of RHEL 8. - - -- -+ - - - -@@ -2439,7 +2439,7 @@ $ sudo fips-mode-setup --enable - Reboot the system for the changes to take effect. - - -- -+ - - - -@@ -2469,7 +2469,7 @@ Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_M - ENCRYPT_METHOD SHA512 - - -- -+ - - - -@@ -2493,7 +2493,7 @@ Passwords need to be protected at all times, and encryption is the standard meth - Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. - - -- -+ - - - -@@ -2521,7 +2521,7 @@ Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_ - SHA_CRYPT_MIN_ROUNDS 5000 - - -- -+ - - - -@@ -2549,7 +2549,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -2577,7 +2577,7 @@ Enter password: - Confirm password: - - -- -+ - - - -@@ -2601,7 +2601,7 @@ Confirm password: - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - - -- -+ - - - -@@ -2631,7 +2631,7 @@ Edit/modify the following line in the "/etc/pam.d/password-auth" file to include - password sufficient pam_unix.so sha512 - - -- -+ - - - -@@ -2661,7 +2661,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - Remove any files with the .keytab extension from the operating system. - - -- -+ - - - -@@ -2691,7 +2691,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - $ sudo yum remove krb5-workstation - - -- -+ - - - -@@ -2717,7 +2717,7 @@ Policycoreutils contains the policy core utilities that are required for basic o - $ sudo yum install policycoreutils - - -- -+ - - - -@@ -2753,7 +2753,7 @@ In order for the changes to take effect, the SSH daemon must be restarted. - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -2779,7 +2779,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chmod 0640 /var/log/messages - - -- -+ - - - -@@ -2805,7 +2805,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chown root /var/log/messages - - -- -+ - - - -@@ -2831,7 +2831,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chgrp root /var/log/messages - - -- -+ - - - -@@ -2857,7 +2857,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chmod 0755 /var/log - - -- -+ - - - -@@ -2883,7 +2883,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chown root /var/log - - -- -+ - - - -@@ -2909,7 +2909,7 @@ The structure and content of error messages must be carefully considered by the - $ sudo chgrp root /var/log - - -- -+ - - - -@@ -2939,7 +2939,7 @@ SSH_USE_STRONG_RNG=32 - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -2977,7 +2977,7 @@ DTLS.MinProtocol = DTLSv1.2 - A reboot is required for the changes to take effect. - - -- -+ - - - -@@ -3005,7 +3005,7 @@ Run the following command, replacing "[FILE]" with any system command with a mod - $ sudo chmod 755 [FILE] - - -- -+ - - - -@@ -3033,7 +3033,7 @@ Run the following command, replacing "[FILE]" with any system command file not o - $ sudo chown root [FILE] - - -- -+ - - - -@@ -3061,7 +3061,7 @@ Run the following command, replacing "[FILE]" with any system command file not g - $ sudo chgrp root [FILE] - - -- -+ - - - -@@ -3089,7 +3089,7 @@ Verifying the authenticity of the software prior to installation validates the i - gpgcheck=1 - - -- -+ - - - -@@ -3119,14 +3119,14 @@ Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: - localpkg_gpgcheck=True - - -- -+ - - - - - SRG-OS-000366-GPOS-00153 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010372 - RHEL 8 must prevent the loading of a new kernel for later execution. - <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. -@@ -3159,14 +3159,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000312-GPOS-00122 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010373 - RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -@@ -3203,14 +3203,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000312-GPOS-00122 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010374 - RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. - <VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -@@ -3247,14 +3247,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000138-GPOS-00069 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010375 - RHEL 8 must restrict access to the kernel message buffer. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -@@ -3291,14 +3291,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000138-GPOS-00069 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010376 - RHEL 8 must prevent kernel profiling by unprivileged users. - <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -@@ -3335,14 +3335,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010380 - RHEL 8 must require users to provide a password for privilege escalation. - <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. -@@ -3358,10 +3358,20 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - 2921 - - CCI-002038 -- Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. -- -+ Configure the operating system to require users to supply a password for privilege escalation. -+ -+Check the configuration of the "/etc/sudoers" file with the following command: -+$ sudo visudo -+ -+Remove any occurrences of "NOPASSWD" tags in the file. -+ -+Check the configuration of the /etc/sudoers.d/* files with the following command: -+$ sudo grep -ir nopasswd /etc/sudoers.d -+ -+Remove any occurrences of "NOPASSWD" tags in the file. -+ - -- -+ - - - -@@ -3387,7 +3397,7 @@ Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPO - Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. - - -- -+ - - - -@@ -3419,14 +3429,14 @@ This requirement only applies to components where this is specific to the functi - $ sudo yum install openssl-pkcs11 - - -- -+ - - - - - SRG-OS-000433-GPOS-00193 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010430 - RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. - <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. -@@ -3459,7 +3469,7 @@ Issue the following command to make the changes take effect: - $ sudo sysctl --system - - -- -+ - - - -@@ -3485,7 +3495,7 @@ Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.con - clean_requirements_on_remove=True - - -- -+ - - - -@@ -3515,7 +3525,7 @@ SELINUXTYPE=targeted - A reboot is required for the changes to take effect. - - -- -+ - - - -@@ -3539,7 +3549,7 @@ A reboot is required for the changes to take effect. - $ sudo rm /etc/ssh/shosts.equiv - - -- -+ - - - -@@ -3563,7 +3573,7 @@ $ sudo rm /etc/ssh/shosts.equiv - $ sudo rm /[path]/[to]/[file]/.shosts - - -- -+ - - - -@@ -3591,7 +3601,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3619,7 +3629,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3647,7 +3657,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3673,7 +3683,7 @@ Compression no - The SSH service must be restarted for changes to take effect. - - -- -+ - - - -@@ -3703,7 +3713,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3733,7 +3743,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3755,7 +3765,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/var" path onto a separate file system. - - -- -+ - - - -@@ -3777,7 +3787,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/var/log" path onto a separate file system. - - -- -+ - - - -@@ -3799,7 +3809,7 @@ $ sudo systemctl restart sshd.service - Migrate the system audit data path onto a separate file system. - - -- -+ - - - -@@ -3821,7 +3831,7 @@ $ sudo systemctl restart sshd.service - Migrate the "/tmp" directory onto a separate file system/partition. - - -- -+ - - - -@@ -3851,7 +3861,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -3879,7 +3889,7 @@ $ sudo systemctl start rsyslog.service - $ sudo systemctl enable rsyslog.service - - -- -+ - - - -@@ -3901,7 +3911,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory. - - -- -+ - - - -@@ -3923,7 +3933,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions. - - -- -+ - - - -@@ -3945,7 +3955,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3967,7 +3977,7 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS. - - -- -+ - - - -@@ -3989,14 +3999,14 @@ $ sudo systemctl enable rsyslog.service - Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010671 - RHEL 8 must disable the kernel.core_pattern. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -4027,7 +4037,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -4055,7 +4065,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - * hard core 0 - - -- -+ - - - -@@ -4083,7 +4093,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: - Storage=none - - -- -+ - - - -@@ -4111,7 +4121,7 @@ Add or modify the following line in /etc/systemd/coredump.conf: - ProcessSizeMax=0 - - -- -+ - - - -@@ -4135,7 +4145,7 @@ ProcessSizeMax=0 - CREATE_HOME yes - - -- -+ - - - -@@ -4165,7 +4175,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -4203,7 +4213,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4235,7 +4245,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - deny = 3 - - -- -+ - - - -@@ -4273,7 +4283,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4305,7 +4315,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - fail_interval = 900 - - -- -+ - - - -@@ -4343,7 +4353,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4375,7 +4385,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - unlock_time = 0 - - -- -+ - - - -@@ -4413,7 +4423,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4445,7 +4455,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - silent - - -- -+ - - - -@@ -4485,7 +4495,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4517,7 +4527,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - audit - - -- -+ - - - -@@ -4557,7 +4567,7 @@ The "sssd" service must be restarted for the changes to take effect. To restart - $ sudo systemctl restart sssd.service - - -- -+ - - - -@@ -4589,7 +4599,7 @@ Add/Modify the "/etc/security/faillock.conf" file to match the following line: - even_deny_root - - -- -+ - - - -@@ -4617,7 +4627,7 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con - * hard maxlogins 10 - - -- -+ - - - -@@ -4649,21 +4659,21 @@ Create a global configuration file "/etc/tmux.conf" and add the following line: - set -g lock-command vlock - - -- -+ - - - - - SRG-OS-000028-GPOS-00009 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020041 - RHEL 8 must ensure session control is automatically started at shell initialization. - <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - --Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. -+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. - - Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - -@@ -4674,18 +4684,18 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion - 2921 - - CCI-000056 -- Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -+ Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: - --If [ "$PS1" ]; then -+if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac - fi - - This setting will take effect at next logon. -- -+ - -- -+ - - - -@@ -4713,7 +4723,7 @@ Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion - Configure the operating system to prevent users from disabling the tmux terminal multiplexer by editing the "/etc/shells" configuration file to remove any instances of tmux. - - -- -+ - - - -@@ -4743,14 +4753,14 @@ Add the following line to the "/etc/pam.d/password-auth" file (or modify the lin - password required pam_pwquality.so - - -- -+ - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020110 - RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4773,14 +4783,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - ucredit = -1 - - -- -+ - - - - - SRG-OS-000070-GPOS-00038 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020120 - RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4803,14 +4813,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - lcredit = -1 - - -- -+ - - - - - SRG-OS-000071-GPOS-00039 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020130 - RHEL 8 must enforce password complexity by requiring that at least one numeric character be used. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4833,14 +4843,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - dcredit = -1 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020140 - RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4863,14 +4873,14 @@ Add the following line to "/etc/security/pwquality.conf" conf (or modify the lin - maxclassrepeat = 4 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020150 - RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4893,14 +4903,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin - maxrepeat = 3 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020160 - RHEL 8 must require the change of at least four character classes when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4923,14 +4933,14 @@ Add the following line to "/etc/security/pwquality.conf conf" (or modify the lin - minclass = 4 - - -- -+ - - - - - SRG-OS-000072-GPOS-00040 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020170 - RHEL 8 must require the change of at least 8 characters when passwords are changed. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -4953,7 +4963,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to - difok = 8 - - -- -+ - - - -@@ -4977,7 +4987,7 @@ difok = 8 - $ sudo chage -m 1 [user] - - -- -+ - - - -@@ -5003,7 +5013,7 @@ Add the following line in "/etc/login.defs" (or modify the line to have the requ - PASS_MIN_DAYS 1 - - -- -+ - - - -@@ -5029,7 +5039,7 @@ Add, or modify the following line in the "/etc/login.defs" file: - PASS_MAX_DAYS 60 - - -- -+ - - - -@@ -5053,7 +5063,7 @@ PASS_MAX_DAYS 60 - $ sudo chage -M 60 [user] - - -- -+ - - - -@@ -5085,14 +5095,14 @@ Add the following line in "/etc/pam.d/password-auth" (or modify the line to have - password required pam_pwhistory.so use_authtok remember=5 retry=3 - - -- -+ - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020230 - RHEL 8 passwords must have a minimum of 15 characters. - <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -@@ -5119,7 +5129,7 @@ Add the following line to "/etc/security/pwquality.conf" (or modify the line to - minlen = 15 - - -- -+ - - - -@@ -5149,7 +5159,7 @@ Add, or modify the following line in the "/etc/login.defs" file: - PASS_MIN_LEN 15 - - -- -+ - - - -@@ -5179,14 +5189,14 @@ $ sudo useradd -D -f 35 - DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires. - - -- -+ - - - - - SRG-OS-000266-GPOS-00101 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020280 - All RHEL 8 passwords must contain at least one special character. - <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -@@ -5209,14 +5219,14 @@ Add the following line to /etc/security/pwquality.conf (or modify the line to ha - ocredit = -1 - - -- -+ - - - - - SRG-OS-000480-GPOS-00225 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. - <VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> -@@ -5235,7 +5245,7 @@ Add or update the following line in the "/etc/security/pwquality.conf" file or a - dictcheck=1 - - -- -+ - - - -@@ -5263,7 +5273,7 @@ Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or gr - FAIL_DELAY 4 - - -- -+ - - - -@@ -5291,7 +5301,7 @@ The SSH daemon must be restarted for the changes to take effect. To restart the - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -5319,7 +5329,7 @@ PrintLastLog yes - The SSH service must be restarted for changes to "sshd_config" to take effect. - - -- -+ - - - -@@ -5345,7 +5355,7 @@ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077 - UMASK 077 - - -- -+ - - - -@@ -5379,7 +5389,7 @@ Add or update the following file system rules to "/etc/audit/rules.d/audit.rules - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5409,7 +5419,7 @@ Edit the following line in "/etc/audit/auditd.conf" to ensure that administrator - action_mail_acct = root - - -- -+ - - - -@@ -5441,7 +5451,7 @@ disk_error_action = HALT - If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". - - -- -+ - - - -@@ -5475,7 +5485,7 @@ disk_full_action = HALT - If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". - - -- -+ - - - -@@ -5503,7 +5513,7 @@ Add or update the following line in "/etc/audit/auditd.conf" file: - local_events = yes - - -- -+ - - - -@@ -5535,7 +5545,7 @@ name_format = hostname - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -5565,7 +5575,7 @@ log_format = ENRICHED - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -5593,7 +5603,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - log_group = root - - -- -+ - - - -@@ -5623,7 +5633,7 @@ $ sudo chown root [audit_log_file] - Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log". - - -- -+ - - - -@@ -5651,7 +5661,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - log_group = root - - -- -+ - - - -@@ -5681,7 +5691,7 @@ $ sudo chown root [audit_log_directory] - Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - - -- -+ - - - -@@ -5711,7 +5721,7 @@ $ sudo chgrp root [audit_log_directory] - Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit". - - -- -+ - - - -@@ -5741,7 +5751,7 @@ $ sudo chmod 0700 [audit_log_directory] - Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". - - -- -+ - - - -@@ -5773,7 +5783,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system. - - -- -+ - - - -@@ -5803,7 +5813,7 @@ Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPO - --loginuid-immutable - - -- -+ - - - -@@ -5835,7 +5845,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5867,7 +5877,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5899,7 +5909,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5931,7 +5941,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5963,7 +5973,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -5995,7 +6005,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6027,7 +6037,7 @@ Add or update the following file system rule to "/etc/audit/rules.d/audit.rules" - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6059,7 +6069,7 @@ Install the audit service (if the audit service is not already installed) with t - $ sudo yum install audit - - -- -+ - - - -@@ -6091,7 +6101,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6136,7 +6146,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6168,7 +6178,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6200,7 +6210,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6232,7 +6242,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6264,7 +6274,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6296,7 +6306,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6328,7 +6338,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6361,7 +6371,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6393,7 +6403,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6425,7 +6435,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6457,7 +6467,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6489,7 +6499,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6521,7 +6531,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6553,7 +6563,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6585,7 +6595,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6617,7 +6627,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6649,7 +6659,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6681,7 +6691,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6713,7 +6723,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6745,7 +6755,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6780,7 +6790,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6820,7 +6830,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6852,7 +6862,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6885,7 +6895,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6917,7 +6927,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6949,7 +6959,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -6992,7 +7002,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7031,7 +7041,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7069,7 +7079,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7101,7 +7111,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7133,7 +7143,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7165,7 +7175,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7207,7 +7217,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7249,7 +7259,7 @@ Satisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPO - The audit daemon must be restarted for the changes to take effect. - - -- -+ - - - -@@ -7275,7 +7285,7 @@ $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules - $ sudo chmod 0640 /etc/audit/auditd.conf - - -- -+ - - - -@@ -7305,7 +7315,7 @@ $ sudo chmod 0755 [audit_tool] - Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode. - - -- -+ - - - -@@ -7337,7 +7347,7 @@ $ sudo chown root [audit_tool] - Replace "[audit_tool]" with each audit tool not owned by "root". - - -- -+ - - - -@@ -7369,7 +7379,7 @@ $ sudo chgrp root [audit_tool] - Replace "[audit_tool]" with each audit tool not group-owned by "root". - - -- -+ - - - -@@ -7404,7 +7414,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul - $ sudo yum install rsyslog - - -- -+ - - - -@@ -7439,7 +7449,7 @@ Note that a port number was given as there is no standard port for RELP.</Vul - $ sudo yum install rsyslog-gnutls - - -- -+ - - - -@@ -7471,7 +7481,7 @@ overflow_action = syslog - The audit daemon must be restarted for changes to take effect. - - -- -+ - - - -@@ -7497,7 +7507,7 @@ space_left = 25% - Note: Option names and values in the auditd.conf file are case insensitive. - - -- -+ - - - -@@ -7527,7 +7537,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - port 0 - - -- -+ - - - -@@ -7557,7 +7567,7 @@ Note that USNO offers authenticated NTP service to DoD and U.S. Government agenc - cmdport 0 - - -- -+ - - - -@@ -7591,7 +7601,7 @@ If a privileged user were to log on using this service, the privileged user pass - $ sudo yum remove telnet-server - - -- -+ - - - -@@ -7621,7 +7631,7 @@ Verify the operating system is configured to disable non-essential capabilities. - $ sudo yum remove abrt* - - -- -+ - - - -@@ -7651,7 +7661,7 @@ Verify the operating system is configured to disable non-essential capabilities. - $ sudo yum remove sendmail - - -- -+ - - - -@@ -7683,7 +7693,7 @@ Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042</VulnDiscussion - $ sudo yum remove rsh-server - - -- -+ - - - -@@ -7716,7 +7726,7 @@ blacklist atm - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7749,7 +7759,7 @@ blacklist can - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7782,7 +7792,7 @@ blacklist sctp - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7815,7 +7825,7 @@ blacklist tipc - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7848,7 +7858,7 @@ blacklist cramfs - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7879,7 +7889,7 @@ blacklist firewire-core - Reboot the system for the settings to take effect. - - -- -+ - - - -@@ -7910,14 +7920,14 @@ blacklist usb-storage - Reboot the system for the settings to take effect. - - -- -+ - - - - - SRG-OS-000300-GPOS-00118 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. - <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. -@@ -7933,16 +7943,24 @@ Protecting the confidentiality and integrity of communications with wireless per - 2921 - - CCI-001443 -- Configure the operating system to disable the Bluetooth adapter when not in use. -+ Configure the operating system to disable the Bluetooth adapter when not in use. - - Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: - - install bluetooth /bin/true - -+Disable the ability to use the Bluetooth kernel module. -+ -+$ sudo vi /etc/modprobe.d/blacklist.conf -+ -+Add or update the line: -+ -+blacklist bluetooth -+ - Reboot the system for the settings to take effect. -- -+ - -- -+ - - - -@@ -7972,7 +7990,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8000,7 +8018,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8030,7 +8048,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8060,7 +8078,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8088,7 +8106,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8118,7 +8136,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8148,7 +8166,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8178,7 +8196,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8208,7 +8226,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8238,7 +8256,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8268,7 +8286,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8298,7 +8316,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8328,7 +8346,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8358,7 +8376,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8388,7 +8406,7 @@ The "nosuid" mount option causes the system to not execute "setuid" and "setgid" - /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 - - -- -+ - - - -@@ -8418,7 +8436,7 @@ Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPO - $ sudo systemctl enable sshd.service - - -- -+ - - - -@@ -8454,7 +8472,7 @@ Restart the SSH daemon for the settings to take effect. - $ sudo systemctl restart sshd.service - - -- -+ - - - -@@ -8482,7 +8500,7 @@ Reload the daemon for this change to take effect. - $ sudo systemctl daemon-reload - - -- -+ - - - -@@ -8506,7 +8524,7 @@ $ sudo systemctl daemon-reload - $ sudo yum remove tftp-server - - -- -+ - - - -@@ -8530,14 +8548,14 @@ $ sudo yum remove tftp-server - If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040210 - RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -@@ -8568,14 +8586,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040220 - RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -@@ -8608,14 +8626,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040230 - RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. - <VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. -@@ -8647,14 +8665,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040240 - RHEL 8 must not forward IPv6 source-routed packets. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -@@ -8685,14 +8703,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040250 - RHEL 8 must not forward IPv6 source-routed packets by default. - <VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -@@ -8723,14 +8741,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040260 - RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8761,14 +8779,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040261 - RHEL 8 must not accept router advertisements on all IPv6 interfaces. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8801,14 +8819,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040262 - RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. - <VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -@@ -8841,14 +8859,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040270 - RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -@@ -8881,14 +8899,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040280 - RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. - <VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -@@ -8919,14 +8937,14 @@ Load settings from all system configuration files with the following command: - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040281 - RHEL 8 must disable access to network bpf syscall from unprivileged processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -8955,14 +8973,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040282 - RHEL 8 must restrict usage of ptrace to descendant processes. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -8991,14 +9009,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040283 - RHEL 8 must restrict exposed kernel pointer addresses access. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9027,14 +9045,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040284 - RHEL 8 must disable the use of user namespaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9065,14 +9083,14 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040285 - RHEL 8 must use reverse path filtering on all IPv4 interfaces. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9101,7 +9119,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -9125,7 +9143,7 @@ $ sudo sysctl --system - $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' - - -- -+ - - - -@@ -9157,7 +9175,7 @@ The SSH service must be restarted for changes to take effect: - $ sudo systemctl restart sshd - - -- -+ - - - -@@ -9183,7 +9201,7 @@ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Us - X11UseLocalhost yes - - -- -+ - - - -@@ -9207,7 +9225,7 @@ X11UseLocalhost yes - server_args = -s /var/lib/tftpboot - - -- -+ - - - -@@ -9231,7 +9249,7 @@ server_args = -s /var/lib/tftpboot - $ sudo yum remove vsftpd - - -- -+ - - - -@@ -9259,7 +9277,7 @@ The gssproxy package is a proxy for GSS API credential handling and could expose - $ sudo yum remove gssproxy - - -- -+ - - - -@@ -9287,7 +9305,7 @@ The iprutils package provides a suite of utilities to manage and configure SCSI - $ sudo yum remove iprutils - - -- -+ - - - -@@ -9315,7 +9333,7 @@ The tuned package contains a daemon that tunes the system settings dynamically. - $ sudo yum remove tuned - - -- -+ - - - -@@ -9345,7 +9363,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - $ sudo yum remove krb5-server - - -- -+ - - - -@@ -9369,14 +9387,14 @@ ALL ALL=(ALL) ALL - ALL ALL=(ALL:ALL) ALL - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". - <VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -@@ -9395,14 +9413,14 @@ Defaults !rootpw - Defaults !runaspw - - -- -+ - - - - - SRG-OS-000373-GPOS-00156 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. - <VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -@@ -9427,7 +9445,7 @@ Defaults timestamp_timeout=[value] - Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - -@@ -9451,7 +9469,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0". - - -- -+ - - - -@@ -9475,14 +9493,14 @@ Note: Manual changes to the listed file may be overwritten by the "authselect" p - Note: Manual changes to the listed file may be overwritten by the "authselect" program. - - -- -+ - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> -- -+ - RHEL-08-040286 - RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. - <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -9513,7 +9531,7 @@ The system configuration files need to be reloaded for the changes to take effec - $ sudo sysctl --system - - -- -+ - - - -@@ -9540,18 +9558,18 @@ Lock an account: - $ sudo passwd -l [username] - - -- -+ - - - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:45:12 -+ 2022-06-28T15:27:20 - - - -@@ -11139,17 +11157,16 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - - - -- -+ - -- RHEL-08-020300 - RHEL 8 must prevent the use of dictionary words for passwords. -+ RHEL-08-021400 - RHEL 8 must prevent the use of dictionary words for passwords. - - Red Hat Enterprise Linux 8 - - If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks. - -- -+ - -- - - - -@@ -12630,7 +12647,7 @@ RHEL 8 incorporates OpenSSH as a default ssh provider. OpenSSH has been a 100 pe - - - -- -+ - - RHEL-08-040111 - RHEL 8 Bluetooth must be disabled. - -@@ -12644,6 +12661,7 @@ Protecting the confidentiality and integrity of communications with wireless per - - - -+ - - - -@@ -13523,7 +13541,7 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - - - -- -+ - - RHEL-08-010383 - RHEL 8 must use the invoking user's password for privilege escalation when using "sudo". - -@@ -13533,21 +13551,21 @@ FIPS 140-2 is the current standard for validating that mechanisms used to access - For more information on each of the listed configurations, reference the sudoers(5) manual page. - - -- -+ - - - -- -+ - - - -- -+ - - - - - -- -+ - - RHEL-08-010384 - RHEL 8 must require re-authentication when using the "sudo" command. - -@@ -13559,9 +13577,8 @@ When operating systems provide the capability to escalate a functional capabilit - - If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. - -- -- -- -+ -+ - - - -@@ -13876,7 +13893,7 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -@@ -14163,25 +14180,25 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - -- -- -+ -+ - - - - - - -- -- -+ -+ - - - -- -- -+ -+ - - - -@@ -14189,8 +14206,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - - -@@ -14228,8 +14245,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -+ -+ - - - -@@ -14245,12 +14262,8 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -- -- -- -- -- -+ -+ - - - -@@ -14788,6 +14801,9 @@ The sysctl --system command will load settings from all system configuration fil - - - -+ -+ -+ - - - -@@ -15031,29 +15047,33 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - -+ - -- -+ - - -+ - - - - - -- -+ - - - -- -+ - - -+ - -- -+ - - -+ - - - -@@ -15096,30 +15116,26 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -+ - - -- -- -- -- -- -- -+ -+ - - - -@@ -15132,7 +15148,7 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - -@@ -15426,12 +15442,14 @@ The sysctl --system command will load settings from all system configuration fil - oval:mil.disa.stig.rhel8:obj:13602 - - -- -+ -+ - /etc/sudoers - ^(?!#).*\s+NOPASSWD.*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ - ^(?!#).*\s+NOPASSWD.*$ -@@ -15861,41 +15879,109 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\b - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*ucredit\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:19700 -+ oval:mil.disa.stig.rhel8:obj:19701 -+ -+ -+ -+ /etc/security -+ ^pwquality\.conf.*$ - ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* -+ ^\s*lcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:19800 -+ oval:mil.disa.stig.rhel8:obj:19801 -+ -+ - - /etc/security/pwquality.conf - ^\s*dcredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*maxclassrepeat\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*maxclassrepeat\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20000 -+ oval:mil.disa.stig.rhel8:obj:20001 -+ -+ -+ -+ /etc/security -+ ^pwquality\.conf.*$ - ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* -+ ^\s*maxrepeat\s*=\s*(\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20100 -+ oval:mil.disa.stig.rhel8:obj:20101 -+ -+ - - /etc/security/pwquality.conf - ^\s*minclass\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*difok\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ -+ ^\s*difok\s*=\s*(-?\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20300 -+ oval:mil.disa.stig.rhel8:obj:20301 -+ -+ - - /etc/shadow - ^root:[^:]*:[^:]*:0*: -@@ -15959,11 +16045,24 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*password\s+(?:required|requisite)\s+pam_pwhistory\.so\s+[^#\n]*\bremember=(\d+)\b - 1 - -- -- /etc/security/pwquality.conf -+ -+ ^/etc/security/pwquality\.conf.*$ -+ .* - ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ /etc/security -+ ^pwquality\.conf -+ ^\s*minlen\s*=\s*(\d*)\s*(?:#.*)?$ -+ 1 -+ -+ -+ -+ oval:mil.disa.stig.rhel8:obj:20900 -+ oval:mil.disa.stig.rhel8:obj:20901 -+ -+ - - /etc/login.defs - ^\s*PASS_MIN_LEN\s+(\d+)\s*$ -@@ -15979,17 +16078,25 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*ocredit\s*=\s*(-?\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/security/pwquality.conf -+ -+ -+ /etc/security -+ ^pwquality\.conf.* - ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -- -- /etc/pwquality.conf.d/ -- ^.*\.conf$ -+ -+ ^/etc/security/pwquality\.conf.* -+ ^.*$ - ^\s*dictcheck\s*=\s*(\d*)\s*(?:#.*)?$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel8:obj:21400 -+ oval:mil.disa.stig.rhel8:obj:21401 -+ -+ - - /etc/login.defs - ^\s*FAIL_DELAY\s+(\d+)\s*$ -@@ -16795,6 +16902,12 @@ The sysctl --system command will load settings from all system configuration fil - ^[ \t]*install[ \t]+bluetooth[ \t]+/bin/true[ \t]*$ - 1 - -+ -+ /etc/modprobe.d -+ .* -+ ^[ \t]*blacklist[ \t]+bluetooth[ \t]*$ -+ 1 -+ - - /dev/shm - -@@ -17240,17 +17353,25 @@ The sysctl --system command will load settings from all system configuration fil - ^\s*Defaults\s+\!runaspw\s*$ - 1 - -- -+ -+ - /etc/sudoers -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -- -+ -+ - /etc/sudoers.d - ^.*$ -- ^\s*Defaults\s+timestamp_timeout\s*=\s*(\d+)\s*$ -+ ^\s*Defaults\s+timestamp_timeout\s*=\s*([-\d]+)\s*$ - 1 - -+ -+ -+ oval:mil.disa.stig.rhel8:obj:41600 -+ oval:mil.disa.stig.rhel8:obj:41601 -+ -+ - - /etc/pam.d/system-auth - \bnullok\b -@@ -17791,12 +17912,24 @@ The sysctl --system command will load settings from all system configuration fil - - 1 - -+ -+ 2 -+ -+ -+ 2 -+ - - 0 - - - 0 - -+ -+ 2 -+ -+ -+ 2 -+ - - ^(no|"no")$ - -@@ -17896,12 +18029,12 @@ The sysctl --system command will load settings from all system configuration fil - - - -- -+ - - - repotool - 5.10 -- 2022-03-28T12:45:12 -+ 2022-06-28T15:27:20 - - - -diff --git a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -similarity index 96% -rename from shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml -rename to shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -index 849ab06f66..a02819d300 100644 ---- a/shared/references/disa-stig-rhel8-v1r6-xccdf-manual.xml -+++ b/shared/references/disa-stig-rhel8-v1r7-xccdf-manual.xml -@@ -1,4 +1,4 @@ --acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Apr 20223.3.0.273751.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. - - Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. - -@@ -849,7 +849,7 @@ $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf - - localpkg_gpgcheck =True - --If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. -+If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010372RHEL 8 must prevent the loading of a new kernel for later execution.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. - - Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. - -@@ -867,7 +867,7 @@ kernel.kexec_load_disabled = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to disable kernel image loading with the following commands: - - Check the status of the kernel.kexec_load_disabled kernel parameter. - -@@ -885,7 +885,7 @@ $ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sy - - If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -+If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010373RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - - When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -@@ -907,7 +907,7 @@ fs.protected_symlinks = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to enable DAC on symlinks with the following commands: - - Check the status of the fs.protected_symlinks kernel parameter. - -@@ -925,7 +925,7 @@ $ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl. - - If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. -+If conflicting results are returned, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>RHEL-08-010374RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.<VulnDiscussion>Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions. - - When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control. - -@@ -947,7 +947,7 @@ fs.protected_hardlinks = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to enable DAC on hardlinks with the following commands: - - Check the status of the fs.protected_hardlinks kernel parameter. - -@@ -965,7 +965,7 @@ $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl - - If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -+If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010375RHEL 8 must restrict access to the kernel message buffer.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. - -@@ -987,7 +987,7 @@ kernel.dmesg_restrict = 1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to restrict access to the kernel message buffer with the following commands: - - Check the status of the kernel.dmesg_restrict kernel parameter. - -@@ -1005,7 +1005,7 @@ $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl. - - If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. -+If conflicting results are returned, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>RHEL-08-010376RHEL 8 must prevent kernel profiling by unprivileged users.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. - - This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. - -@@ -1027,7 +1027,7 @@ kernel.perf_event_paranoid = 2 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: -+$ sudo sysctl --systemVerify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: - - Check the status of the kernel.perf_event_paranoid kernel parameter. - -@@ -1045,15 +1045,25 @@ $ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sy - - If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. -+If conflicting results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010380RHEL 8 must require users to provide a password for privilege escalation.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. - --Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". -+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002038Configure the operating system to require users to supply a password for privilege escalation. -+ -+Check the configuration of the "/etc/sudoers" file with the following command: -+$ sudo visudo -+ -+Remove any occurrences of "NOPASSWD" tags in the file. -+ -+Check the configuration of the /etc/sudoers.d/* files with the following command: -+$ sudo grep -ir nopasswd /etc/sudoers.d -+ -+Remove any occurrences of "NOPASSWD" tags in the file.Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". - - Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: - --$ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* -+$ sudo grep -ir nopasswd /etc/sudoers /etc/sudoers.d - - %admin ALL=(ALL) NOPASSWD: ALL - -@@ -1222,7 +1232,7 @@ $ sudo grep slub_debug /etc/default/grub - - GRUB_CMDLINE_LINUX="slub_debug=P" - --If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. -+If "slub_debug" is not set to "P", is missing or commented out, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>RHEL-08-010430RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - - Examples of attacks are buffer overflow attacks. - -@@ -1240,7 +1250,7 @@ kernel.randomize_va_space=2 - - Issue the following command to make the changes take effect: - --$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: -+$ sudo sysctl --systemVerify RHEL 8 implements ASLR with the following command: - - $ sudo sysctl kernel.randomize_va_space - -@@ -1256,7 +1266,7 @@ $ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sys - - If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. -+If conflicting results are returned, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>RHEL-08-010440YUM must remove all software components after updated versions have been installed on RHEL 8.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002617Configure the operating system to remove all software components after updated versions have been installed. - - Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file: - -@@ -1590,7 +1600,7 @@ Main PID: 1130 (code=exited, status=0/SUCCESS) - - If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). - --If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010671RHEL 8 must disable the kernel.core_pattern.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -1606,7 +1616,7 @@ kernel.core_pattern = |/bin/false - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 disables storing core dumps with the following commands: - - $ sudo sysctl kernel.core_pattern - -@@ -1622,24 +1632,26 @@ $ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/ - - If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -- --A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -- --When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following command: -- --$ sudo systemctl mask systemd-coredump.socket -- --Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null -- --Reload the daemon for this change to take effect. -- --$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010672RHEL 8 must disable acquiring, saving, and processing core dumps.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+ -+A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. -+ -+When the kernel invokes systemd-coredumpt to handle a core dump, it runs in privileged mode, and will connect to the socket created by the systemd-coredump.socket unit. This, in turn, will spawn an unprivileged systemd-coredump@.service instance to process the core dump.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the systemd-coredump.socket with the following commands: -+ -+$ sudo systemctl disable --now systemd-coredump.socket -+ -+$ sudo systemctl mask systemd-coredump.socket -+ -+Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null -+ -+Reload the daemon for this change to take effect. -+ -+$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: - - $ sudo systemctl status systemd-coredump.socket - - systemd-coredump.socket --Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) -+Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) - Active: inactive (dead) - - If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010673RHEL 8 must disable core dumps for all users.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -@@ -2347,40 +2359,40 @@ $ sudo grep -i lock-command /etc/tmux.conf - - set -g lock-command vlock - --If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. -+If the "lock-command" is not set in the global settings to call "vlock", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - --Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. -+Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. - --Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: -+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: - --If [ "$PS1" ]; then -+if [ "$PS1" ]; then -+parent=$(ps -o ppid= -p $$) -+name=$(ps -o comm= -p $parent) -+case "$name" in (sshd|login) exec tmux ;; esac -+fi -+ -+This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: -+ -+Determine if tmux is currently running: -+$ sudo ps all | grep tmux | grep -v grep -+ -+If the command does not produce output, this is a finding. -+ -+Determine the location of the tmux script: -+$ sudo grep -r tmux /etc/bashrc /etc/profile.d -+ -+/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac -+ -+Review the tmux script by using the following example: -+$ sudo cat /etc/profile.d/tmux.sh -+if [ "$PS1" ]; then - parent=$(ps -o ppid= -p $$) - name=$(ps -o comm= -p $parent) - case "$name" in (sshd|login) exec tmux ;; esac - fi - --This setting will take effect at next logon.Verify the operating system shell initialization file is configured to start each shell with the tmux terminal multiplexer with the following commands: -- --Determine if tmux is currently running: --$ sudo ps all | grep tmux | grep -v grep -- --If the command does not produce output, this is a finding. -- --Determine the location of the tmux script: --$ sudo grep tmux /etc/bashrc/etc/profile.d/* -- --/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac -- --Review the tmux script by using the following example: --$ sudo cat /etc/profile.d/tmux.sh --If [ "$PS1" ]; then --parent=$(ps -o ppid= -p $$) --name=$(ps -o comm= -p $parent) --case "$name" in (sshd|login) exec tmux ;; esac --fi -- - If "tmux" is not configured as the example above, is commented out, or is missing, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020042RHEL 8 must prevent users from disabling session control mechanisms.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. -@@ -2540,7 +2552,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality - - password required pam_pwquality.so - --If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the command does not return a line containing the value "pam_pwquality.so", or the line is commented out, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>RHEL-08-020110RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2548,13 +2560,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --ucredit = -1Verify the value for "ucredit" in "/etc/security/pwquality.conf" with the following command: -+ucredit = -1Verify the value for "ucredit" with the following command: - --$ sudo grep ucredit /etc/security/pwquality.conf -+$ sudo grep -r ucredit /etc/security/pwquality.conf* - --ucredit = -1 -+/etc/security/pwquality.conf:ucredit = -1 - --If the value of "ucredit" is a positive number or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "ucredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>RHEL-08-020120RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2562,13 +2575,14 @@ RHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note th - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --lcredit = -1Verify the value for "lcredit" in "/etc/security/pwquality.conf" with the following command: -+lcredit = -1Verify the value for "lcredit" with the following command: - --$ sudo grep lcredit /etc/security/pwquality.conf -+$ sudo grep -r lcredit /etc/security/pwquality.conf* - --lcredit = -1 -+/etc/security/pwquality.conf:lcredit = -1 - --If the value of "lcredit" is a positive number or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "lcredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>RHEL-08-020130RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2576,13 +2590,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --dcredit = -1Verify the value for "dcredit" in "/etc/security/pwquality.conf" with the following command: -+dcredit = -1Verify the value for "dcredit" with the following command: - --$ sudo grep dcredit /etc/security/pwquality.conf -+$ sudo grep -r dcredit /etc/security/pwquality.conf* - --dcredit = -1 -+/etc/security/pwquality.conf:dcredit = -1 - --If the value of "dcredit" is a positive number or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "dcredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020140RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2590,13 +2605,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): - --maxclassrepeat = 4Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: -+maxclassrepeat = 4Check for the value of the "maxclassrepeat" option with the following command: - --$ sudo grep maxclassrepeat /etc/security/pwquality.conf -+$ sudo grep -r maxclassrepeat /etc/security/pwquality.conf* - --maxclassrepeat = 4 -+/etc/security/pwquality.conf:maxclassrepeat = 4 - --If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020150RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2604,13 +2620,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - --maxrepeat = 3Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: -+maxrepeat = 3Check for the value of the "maxrepeat" option with the following command: - --$ sudo grep maxrepeat /etc/security/pwquality.conf -+$ sudo grep -r maxrepeat /etc/security/pwquality.conf* - --maxrepeat = 3 -+/etc/security/pwquality.conf:maxrepeat = 3 - --If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020160RHEL 8 must require the change of at least four character classes when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2618,12 +2635,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): - --minclass = 4Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: -+minclass = 4Verify the value of the "minclass" option with the following command: -+ -+$ sudo grep -r minclass /etc/security/pwquality.conf* - --$ sudo grep minclass /etc/security/pwquality.conf --minclass = 4 -+/etc/security/pwquality.conf:minclass = 4 - --If the value of "minclass" is set to less than "4" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If the value of "minclass" is set to less than "4" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>RHEL-08-020170RHEL 8 must require the change of at least 8 characters when passwords are changed.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2631,13 +2650,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. The " - - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - --difok = 8Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: -+difok = 8Verify the value of the "difok" option with the following command: - --$ sudo grep difok /etc/security/pwquality.conf -+$ sudo grep -r difok /etc/security/pwquality.conf* - --difok = 8 -+/etc/security/pwquality.conf:difok = 8 - --If the value of "difok" is set to less than "8" or is commented out, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: -+If the value of "difok" is set to less than "8" or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>RHEL-08-020180RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000198Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: - - $ sudo chage -m 1 [user]Check whether the minimum time period between password changes for each user account is one day or greater. - -@@ -2689,7 +2709,7 @@ $ sudo grep -i remember /etc/pam.d/password-auth - - password required pam_pwhistory.so use_authtok remember=5 retry=3 - --If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -+If the line containing "pam_pwhistory.so" does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020230RHEL 8 passwords must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -@@ -2701,14 +2721,16 @@ The DoD minimum password requirement is 15 characters.</VulnDiscussion>< - - Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): - --minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. -+minlen = 15Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. - --Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command: -+Check for the value of the "minlen" option with the following command: - --$ sudo grep minlen /etc/security/pwquality.conf --minlen = 15 -+$ sudo grep -r minlen /etc/security/pwquality.conf* - --If the command does not return a "minlen" value of 15 or greater, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -+/etc/security/pwquality.conf:minlen = 15 -+ -+If the command does not return a "minlen" value of 15 or greater, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>RHEL-08-020231RHEL 8 passwords for new users must have a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - - Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - -@@ -2804,7 +2826,7 @@ For every existing emergency account, run the following command to obtain its ac - $ sudo chage -l system_account_name - - Verify each of these accounts has an expiration date set within 72 hours. --If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -+If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>RHEL-08-020280All RHEL 8 passwords must contain at least one special character.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - - Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. - -@@ -2812,13 +2834,14 @@ RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Note - - Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): - --ocredit = -1Verify the value for "ocredit" in "/etc/security/pwquality.conf" with the following command: -+ocredit = -1Verify the value for "ocredit" with the following command: - --$ sudo grep ocredit /etc/security/pwquality.conf -+$ sudo grep -r ocredit /etc/security/pwquality.conf* - --ocredit = -1 -+/etc/security/pwquality.conf:ocredit = -1 - --If the value of "ocredit" is a positive number or is commented out, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. -+If the value of "ocredit" is a positive number or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>RHEL-08-020290RHEL 8 must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable. - - RHEL 8 includes multiple options for configuring authentication, but this requirement will be focus on the System Security Services Daemon (SSSD). By default sssd does not cache credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002007Configure the SSSD to prohibit the use of cached authentications after one day. - -@@ -2842,19 +2865,20 @@ $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf - - offline_credentials_expiration = 1 - --If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. -+If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>RHEL-08-020300RHEL 8 must prevent the use of dictionary words for passwords.<VulnDiscussion>If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure RHEL 8 to prevent the use of dictionary words for passwords. - - Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: - --dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. -+dictcheck=1Verify RHEL 8 prevents the use of dictionary words for passwords. - --Determine if the field "dictcheck" is set in the "/etc/security/pwquality.conf" or "/etc/pwquality.conf.d/*.conf" files with the following command: -+Determine if the field "dictcheck" is set with the following command: - --$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf -+$ sudo grep -r dictcheck /etc/security/pwquality.conf* - --dictcheck=1 -+/etc/security/pwquality.conf:dictcheck=1 - --If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. -+If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>RHEL-08-020310RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. - - Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. - -@@ -4281,7 +4305,7 @@ root /sbin/auditd - root /sbin/rsyslogd - root /sbin/augenrules - --If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. -+If any of the audit tools are not group-owned by "root", this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>RHEL-08-030650RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. - - Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. - -@@ -4296,13 +4320,13 @@ To address this risk, audit tools must be cryptographically signed to provide th - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 --/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. -+/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. - - If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - - Check the selection lines to ensure AIDE is configured to add/check with the following command: - --$ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf -+$ sudo egrep '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf - - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 -@@ -4312,7 +4336,7 @@ $ sudo egrep '(\/usr\/sbin\/(audit|au))' /etc/aide.conf - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - --If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. -+If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>RHEL-08-030660RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure RHEL 8 systems have a sufficient storage capacity in which to write the audit logs, RHEL 8 needs to be able to allocate audit record storage capacity. - - The task of allocating audit record storage capacity is usually performed during initial installation of RHEL 8.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001849Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. - -@@ -4951,17 +4975,25 @@ p2p-dev-wlp7s0 wifi-p2p disconnected -- - lo loopback unmanaged -- - virbr0-nic tun unmanaged -- - --If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. -+If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.SRG-OS-000300-GPOS-00118<GroupDescription></GroupDescription>RHEL-08-040111RHEL 8 Bluetooth must be disabled.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the RHEL 8 operating system. - - This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with RHEL 8 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the RHEL 8 operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. - --Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. -+Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001443Configure the operating system to disable the Bluetooth adapter when not in use. - - Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: - - install bluetooth /bin/true - --Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. -+Disable the ability to use the Bluetooth kernel module. -+ -+$ sudo vi /etc/modprobe.d/blacklist.conf -+ -+Add or update the line: -+ -+blacklist bluetooth -+ -+Reboot the system for the settings to take effect.If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. - - This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision. - -@@ -4971,7 +5003,15 @@ $ sudo grep bluetooth /etc/modprobe.d/* - - /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/true - --If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. -+If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding. -+ -+Verify the operating system disables the ability to use Bluetooth with the following command: -+ -+$ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" -+ -+blacklist bluetooth -+ -+If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>RHEL-08-040120RHEL 8 must mount /dev/shm with the nodev option.<VulnDiscussion>The organization must identify authorized software programs and permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. - - The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. - -@@ -5361,15 +5401,17 @@ $ sudo grep -i RekeyLimit /etc/ssh/sshd_config - - RekeyLimit 1G 1h - --If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command: -- --$ sudo systemctl mask ctrl-alt-del.target -- --Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null -- --Reload the daemon for this change to take effect. -- --$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: -+If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040170The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 8.<VulnDiscussion>A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: -+ -+$ sudo systemctl disable ctrl-alt-del.target -+ -+$ sudo systemctl mask ctrl-alt-del.target -+ -+Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null -+ -+Reload the daemon for this change to take effect. -+ -+$ sudo systemctl daemon-reloadVerify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: - - $ sudo systemctl status ctrl-alt-del.target - -@@ -5438,7 +5480,7 @@ If the account is associated with system commands or applications, the UID shoul - - $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd - --If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -+If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040210RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5454,7 +5496,7 @@ net.ipv6.conf.default.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. -+$ sudo sysctl --systemVerify RHEL 8 will not accept IPv6 ICMP redirect messages. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5474,7 +5516,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ - - If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040220RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. - - There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. - -@@ -5492,9 +5534,7 @@ net.ipv4.conf.all.send_redirects=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not IPv4 ICMP redirect messages. - - Check the value of the "all send_redirects" variables with the following command: - -@@ -5512,7 +5552,7 @@ $ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/ - - If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040230RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks. - - There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. -@@ -5529,9 +5569,7 @@ net.ipv4.icmp_echo_ignore_broadcasts=1 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. - - Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: - -@@ -5549,7 +5587,7 @@ $ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/lo - - If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040240RHEL 8 must not forward IPv6 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5565,7 +5603,7 @@ net.ipv6.conf.all.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5585,7 +5623,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l - - If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040250RHEL 8 must not forward IPv6 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5601,7 +5639,7 @@ net.ipv6.conf.default.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv6 source-routed packets by default. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5621,7 +5659,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /u - - If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040260RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5637,7 +5675,7 @@ net.ipv6.conf.all.forwarding=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. -+$ sudo sysctl --systemVerify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5657,7 +5695,7 @@ $ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ - - If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040261RHEL 8 must not accept router advertisements on all IPv6 interfaces.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - An illicit router advertisement message could result in a man-in-the-middle attack. - -@@ -5675,7 +5713,7 @@ net.ipv6.conf.all.accept_ra=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. -+$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. - - Note: If IPv6 is disabled on the system, this requirement is not applicable. - -@@ -5695,7 +5733,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/s - - If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040262RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - An illicit router advertisement message could result in a man-in-the-middle attack. - -@@ -5713,7 +5751,7 @@ net.ipv6.conf.default.accept_ra=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. -+$ sudo sysctl --systemVerify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. - - Note: If IPv6 is disabled on the system, this requirement is not applicable. - -@@ -5733,7 +5771,7 @@ $ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/l - - If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040270RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. - - There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6. - -@@ -5751,9 +5789,7 @@ net.ipv4.conf.default.send_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. - - Check the value of the "default send_redirects" variables with the following command: - -@@ -5771,7 +5807,7 @@ $ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/lo - - If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040280RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5787,7 +5823,7 @@ net.ipv6.conf.all.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. -+$ sudo sysctl --systemVerify RHEL 8 ignores IPv6 ICMP redirect messages. - - Note: If IPv6 is disabled on the system, this requirement is Not Applicable. - -@@ -5807,7 +5843,7 @@ $ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca - - If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040281RHEL 8 must disable access to network bpf syscall from unprivileged processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5821,7 +5857,7 @@ kernel.unprivileged_bpf_disabled = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: - - $ sudo sysctl kernel.unprivileged_bpf_disabled - -@@ -5837,7 +5873,7 @@ $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/ - - If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040282RHEL 8 must restrict usage of ptrace to descendant processes.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5851,7 +5887,7 @@ kernel.yama.ptrace_scope = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: - - $ sudo sysctl kernel.yama.ptrace_scope - -@@ -5867,7 +5903,7 @@ $ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysc - - If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040283RHEL 8 must restrict exposed kernel pointer addresses access.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5881,13 +5917,13 @@ kernel.kptr_restrict = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: - - $ sudo sysctl kernel.kptr_restrict - - kernel.kptr_restrict = 1 - --If the returned line does not have a value of "1", or a line is not returned, this is a finding. -+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. - - Check that the configuration files are present to enable this network parameter. - -@@ -5895,9 +5931,9 @@ $ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d - - /etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 - --If "kernel.kptr_restrict" is not set to "1", is missing or commented out, this is a finding. -+If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040284RHEL 8 must disable the use of user namespaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5913,7 +5949,7 @@ user.max_user_namespaces = 0 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 disables the use of user namespaces with the following commands: - - Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable. - -@@ -5931,7 +5967,7 @@ $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysc - - If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040285RHEL 8 must use reverse path filtering on all IPv4 interfaces.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -5945,13 +5981,13 @@ net.ipv4.conf.all.rp_filter = 1 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: - - $ sudo sysctl net.ipv4.conf.all.rp_filter - - net.ipv4.conf.all.rp_filter = 1 - --If the returned line does not have a value of "1", or a line is not returned, this is a finding. -+If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. - - Check that the configuration files are present to enable this network parameter. - -@@ -5959,9 +5995,9 @@ $ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/s - - /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 - --If "net.ipv4.conf.all.rp_filter" is not set to "1", is missing or commented out, this is a finding. -+If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040290RHEL 8 must be configured to prevent unrestricted mail relaying.<VulnDiscussion>If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: - - $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'Verify the system is configured to prevent unrestricted mail relaying. - -@@ -6155,23 +6191,22 @@ $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* - - If the either of the following entries are returned, this is a finding: - ALL ALL=(ALL) ALL --ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. -+ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010383RHEL 8 must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. - For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: - Defaults !targetpw - Defaults !rootpw --Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. -+Defaults !runaspwVerify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. - --$ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' -+$ sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' - - /etc/sudoers:Defaults !targetpw - /etc/sudoers:Defaults !rootpw - /etc/sudoers:Defaults !runaspw - --If no results are returned, this is a finding. --If results are returned from more than one file location, this is a finding. -+If conflicting results are returned, this is a finding. - If "Defaults !targetpw" is not defined, this is a finding. - If "Defaults !rootpw" is not defined, this is a finding. --If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. -+If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010384RHEL 8 must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - - When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. - -@@ -6181,12 +6216,12 @@ $ sudo visudo - - Add or modify the following line: - Defaults timestamp_timeout=[value] --Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. -+Note: The "[value]" must be a number that is greater than or equal to "0".Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. - --$ sudo grep -i 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* -+$ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d - /etc/sudoers:Defaults timestamp_timeout=0 - --If results are returned from more than one file location, this is a finding. -+If conflicting results are returned, this is a finding. - - If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010049RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - -@@ -6735,7 +6770,7 @@ $ sudo yum list installed openssh-server - - openssh-server.x86_64 8.0p1-5.el8 @anaconda - --If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -+If the "SSH server" package is not installed, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040209RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6751,9 +6786,7 @@ net.ipv4.conf.default.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 will not accept IPv4 ICMP redirect messages. - - Check the value of the default "accept_redirects" variables with the following command: - -@@ -6771,7 +6804,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/ - - If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040239RHEL 8 must not forward IPv4 source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6787,9 +6820,7 @@ net.ipv4.conf.all.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets. - - Check the value of the accept source route variable with the following command: - -@@ -6807,7 +6838,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/l - - If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040249RHEL 8 must not forward IPv4 source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6823,9 +6854,7 @@ net.ipv4.conf.default.accept_source_route=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 does not accept IPv4 source-routed packets by default. - - Check the value of the accept source route variable with the following command: - -@@ -6843,7 +6872,7 @@ $ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /u - - If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040279RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -6859,9 +6888,7 @@ net.ipv4.conf.all.accept_redirects = 0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 ignores IPv4 ICMP redirect messages. - - Check the value of the "accept_redirects" variables with the following command: - -@@ -6879,7 +6906,7 @@ $ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/loca - - If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040286RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - - Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks. Setting the value to "2" enables JIT hardening for all users. - -@@ -6895,7 +6922,7 @@ net.core.bpf_jit_harden = 2 - - The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: - --$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: -+$ sudo sysctl --systemVerify RHEL 8 enables hardening for the BPF JIT with the following commands: - - $ sudo sysctl net.core.bpf_jit_harden - -@@ -6911,7 +6938,7 @@ $ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysct - - If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. -+If conflicting results are returned, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-08-010001The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001233Install and enable the latest McAfee ENSLTP package.Per OPORD 16-0080, the preferred endpoint security tool is McAfee Endpoint Security for Linux (ENSL) in conjunction with SELinux. - - Procedure: - Check that the following package has been installed: -@@ -6985,7 +7012,7 @@ $ sudo ls -Zd /var/log/faillock - - unconfined_u:object_r:faillog_t:s0 /var/log/faillock - --If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. -+If the security context type of the non-default tally directory is not "faillog_t", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-040259RHEL 8 must not enable IPv4 packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network. - - The sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored. - /etc/sysctl.d/*.conf -@@ -7001,15 +7028,13 @@ net.ipv4.conf.all.forwarding=0 - - Load settings from all system configuration files with the following command: - --$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. -- --Note: If IPv4 is disabled on the system, this requirement is Not Applicable. -+$ sudo sysctl --systemVerify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. - - Check that IPv4 forwarding is disabled using the following command: - --$ sudo sysctl net.ipv4.ip_forward -+$ sudo sysctl net.ipv4.conf.all.forwarding - --net.ipv4.ip_forward = 0 -+net.ipv4.conf.all.forwarding = 0 - If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. - - Check that the configuration files are present to enable this network parameter. -@@ -7020,7 +7045,7 @@ $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/ - - If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. - --If results are returned from more than one file location, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: -+If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010121The RHEL 8 operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: - - Perform a password reset: - $ sudo passwd [username] -@@ -7071,8 +7096,8 @@ aide-0.16-14.el8.x86_64 - - If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. - --If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. -- -+If there is no application installed to perform integrity checks, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010379RHEL 8 must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. -+ - It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. - - Edit the /etc/sudoers file with the following command: -@@ -7080,7 +7105,9 @@ Edit the /etc/sudoers file with the following command: - $ sudo visudo - - Add or modify the following line: --#includedir /etc/sudoers.dVerify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: -+#includedir /etc/sudoers.dNote: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. -+ -+Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: - - $ sudo grep include /etc/sudoers - -@@ -7090,7 +7117,7 @@ If the results are not "/etc/sudoers.d" or additional files or directories are s - - Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: - --$ sudo grep include /etc/sudoers.d/* -+$ sudo grep -r include /etc/sudoers.d - - If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>RHEL-08-010385The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. - -@@ -7163,7 +7190,7 @@ $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality - - password required pam_pwquality.so retry=3 - --If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. -+If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-020104RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system. - - RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. This is set in both: - /etc/pam.d/password-auth -@@ -7172,18 +7199,20 @@ By limiting the number of attempts to meet the pwquality module complexity requi - - Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value): - --retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. -+retry = 3Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. - - Verify the operating system is configured to limit the "pwquality" retry option to 3. - - Check for the use of the "pwquality" retry option with the following command: - --$ sudo grep retry /etc/security/pwquality.conf -+$ sudo grep -r retry /etc/security/pwquality.conf* - --retry = 3 -+/etc/security/pwquality.conf:retry = 3 - - If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. - -+If conflicting results are returned, this is a finding. -+ - Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: - - $ sudo grep retry /etc/pam.d/system-auth /etc/pam.d/password-auth -diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile -index 2a16a82889..4bee72830d 100644 ---- a/tests/data/profile_stability/rhel8/stig.profile -+++ b/tests/data/profile_stability/rhel8/stig.profile -@@ -1,7 +1,7 @@ - title: DISA STIG for Red Hat Enterprise Linux 8 - description: 'This profile contains configuration checks that align to the - -- DISA STIG for Red Hat Enterprise Linux 8 V1R6. -+ DISA STIG for Red Hat Enterprise Linux 8 V1R7 - - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes -@@ -23,7 +23,7 @@ description: 'This profile contains configuration checks that align to the - - Red Hat Containers with a Red Hat Enterprise Linux 8 image' - extends: null - metadata: -- version: V1R6 -+ version: V1R7 - SMEs: - - mab879 - - ggbecker -diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile -index e79776f8e9..ece32d06a6 100644 ---- a/tests/data/profile_stability/rhel8/stig_gui.profile -+++ b/tests/data/profile_stability/rhel8/stig_gui.profile -@@ -1,7 +1,7 @@ - title: DISA STIG with GUI for Red Hat Enterprise Linux 8 - description: 'This profile contains configuration checks that align to the - -- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R6. -+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R7. - - - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes -@@ -34,7 +34,7 @@ description: 'This profile contains configuration checks that align to the - standard DISA STIG for Red Hat Enterprise Linux 8 profile.' - extends: null - metadata: -- version: V1R6 -+ version: V1R7 - SMEs: - - mab879 - - ggbecker --- -2.37.1 - diff --git a/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch b/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch deleted file mode 100644 index 916116c..0000000 --- a/scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch +++ /dev/null @@ -1,801 +0,0 @@ -From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001 -From: vojtapolasek -Date: Tue, 2 Aug 2022 13:21:45 +0200 -Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728 - -Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch -Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile ---- - docs/templates/template_reference.md | 24 +- - .../rule.yml | 82 +++++++ - .../tests/system_default.pass.sh | 5 + - .../tests/test_config.yml | 6 + - .../tests/value_0.fail.sh | 11 + - .../tests/value_1.pass.sh | 11 + - .../tests/value_2.pass.sh | 11 + - ...kernel_unprivileged_bpf_disabled_value.var | 18 ++ - products/rhel9/profiles/ospp.profile | 4 +- - .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- - shared/references/cce-redhat-avail.txt | 1 - - shared/templates/sysctl/ansible.template | 2 +- - shared/templates/sysctl/bash.template | 2 +- - shared/templates/sysctl/oval.template | 213 +++++++++++------- - shared/templates/sysctl/template.py | 24 +- - 15 files changed, 316 insertions(+), 102 deletions(-) - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh - create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var - -diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md -index a439e3dca9..e73b95450f 100644 ---- a/docs/templates/template_reference.md -+++ b/docs/templates/template_reference.md -@@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo - - - **datatype** - data type of the sysctl value, eg. `int`. - -- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this -- parameter is not specified, XCCDF Value is used instead. -+ - **sysctlval** - value of the sysctl value. This can be either not -+ specified, or an atomic value, eg. `'1'`, or a list of values, -+ eg. `['1','2']`. -+ - If this parameter is not specified, an XCCDF Value is used instead -+ in OVAL check and remediations. The XCCDF Value should have a file -+ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, -+ where the `escaped_sysctlvar` is a value of the **sysctlvar** -+ parameter in which all characters that don't match the `\w` regular -+ expression are replaced by an underscore (`_`). -+ - If this parameter is set to an atomic value, this atomic value -+ will be used in OVAL check and remediations. -+ - If this parameter is set to a list of values, the list will be used -+ in the OVAL check, but won't be used in the remediations. -+ All remediations will use an XCCDF value instead. -+ -+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This -+ will be used in templated test scenarios when **sysctlval** is a list. -+ -+ - **missing_parameter_pass** - if set to `true` the check will pass if the -+ setting for the given **sysctlvar** is not present in sysctl -+ configuration files. In other words, the check will pass if the system -+ default isn't overriden by configuration. Default value: `false`. - - - **operation** - operation used for comparison of collected object - with **sysctlval**. Default value: `equals`. -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -new file mode 100644 -index 0000000000..259d1f901c ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml -@@ -0,0 +1,82 @@ -+documentation_complete: true -+ -+prodtype: rhel9 -+ -+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' -+ -+description: |- -+ To prevent unprivileged processes from using the bpf() syscall -+ the kernel.unprivileged_bpf_disabled kernel parameter must -+ be set to 1 or 2. -+ -+ Writing 1 to this entry will disable unprivileged calls to bpf(); once -+ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. -+ Once set to 1, this can't be cleared from the running kernel anymore. -+ -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} -+ -+ Writing 2 to this entry will also disable unprivileged calls to bpf(), -+ however, an admin can still change this setting later on, if needed, by -+ writing 0 or 1 to this entry. -+ -+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} -+ -+rationale: |- -+ Loading and accessing the packet filters programs and maps using the bpf() -+ syscall has the potential of revealing sensitive information about the kernel state. -+ -+severity: medium -+ -+identifiers: -+ cce@rhel9: CCE-87712-6 -+ -+references: -+ disa: CCI-000366 -+ nist: AC-6,SC-7(10) -+ ospp: FMT_SMF_EXT.1 -+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 -+ -+ocil: |- -+ The runtime status of the kernel.unprivileged_bpf_disabled -+ kernel parameter can be queried by running the following command: -+ 
$ sysctl kernel.unprivileged_bpf_disabled
-+ The output of the command should indicate either: -+ kernel.unprivileged_bpf_disabled = 1 -+ or: -+ kernel.unprivileged_bpf_disabled = 2 -+ The output of the command should not indicate: -+ kernel.unprivileged_bpf_disabled = 0 -+ -+ The preferable way how to assure the runtime compliance is to have -+ correct persistent configuration, and rebooting the system. -+ -+ The persistent kernel parameter configuration is performed by specifying the appropriate -+ assignment in any file located in the 
/etc/sysctl.d
directory. -+ Verify that there is not any existing incorrect configuration by executing the following command: -+ 
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
-+ The command should not find any assignments other than: -+ kernel.unprivileged_bpf_disabled = 1 -+ or: -+ kernel.unprivileged_bpf_disabled = 2 -+ -+ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. -+ -+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" -+ -+fixtext: |- -+ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. -+ -+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' -+ -+platform: machine -+ -+template: -+ name: sysctl -+ vars: -+ sysctlvar: kernel.unprivileged_bpf_disabled -+ sysctlval: -+ - '1' -+ - '2' -+ wrong_sysctlval_for_testing: "0" -+ missing_parameter_pass: "true" -+ datatype: int -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -new file mode 100644 -index 0000000000..b9776227bd ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -new file mode 100644 -index 0000000000..5cf6807405 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml -@@ -0,0 +1,6 @@ -+deny_templated_scenarios: -+ # this rule uses missing_parameter_pass: true which means the check should pass -+ # if the configuration is missing (or commented out) therefore we disable -+ # line_not_there.fail.sh and comment.fail.sh test scenarios -+ - line_not_there.fail.sh -+ - comment.fail.sh -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -new file mode 100644 -index 0000000000..9f19e0140b ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf -+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.unprivileged_bpf_disabled="0" -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -new file mode 100644 -index 0000000000..e976db594c ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf -+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.unprivileged_bpf_disabled="1" -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -new file mode 100644 -index 0000000000..b1537175eb ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh -@@ -0,0 +1,11 @@ -+#!/bin/bash -+# platform = Red Hat Enterprise Linux 9 -+ -+# Clean sysctl config directories -+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* -+ -+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf -+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf -+ -+# set correct runtime value to check if the filesystem configuration is evaluated properly -+sysctl -w kernel.unprivileged_bpf_disabled="2" -diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -new file mode 100644 -index 0000000000..b8bf965a25 ---- /dev/null -+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var -@@ -0,0 +1,18 @@ -+documentation_complete: true -+ -+title: kernel.unprivileged_bpf_disabled -+ -+description: |- -+ Prevent unprivileged processes from using the bpf() syscall. -+ -+type: number -+ -+operator: equals -+ -+interactive: false -+ -+options: -+ default: 2 -+ 0: "0" -+ 1: "1" -+ 2: "2" -diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile -index feb96501a9..f27f961a7a 100644 ---- a/products/rhel9/profiles/ospp.profile -+++ b/products/rhel9/profiles/ospp.profile -@@ -74,8 +74,8 @@ selections: - - sysctl_kernel_yama_ptrace_scope - - sysctl_kernel_perf_event_paranoid - - sysctl_user_max_user_namespaces -- - sysctl_kernel_unprivileged_bpf_disabled -- - sysctl_net_core_bpf_jit_harden -+ - sysctl_kernel_unprivileged_bpf_disabled_accept_default -+ - sysctl_kernel_unprivileged_bpf_disabled_value=2 - - service_kdump_disabled - - ### Audit -diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index 1195cea518..f971d28a04 100644 ---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -@@ -19,8 +19,8 @@ - - - -- -- -+ -+ - - - -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index fb2f59fd09..a613a152ae 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -1443,7 +1443,6 @@ CCE-87708-4 - CCE-87709-2 - CCE-87710-0 - CCE-87711-8 --CCE-87712-6 - CCE-87713-4 - CCE-87714-2 - CCE-87715-9 -diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template -index c13bb6637f..edc4d3fb66 100644 ---- a/shared/templates/sysctl/ansible.template -+++ b/shared/templates/sysctl/ansible.template -@@ -21,7 +21,7 @@ - replace: '#{{{ SYSCTLVAR }}}' - loop: "{{ find_sysctl_d.files }}" - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - - - name: Ensure sysctl {{{ SYSCTLVAR }}} is set -diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template -index d67a59c388..cd3424b022 100644 ---- a/shared/templates/sysctl/bash.template -+++ b/shared/templates/sysctl/bash.template -@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - fi - done - --{{%- if SYSCTLVAL == "" %}} -+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} - - # -diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template -index 74583dbee1..1a7c4979bb 100644 ---- a/shared/templates/sysctl/oval.template -+++ b/shared/templates/sysctl/oval.template -@@ -1,12 +1,20 @@ - {{%- if SYSCTLVAL == "" %}} - {{%- set COMMENT_VALUE="the appropriate value" %}} -+{{%- elif SYSCTLVAL is sequence %}} -+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} - {{%- else %}} - {{%- set COMMENT_VALUE=SYSCTLVAL %}} - {{%- endif %}} - - {{% macro state_static_sysctld(prefix) -%}} -- -- -+ -+{{% if SYSCTLVAL is string %}} -+ -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+{{% endif %}} - {{%- endmacro -%}} - {{%- macro sysctl_match() -%}} - {{%- if SYSCTLVAL == "" -%}} -@@ -20,13 +28,13 @@ - {{%- if "P" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - -+ definition_ref="{{{ rule_id }}}_static"/> - -+ definition_ref="{{{ rule_id }}}_runtime"/> - - - -@@ -34,7 +42,7 @@ - {{%- elif "I" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - {{% if product in ["ubuntu1604", "ubuntu1804"] %}} -@@ -46,9 +54,9 @@ - {{% endif %}} - - -+ definition_ref="{{{ rule_id }}}_static"/> - -+ definition_ref="{{{ rule_id }}}_runtime"/> - - - -@@ -58,33 +66,41 @@ - {{%- if "R" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} - - -+ test_ref="test_{{{ rule_id }}}_runtime"/> - - -- -- -- -+ check="all" check_existence="all_exist" state_operator="OR"> -+ -+{{% if SYSCTLVAL is string %}} -+ -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+{{% endfor %}} -+{{% endif %}} - - -- -+ - {{{ SYSCTLVAR }}} - -+{{% if SYSCTLVAL is string %}} - {{% if SYSCTLVAL == "" %}} -- -+ - -+ var_ref="{{{ rule_id }}}_value"/> - - -- - {{%- else %}} -- -+ - {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} -@@ -94,133 +110,156 @@ - {{% endif %}} - - {{%- endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - - {{%- endif -%}} - {{%- if "S" in FLAGS -%}} - - -- -+ - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} -+{{% if MISSING_PARAMETER_PASS == "true" %}} -+ -+{{% endif %}} - - - -+ test_ref="test_{{{ rule_id }}}_static"/> - - -+ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> - -+ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -+ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} -- -+ - {{% endif %}} - -+{{% if MISSING_PARAMETER_PASS == "true" %}} -+ -+ -+{{% endif %}} - - -- -+ -+ -+{{% endif %}} -+ -+ - {{{ state_static_sysctld("sysctl") }}} - - -- -+ - {{{ state_static_sysctld("etc_sysctld") }}} - - -- -+ - {{{ state_static_sysctld("run_sysctld") }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- -+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> - {{{ state_static_sysctld("usr_lib_sysctld") }}} - - {{% endif %}} - - {{% if target_oval_version >= [5, 11] %}} - -- -- -+ id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> -+ -+ - - -- -- local_var_unique_sysctl_{{{ SYSCTLID }}}_counter -+ -+ local_var_{{{ rule_id }}}_counter - - -- -+ - 1 - - -- -+ - - -- -+ - - - - -- -+ - -- object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} -- state_{{{ SYSCTLID }}}_filepath_is_symlink -+ object_{{{ rule_id }}}_static_set_sysctls_unfiltered -+ state_{{{ rule_id }}}_filepath_is_symlink - - - -- -- -+ -+ - - -- -+ - -- -+ - -- -+ - - - -- -+ - -- var_obj_symlink_{{{ SYSCTLID }}} -- var_obj_blank_{{{ SYSCTLID }}} -+ var_obj_symlink_{{{ rule_id }}} -+ var_obj_blank_{{{ rule_id }}} - - - -- -- local_var_blank_path_{{{ SYSCTLID }}} -+ -+ local_var_blank_path_{{{ rule_id }}} - - -- -+ - - - -- -- local_var_symlinks_{{{ SYSCTLID }}} -+ -+ local_var_symlinks_{{{ rule_id }}} - -- -+ - -- -+ - -- -+ - - - - -- -- -- state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} -+ -+ -+ state_symlink_points_outside_usual_dirs_{{{ rule_id }}} - - - -- -+ - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - - {{% endif %}} - -- -- -+ -+ - - - -- -+ - -- object_static_etc_sysctls_{{{ SYSCTLID }}} -- object_static_run_usr_sysctls_{{{ SYSCTLID }}} -+ object_static_etc_sysctls_{{{ rule_id }}} -+ object_static_run_usr_sysctls_{{{ rule_id }}} - - - -- -+ - -- object_static_sysctl_{{{ SYSCTLID }}} -- object_static_etc_sysctld_{{{ SYSCTLID }}} -+ object_static_sysctl_{{{ rule_id }}} -+ object_static_etc_sysctld_{{{ rule_id }}} - - - -- -+ - -- object_static_run_sysctld_{{{ SYSCTLID }}} -+ object_static_run_sysctld_{{{ rule_id }}} - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- object_static_usr_lib_sysctld_{{{ SYSCTLID }}} -+ object_static_usr_lib_sysctld_{{{ rule_id }}} - {{% endif %}} - - - -- -+ - /etc/sysctl.conf - {{{ sysctl_match() }}} - - -- -+ - /etc/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - -- -+ - /run/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - - {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -- -+ - /usr/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - {{% endif %}} -+{{% if SYSCTLVAL is string %}} - {{% if SYSCTLVAL == "" %}} - -- -- -+ - - -- - {{% else %}} -- -+ - {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} - {{% else %}} -@@ -304,5 +344,12 @@ - {{% endif %}} - - {{% endif %}} -+{{% elif SYSCTLVAL is sequence %}} -+{{% for x in SYSCTLVAL %}} -+ -+ {{{ x }}} -+ -+{{% endfor %}} -+{{% endif %}} - - {{%- endif -%}} -diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py -index fa981a9dce..9083a6a418 100644 ---- a/shared/templates/sysctl/template.py -+++ b/shared/templates/sysctl/template.py -@@ -11,8 +11,19 @@ def preprocess(data, lang): - data["flags"] = "SR" + ipv6_flag - if "operation" not in data: - data["operation"] = "equals" -+ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: -+ raise ValueError( -+ "The sysctlval parameter of {0} is an empty list".format( -+ data["_rule_id"])) - - # Configure data for test scenarios -+ if data["datatype"] not in ["string", "int"]: -+ raise ValueError( -+ "Test scenarios for data type '{0}' are not implemented yet.\n" -+ "Please check if rule '{1}' has correct data type and edit " -+ "{2} to add tests for it.".format( -+ data["datatype"], data["_rule_id"], __file__)) -+ - if data["sysctlval"] == "": - if data["datatype"] == "int": - data["sysctl_correct_value"] = "0" -@@ -20,20 +31,13 @@ def preprocess(data, lang): - elif data["datatype"] == "string": - data["sysctl_correct_value"] = "correct_value" - data["sysctl_wrong_value"] = "wrong_value" -- else: -- raise ValueError( -- "Test scenarios for data type '{0}' are not implemented yet.\n" -- "Please check if rule '{1}' has correct data type and edit " -- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) -+ elif isinstance(data["sysctlval"], list): -+ data["sysctl_correct_value"] = data["sysctlval"][0] -+ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] - else: - data["sysctl_correct_value"] = data["sysctlval"] - if data["datatype"] == "int": - data["sysctl_wrong_value"] = "1" + data["sysctlval"] - elif data["datatype"] == "string": - data["sysctl_wrong_value"] = "wrong_value" -- else: -- raise ValueError( -- "Test scenarios for data type '{0}' are not implemented yet.\n" -- "Please check if rule '{1}' has correct data type and edit " -- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) - return data --- -2.37.1 - diff --git a/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch b/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch deleted file mode 100644 index 7cd6a2d..0000000 --- a/scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch +++ /dev/null @@ -1,2957 +0,0 @@ -From b9a5b670570ad914167f4f5efb85f2f9e3e7479e Mon Sep 17 00:00:00 2001 -From: YuQing -Date: Thu, 29 Dec 2022 16:57:11 +0800 -Subject: [PATCH] support anolis8 - ---- - CMakeLists.txt | 5 + - build_product | 1 + - .../service_avahi-daemon_disabled/rule.yml | 2 +- - .../base/service_abrtd_disabled/rule.yml | 2 +- - .../base/service_qpidd_disabled/rule.yml | 2 +- - .../base/service_rdisc_disabled/rule.yml | 2 +- - .../file_groupowner_cron_d/rule.yml | 2 +- - .../file_groupowner_cron_daily/rule.yml | 2 +- - .../file_groupowner_cron_hourly/rule.yml | 2 +- - .../file_groupowner_cron_monthly/rule.yml | 2 +- - .../file_groupowner_cron_weekly/rule.yml | 2 +- - .../file_groupowner_crontab/rule.yml | 2 +- - .../cron_and_at/file_owner_cron_d/rule.yml | 2 +- - .../file_owner_cron_daily/rule.yml | 2 +- - .../file_owner_cron_hourly/rule.yml | 2 +- - .../file_owner_cron_monthly/rule.yml | 2 +- - .../file_owner_cron_weekly/rule.yml | 2 +- - .../cron_and_at/file_owner_crontab/rule.yml | 2 +- - .../file_permissions_cron_d/rule.yml | 2 +- - .../file_permissions_cron_daily/rule.yml | 2 +- - .../file_permissions_cron_hourly/rule.yml | 2 +- - .../file_permissions_cron_monthly/rule.yml | 2 +- - .../file_permissions_cron_weekly/rule.yml | 2 +- - .../file_permissions_crontab/rule.yml | 2 +- - .../file_at_deny_not_exist/rule.yml | 2 +- - .../file_cron_deny_not_exist/rule.yml | 2 +- - .../file_groupowner_at_allow/rule.yml | 2 +- - .../file_groupowner_cron_allow/rule.yml | 2 +- - .../file_owner_at_allow/rule.yml | 2 +- - .../file_owner_cron_allow/rule.yml | 2 +- - .../file_permissions_at_allow/rule.yml | 2 +- - .../file_permissions_cron_allow/rule.yml | 2 +- - .../cron_and_at/service_atd_disabled/rule.yml | 2 +- - .../service_crond_enabled/rule.yml | 2 +- - .../service_dhcpd_disabled/rule.yml | 2 +- - .../package_bind_removed/rule.yml | 2 +- - .../service_named_disabled/rule.yml | 2 +- - .../service_vsftpd_disabled/rule.yml | 2 +- - .../service_httpd_disabled/rule.yml | 2 +- - .../service_dovecot_disabled/rule.yml | 2 +- - .../service_slapd_disabled/rule.yml | 2 +- - .../service_rpcbind_disabled/rule.yml | 2 +- - .../service_nfs_disabled/rule.yml | 2 +- - .../nis/service_ypserv_disabled/rule.yml | 2 +- - .../obsolete/service_rsyncd_disabled/rule.yml | 2 +- - .../printing/service_cups_disabled/rule.yml | 2 +- - .../service_squid_disabled/rule.yml | 2 +- - .../service_smb_disabled/rule.yml | 2 +- - .../service_snmpd_disabled/rule.yml | 2 +- - .../ssh/file_groupowner_sshd_config/rule.yml | 2 +- - .../ssh/file_owner_sshd_config/rule.yml | 2 +- - .../ssh/file_permissions_sshd_config/rule.yml | 2 +- - .../banner_etc_issue/rule.yml | 2 +- - .../accounts-banners/banner_etc_motd/rule.yml | 2 +- - .../file_groupowner_etc_issue/rule.yml | 2 +- - .../file_groupowner_etc_motd/rule.yml | 2 +- - .../file_owner_etc_issue/rule.yml | 2 +- - .../file_owner_etc_motd/rule.yml | 2 +- - .../file_permissions_etc_issue/rule.yml | 2 +- - .../file_permissions_etc_motd/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../accounts_password_pam_minclass/rule.yml | 2 +- - .../accounts_password_pam_minlen/rule.yml | 2 +- - .../accounts_password_pam_retry/rule.yml | 2 +- - .../rule.yml | 2 +- - .../require_emergency_target_auth/rule.yml | 2 +- - .../require_singleuser_auth/rule.yml | 2 +- - .../rule.yml | 2 +- - .../account_unique_id/rule.yml | 2 +- - .../group_unique_id/rule.yml | 2 +- - .../group_unique_name/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../no_shelllogin_for_systemaccounts/rule.yml | 2 +- - .../root_logins/use_pam_wheel_for_su/rule.yml | 2 +- - .../accounts-session/accounts_tmout/rule.yml | 2 +- - .../rule.yml | 2 +- - .../file_ownership_home_directories/rule.yml | 2 +- - .../accounts_umask_etc_bashrc/rule.yml | 2 +- - .../audit_rules_file_deletion_events/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../file_groupowner_grub2_cfg/rule.yml | 2 +- - .../non-uefi/file_owner_grub2_cfg/rule.yml | 2 +- - .../file_permissions_grub2_cfg/rule.yml | 2 +- - .../non-uefi/grub2_password/rule.yml | 2 +- - .../file_groupowner_efi_grub2_cfg/rule.yml | 2 +- - .../uefi/file_owner_efi_grub2_cfg/rule.yml | 2 +- - .../file_permissions_efi_grub2_cfg/rule.yml | 2 +- - .../uefi/grub2_uefi_password/rule.yml | 2 +- - .../journald/journald_compress/rule.yml | 2 +- - .../journald_forward_to_syslog/rule.yml | 2 +- - .../journald/journald_storage/rule.yml | 2 +- - .../package_firewalld_installed/rule.yml | 2 +- - .../service_firewalld_enabled/rule.yml | 2 +- - .../package_libreswan_installed/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- - .../kernel_module_dccp_disabled/rule.yml | 2 +- - .../kernel_module_sctp_disabled/rule.yml | 2 +- - .../wireless_disable_interfaces/rule.yml | 2 +- - .../rule.yml | 2 +- - .../rule.yml | 2 +- - .../file_permissions_ungroupowned/rule.yml | 2 +- - .../mounting/service_autofs_disabled/rule.yml | 2 +- - .../disable_users_coredumps/rule.yml | 2 +- - .../configure_bind_crypto_policy/rule.yml | 2 +- - .../crypto/configure_crypto_policy/rule.yml | 2 +- - .../configure_kerberos_crypto_policy/rule.yml | 2 +- - .../rule.yml | 2 +- - .../configure_openssl_crypto_policy/rule.yml | 2 +- - .../configure_ssh_crypto_policy/rule.yml | 2 +- - .../aide/aide_periodic_cron_checking/rule.yml | 2 +- - .../aide/package_aide_installed/rule.yml | 2 +- - .../rpm_verify_hashes/rule.yml | 2 +- - .../rpm_verify_permissions/rule.yml | 2 +- - .../rule.yml | 2 +- - .../ensure_redhat_gpgkey_installed/rule.yml | 2 +- - .../security_patches_up_to_date/rule.yml | 2 +- - products/anolis8/CMakeLists.txt | 6 + - products/anolis8/overlays/.gitkeep | 0 - products/anolis8/product.yml | 23 + - products/anolis8/profiles/standard.profile | 728 ++++++++++++++++++ - products/anolis8/transforms/constants.xslt | 10 + - products/anolis8/transforms/table-style.xslt | 5 + - .../transforms/xccdf-apply-overlay-stig.xslt | 8 + - .../anolis8/transforms/xccdf2table-cce.xslt | 9 + - .../xccdf2table-profileccirefs.xslt | 9 + - .../checks/oval/installed_OS_is_anolis8.xml | 28 + - .../oval/sysctl_kernel_ipv6_disable.xml | 1 + - ssg/constants.py | 6 +- - tests/unit/ssg-module/test_utils.py | 2 +- - 163 files changed, 987 insertions(+), 150 deletions(-) - create mode 100644 products/anolis8/CMakeLists.txt - create mode 100644 products/anolis8/overlays/.gitkeep - create mode 100644 products/anolis8/product.yml - create mode 100644 products/anolis8/profiles/standard.profile - create mode 100644 products/anolis8/transforms/constants.xslt - create mode 100644 products/anolis8/transforms/table-style.xslt - create mode 100644 products/anolis8/transforms/xccdf-apply-overlay-stig.xslt - create mode 100644 products/anolis8/transforms/xccdf2table-cce.xslt - create mode 100644 products/anolis8/transforms/xccdf2table-profileccirefs.xslt - create mode 100644 shared/checks/oval/installed_OS_is_anolis8.xml - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index e7a1ee7f1b..b25c043536 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -69,6 +69,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui - # unless explicitly asked for. - option(SSG_PRODUCT_ALINUX2 "If enabled, the Alinux 2 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_ALINUX3 "If enabled, the Alinux 3 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -+option(SSG_PRODUCT_ANOLIS8 "If enabled, the Anolis OS 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) - option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -@@ -274,6 +275,7 @@ message(STATUS " ") - message(STATUS "Products:") - message(STATUS "Alinux 2: ${SSG_PRODUCT_ALINUX2}") - message(STATUS "Alinux 3: ${SSG_PRODUCT_ALINUX3}") -+message(STATUS "Anolis OS 8: ${SSG_PRODUCT_ANOLIS8}") - message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}") - message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}") - message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}") -@@ -345,6 +347,9 @@ endif() - if (SSG_PRODUCT_ALINUX3) - add_subdirectory("products/alinux3" "alinux3") - endif() -+if (SSG_PRODUCT_ANOLIS8) -+ add_subdirectory("products/anolis8" "anolis8") -+endif() - if (SSG_PRODUCT_CHROMIUM) - add_subdirectory("products/chromium" "chromium") - endif() -diff --git a/build_product b/build_product -index 24ca39b408..011d23afc4 100755 ---- a/build_product -+++ b/build_product -@@ -299,6 +299,7 @@ set_explict_build_targets() { - all_cmake_products=( - ALINUX2 - ALINUX3 -+ ANOLIS8 - CHROMIUM - DEBIAN9 - DEBIAN10 -diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -index a8c094ecb2..0ff67a5f08 100644 ---- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -+++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 - - title: 'Disable Avahi Server Software' - -diff --git a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml -index 6abe7b263b..38557afea1 100644 ---- a/linux_os/guide/services/base/service_abrtd_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_abrtd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,uos20 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,uos20 - - title: 'Disable Automatic Bug Reporting Tool (abrtd)' - -diff --git a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -index e33eba2efa..c71ce1b230 100644 ---- a/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_qpidd_disabled/rule.yml -@@ -1,7 +1,7 @@ - documentation_complete: true - - # package is unlikely to appear on a RHEL9 system, don't extend to RHEL10 --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 - - title: 'Disable Apache Qpid (qpidd)' - -diff --git a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -index 75e2ada151..7ca16e3864 100644 ---- a/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -+++ b/linux_os/guide/services/base/service_rdisc_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 - - title: 'Disable Network Router Discovery Daemon (rdisc)' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -index 908087499e..9916a189e6 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -index 821cd13890..100b65a4fd 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns cron.daily' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -index ab2a16f811..f82f02dd85 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns cron.hourly' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -index 0716370105..c0e0d5c9a6 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,rhel7,anolis8,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns cron.monthly' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -index 32c5f6f8f8..f8f0ec7b2a 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns cron.weekly' - -diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -index 2865d54d83..49eab068de 100644 ---- a/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns Crontab' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -index 68ad645a56..46dcd7834d 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -index 371fc9d396..8276930669 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on cron.daily' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -index f24897bdad..2d440fb041 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on cron.hourly' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -index 187eec8edb..3f67f4460f 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on cron.monthly' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -index f1d67d9bd9..815e388dd0 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on cron.weekly' - -diff --git a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -index da2c8fad6d..17f6ad6104 100644 ---- a/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on crontab' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -index a9130cefd5..8739f52446 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on cron.d' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -index 514ec15e05..787c56cd04 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on cron.daily' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -index 1a7934b24a..969c1d5e3a 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on cron.hourly' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -index b05c8eab1b..3b3b0eb0ee 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on cron.monthly' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -index d5d4e8db18..112e429da4 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on cron.weekly' - -diff --git a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -index ffa87a2702..044c6c4ac9 100644 ---- a/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -+++ b/linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on crontab' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -index 31a2180bcb..677d75d666 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_not_exist/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9 - - title: 'Ensure that /etc/at.deny does not exist' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -index 9fb0d5b39d..8c79dfde16 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_deny_not_exist/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle15 - - title: 'Ensure that /etc/cron.deny does not exist' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -index ae516b961a..d78a713258 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel8,rhel9,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns /etc/at.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -index 8879c0fa2b..58df895763 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns /etc/cron.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml -index c8d7092226..f9b421a587 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,sle12,sle15,ubuntu2004 - - title: 'Verify User Who Owns /etc/at.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -index 9e6670911d..cc75d54f87 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_cron_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify User Who Owns /etc/cron.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -index 279d36347e..776c0db6cf 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel8,rhel9,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on /etc/at.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -index adb16ec6b8..ef366a7927 100644 ---- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_cron_allow/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15,ubuntu2004 - - title: 'Verify Permissions on /etc/cron.allow file' - -diff --git a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -index de88deaa2a..91f458db00 100644 ---- a/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -+++ b/linux_os/guide/services/cron_and_at/service_atd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,uos20 - - title: 'Disable At Service (atd)' - -diff --git a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -index dbb7c7a06b..ace9ba592f 100644 ---- a/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -+++ b/linux_os/guide/services/cron_and_at/service_crond_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Enable cron Service' - -diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -index 0eb3829b17..fb9629af78 100644 ---- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable DHCP Service' - -diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml -index bc2e7411cf..d0a4064ce3 100644 ---- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml -+++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,uos20 -+prodtype: anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,uos20 - - title: 'Uninstall bind Package' - -diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -index 2acaf85bec..e0cf2d773e 100644 ---- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -+++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable named Service' - -diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -index 1b723ce761..dc2813b11d 100644 ---- a/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -+++ b/linux_os/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable vsftpd Service' - -diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -index ade2d740c2..27cbd7418f 100644 ---- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -+++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable httpd Service' - -diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -index 920de88bd0..ef3e17c687 100644 ---- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -+++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable Dovecot Service' - -diff --git a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml -index 9780397e50..8501b6286f 100644 ---- a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml -+++ b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9 - - title: 'Disable LDAP Server (slapd)' - -diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -index 222dafa3ef..13a1224483 100644 ---- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Disable rpcbind Service' - -diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -index ed3d8881db..42cc6befde 100644 ---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9 - - title: 'Disable Network File System (nfs)' - -diff --git a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml -index 99e527ef10..4f414d3af1 100644 ---- a/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/nis/service_ypserv_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,rhel8,rhel9 - - title: 'Disable ypserv Service' - -diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -index e3e56f5ea1..cac6fe082b 100644 ---- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -+++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure rsyncd service is diabled' - -diff --git a/linux_os/guide/services/printing/service_cups_disabled/rule.yml b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -index bf9ddbb5f3..dfd5918cf2 100644 ---- a/linux_os/guide/services/printing/service_cups_disabled/rule.yml -+++ b/linux_os/guide/services/printing/service_cups_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,rhel7,rhel8,rhel9,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15,ubuntu2004 - - title: 'Disable the CUPS Service' - -diff --git a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -index 3e3f0f4f26..23d21f512a 100644 ---- a/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -+++ b/linux_os/guide/services/proxy/disabling_squid/service_squid_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable Squid' - -diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -index ee7b76b185..4aaeec5dc1 100644 ---- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -+++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: 'Disable Samba' - -diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -index 0bd8a0129b..fec9e270f3 100644 ---- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,debian10,debian11,debian9,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,rhel7,rhel8,rhel9,sle15 - - title: 'Disable snmpd Service' - -diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -index feed2148e2..ae9297fb43 100644 ---- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -+++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Who Owns SSH Server config file' - -diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -index f04aa5563c..6b34f4e3de 100644 ---- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -+++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Owner on SSH Server config file' - -diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -index ddad4da469..895528c371 100644 ---- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -+++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Permissions on SSH Server config file' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml -index bbb16cd644..ab5eff0320 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Modify the System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -index cdc981fc3d..3d318ef46b 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Modify the System Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -index 66a7f83077..f0fd86e8e3 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Ownership of System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -index 4be94f2b2c..ebcb659853 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_groupowner_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify Group Ownership of Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -index a3d6b97b56..0b6012d2a9 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify ownership of System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -index d42b843421..5701faa68d 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_owner_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify ownership of Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -index 2b9349f75b..111143de2e 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_issue/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify permissions on System Login Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -index f5d9279b90..8043b9c07e 100644 ---- a/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-banners/file_permissions_etc_motd/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify permissions on Message of the Day Banner' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml -index 73f2afff87..b4972e25e6 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Limit Password Reuse: password-auth' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml -index fd85b25e98..2bb70d9762 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4 - - title: 'Limit Password Reuse: system-auth' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -index 37bd49f696..31327aa03f 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,ubuntu2004 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Different Categories' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -index 3dc5600b26..267c81b5ae 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004 - - title: 'Ensure PAM Enforces Password Requirements - Minimum Length' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -index 4d1b5ebe4a..733777d0ce 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004 - - title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session' - -diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -index b35b01c467..4aaf3ff64f 100644 ---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: "Set PAM''s Password Hashing Algorithm" - -diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml -index 1a247ecfb9..a8445adbf7 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Require Authentication for Emergency Systemd Target' - -diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -index 932d76c36d..318e9c862d 100644 ---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Require Authentication for Single User Mode' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -index 0cb369e82f..01767ce542 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Set Account Expiration Following Inactivity' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml -index de96fd58c4..3469cbf01c 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Ensure All Accounts on the System Have Unique User IDs' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml -index 42a5c3a7b3..4a660ab92e 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_id/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,rhel9,sle15 - - title: 'Ensure All Groups on the System Have Unique Group ID' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml -index 756b2ae5bf..33554937a0 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,rhel7,rhel8,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,rhel7,rhel8,sle15 - - title: 'Ensure All Groups on the System Have Unique Group Names' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml -index 9384d5a981..ccb42a9749 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Set Existing Passwords Maximum Age' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml -index 8e4beddc05..378e2f4c49 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Set Existing Passwords Minimum Age' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml -index af6e93ebf7..bc6e82e93d 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 - - title: 'Ensure that System Accounts Do Not Run a Shell Upon Login' - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml -index 9213cc472d..f9a2464f92 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004 - - title: 'Enforce usage of pam_wheel for su authentication' - -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml -index 978ddff0ca..f4e0dee229 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Set Interactive Session Timeout' - -diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -index 2bd171f3fd..ee8ce9a668 100644 ---- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User' - -diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml -index 4ed84ef0a8..827bb124f4 100644 ---- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 - - title: 'All Interactive User Home Directories Must Be Owned By The Primary User' - -diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -index a1e472043f..fd8fcebe81 100644 ---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 - - title: 'Ensure the Default Bash Umask is Set Correctly' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -index 14e3d2e07b..406b78f8c9 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 - - title: 'Ensure auditd Collects File Deletion Events by User' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -index ab60d66375..63028b39ec 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -index 3e28446e61..2e2b31ec06 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Record Unsuccessful Access Attempts to Files - creat' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -index 32ef125722..7f22f2cee8 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Record Unsuccessful Access Attempts to Files - ftruncate' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -index 1587662730..3e0220853d 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Record Unsuccessful Access Attempts to Files - open' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -index 3738f202fc..e44c876b23 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -index 61f278a9f2..c8552433d3 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Record Unsuccessful Access Attempts to Files - openat' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -index 0a1e39df2e..4e245ab020 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Record Unsuccessful Access Attempts to Files - truncate' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -index ac639d5b31..247e9a1aa5 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -index 56463078fc..aaaf635cd0 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -index c3e5d7a702..46065fc27a 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module' - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -index 334165f75e..4d4e1338c4 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module' - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml -index ca391cc112..099414f33f 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Group Ownership' - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml -index 40a8b787af..fab8602f08 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify {{{ grub2_boot_path }}}/grub.cfg User Ownership' - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml -index e4a08f5876..c1c793e73b 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Permissions' - -diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -index 28adf2303e..9472bbe292 100644 ---- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Set Boot Loader Password in grub2' - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml -index a7fb015139..4b12d06e13 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8 - - title: 'Verify the UEFI Boot Loader grub.cfg Group Ownership' - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml -index f8f91f2a49..f577dc1d5a 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8 - - title: 'Verify the UEFI Boot Loader grub.cfg User Ownership' - -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml -index 348a0fe243..9b1ea037e6 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9 - - - title: 'Verify the UEFI Boot Loader grub.cfg Permissions' -diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -index ecfee6ada4..35d0c8ca45 100644 ---- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Set the UEFI Boot Loader Password' - -diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml -index 39d727ba86..5e192bbabf 100644 ---- a/linux_os/guide/system/logging/journald/journald_compress/rule.yml -+++ b/linux_os/guide/system/logging/journald/journald_compress/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: Ensure journald is configured to compress large log files - -diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml -index ca35dd9370..8bac5b49e8 100644 ---- a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml -+++ b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,rhel7,rhel8,rhel9 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9 - - title: Ensure journald is configured to send logs to rsyslog - -diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml -index 8176701520..3a5c5e460b 100644 ---- a/linux_os/guide/system/logging/journald/journald_storage/rule.yml -+++ b/linux_os/guide/system/logging/journald/journald_storage/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,rhel7,rhel8,rhel9,sle15 -+prodtype: alinux3,anolis8,rhel7,rhel8,rhel9,sle15 - - title: Ensure journald is configured to write log files to persistent disk - -diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml -index 10750e14ae..bd7a2fbb09 100644 ---- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml -+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 -+prodtype: alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 - - title: 'Install firewalld Package' - -diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -index 5b43737544..e3d443f584 100644 ---- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Verify firewalld Enabled' - -diff --git a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml -index 6f110d679b..705c47a4d8 100644 ---- a/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml -+++ b/linux_os/guide/system/network/network-ipsec/package_libreswan_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Install libreswan Package' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml -index 6118cd929d..bd47636f77 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml -index 777bd7c7a1..7a4411d128 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Accepting ICMP Redirects for All IPv6 Interfaces' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -index ce64d6e653..be86a4e56e 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -index b4c1f42b68..eaa6b55d20 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for IPv6 Forwarding' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -index d45ca63c8d..158f1b9773 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Accepting Router Advertisements on all IPv6 Interfaces by Default' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -index a42ca1890b..6723e8ab3b 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces' - -diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -index 49d059ccf5..c2f7d5ef7f 100644 ---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -index 9a2c88cde5..29fb46c2f8 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -index e4e87ff110..3e9d8eef15 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -index aeecbae5fb..1ebf98a487 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -index 4d31c6c3eb..5a00b590b5 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -index abe92e65a5..5dce2c1517 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -index 47abcc223b..6e0281ea25 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -index 043f16e26e..1882f1a3eb 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -index 38602c00b1..6d4a4225c9 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -index 09ff60235f..2d5b22ec63 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -index f21dfa912a..bea8153427 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -index d45ebce67f..983ea889e8 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -index 4f552dfce9..b841e4e302 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -index e87793d5f6..0292844c8a 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -index e44509ea33..96fe691e3e 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -index b3534eb737..9a1049f59a 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default' - -diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -index 7acfc0b05b..bebb4df43e 100644 ---- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' - -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -index 2087834007..2820608fce 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable DCCP Support' - -diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -index f8b020fc5a..2a95c3a1df 100644 ---- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Disable SCTP Support' - -diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -index b3e20e7b0d..31ed5d33c0 100644 ---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Deactivate Wireless Network Interfaces' - -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -index f23bcd31d8..bc87146694 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - title: 'Ensure All SGID Executables Are Authorized' - --prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 - - description: |- - The SGID (set group id) bit should be set only on files that were -diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -index 73d98ee1fc..f6c7ef7e4e 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/rule.yml -@@ -2,7 +2,7 @@ documentation_complete: true - - title: 'Ensure All SUID Executables Are Authorized' - --prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 -+prodtype: alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15,uos20 - - description: |- - The SUID (set user id) bit should be set only on files that were -diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -index 123f967db0..18c6b37409 100644 ---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15 - - title: 'Ensure All Files Are Owned by a Group' - -diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -index c774309fca..0cca02ba0b 100644 ---- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1804,ubuntu2004,uos20 - - title: 'Disable the Automounter' - -diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -index c2c0f05d40..989ad0629f 100644 ---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15,ubuntu2004 - - title: 'Disable Core Dumps for All Users' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -index 870150aadf..03e830776f 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 - - title: 'Configure BIND to use System Crypto Policy' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -index de186e7684..92769e5110 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Configure System Cryptography Policy' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -index 68f748ebf5..3a2df056e7 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,uos20 - - title: 'Configure Kerberos to use System Crypto Policy' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml -index e769599ae5..09745c9e50 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Configure Libreswan to use System Crypto Policy' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -index 49b35d058d..db7866bdd8 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Configure OpenSSL library to use System Crypto Policy' - -diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -index ab9408af96..573983212d 100644 ---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol8,ol9,rhcos4,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Configure SSH to use System Crypto Policy' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -index 3b70a5979c..d5abd91d1c 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml -@@ -4,7 +4,7 @@ - - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Configure Periodic Execution of AIDE' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -index 287ac5575e..66720c2c09 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 -+prodtype: alinux2,alinux3,anolis8,debian10,debian11,debian9,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004 - - title: 'Install AIDE' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -index d3d3224739..94a08024d2 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Verify File Hashes with RPM' - -diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -index c51b054612..2c9d3e65d4 100644 ---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15,uos20 - - title: 'Verify and Correct File Permissions with RPM' - -diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -index 17fe909be2..22c1776a19 100644 ---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,uos20 - - title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration' - -diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml -index 58ae682542..42d87f4c66 100644 ---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml -+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux3,rhcos4,rhel7,rhel8,rhel9,rhv4,uos20 -+prodtype: alinux3,anolis8,rhcos4,rhel7,rhel8,rhel9,rhv4,uos20 - - title: 'Ensure Red Hat GPG Key Installed' - -diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -index 607846e10f..ac623b8b78 100644 ---- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: alinux2,alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20 -+prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu1604,ubuntu1804,uos20 - - title: 'Ensure Software Patches Installed' - -diff --git a/products/anolis8/CMakeLists.txt b/products/anolis8/CMakeLists.txt -new file mode 100644 -index 0000000000..5e1cfa01ad ---- /dev/null -+++ b/products/anolis8/CMakeLists.txt -@@ -0,0 +1,6 @@ -+# Sometimes our users will try to do: "cd anolis8; cmake ." That needs to error in a nice way. -+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") -+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") -+endif() -+ -+ssg_build_product("anolis8") -diff --git a/products/anolis8/overlays/.gitkeep b/products/anolis8/overlays/.gitkeep -new file mode 100644 -index 0000000000..e69de29bb2 -diff --git a/products/anolis8/product.yml b/products/anolis8/product.yml -new file mode 100644 -index 0000000000..b81bb76575 ---- /dev/null -+++ b/products/anolis8/product.yml -@@ -0,0 +1,23 @@ -+product: anolis8 -+full_name: Anolis OS 8 -+type: platform -+ -+benchmark_id: ANOLIS-8 -+benchmark_root: "../../linux_os/guide" -+ -+profiles_root: "./profiles" -+ -+pkg_manager: "yum" -+ -+init_system: "systemd" -+ -+cpes_root: "../../shared/applicability" -+cpes: -+ - anolis8: -+ name: "cpe:/o:anolis:anolis_os:8" -+ title: "Anolis OS 8" -+ check_id: installed_OS_is_anolis8 -+ -+# Mapping of CPE platform to package -+platform_package_overrides: -+ login_defs: "shadow-utils" -diff --git a/products/anolis8/profiles/standard.profile b/products/anolis8/profiles/standard.profile -new file mode 100644 -index 0000000000..a9f86ca49b ---- /dev/null -+++ b/products/anolis8/profiles/standard.profile -@@ -0,0 +1,728 @@ -+documentation_complete: true -+ -+title: 'Standard System Security Profile for Anolis OS 8' -+ -+description: |- -+ This profile contains rules to ensure standard security baseline -+ of a Anolis OS 8 system. -+ -+selections: -+ # 1 access-and-control -+ ## 1.1-ensure-cron-daemon-is-enabled -+ ### Level 1 -+ - service_crond_enabled -+ -+ ## 1.2-ensure-permissions-on-etc-crontab-are-configured -+ ### Level 1 -+ - file_groupowner_crontab -+ - file_owner_crontab -+ - file_permissions_crontab -+ -+ ## 1.3-ensure-permissions-on-etc-cron.hourly-are-configured -+ ### Level 1 -+ - file_groupowner_cron_hourly -+ - file_owner_cron_hourly -+ - file_permissions_cron_hourly -+ -+ ## 1.4-ensure-permissions-on-etc-cron.daily-are-configured -+ ### Level 1 -+ - file_groupowner_cron_daily -+ - file_owner_cron_daily -+ - file_permissions_cron_daily -+ -+ ## 1.5-ensure-permissions-on-etc-cron.weekly-are-configured -+ ### Level 1 -+ - file_groupowner_cron_weekly -+ - file_owner_cron_weekly -+ - file_permissions_cron_weekly -+ -+ ## 1.6-ensure-permissions-on-etc-cron.monthly-are-configured -+ ### Level 1 -+ - file_groupowner_cron_monthly -+ - file_owner_cron_monthly -+ - file_permissions_cron_monthly -+ -+ ## 1.7-ensure-permissions-on-etc-cron.d-are-configured -+ ### Level 1 -+ - file_groupowner_cron_d -+ - file_owner_cron_d -+ - file_permissions_cron_d -+ -+ ## 1.8-ensure-at-cron-is-restricted-to-authorized-users -+ ### Level 1 -+ - file_groupowner_cron_allow -+ - file_owner_cron_allow -+ - file_cron_deny_not_exist -+ - file_groupowner_at_allow -+ - file_owner_at_allow -+ - file_at_deny_not_exist -+ - file_permissions_at_allow -+ - file_permissions_cron_allow -+ -+ ## 1.9-ensure-permissions-on-etc-ssh-sshd_config-are-configured -+ ### Level 1 -+ - file_groupowner_sshd_config -+ - file_owner_sshd_config -+ - file_permissions_sshd_config -+ -+ ## 1.10-ensure-ssh-access-is-limited -+ ### Level 2 -+ # Needs rule -+ -+ ## 1.11-ensure-permissions-on-ssh-private-host-key-files-are-configured -+ ### Level 1 -+ - file_permissions_sshd_private_key -+ -+ ## 1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured -+ ### Level 1 -+ - file_permissions_sshd_pub_key -+ -+ ## 1.13-ensure-ssh-loglevel-is-appropriate -+ ### Level 1 -+ - sshd_set_loglevel_verbose -+ # or -+ - sshd_set_loglevel_info -+ -+ ## 1.14-ensure-ssh-maxauthtries-is-set-to-4-or-less -+ ### Level 1 -+ - sshd_max_auth_tries_value=4 -+ - sshd_set_max_auth_tries -+ -+ ## 1.15-ensure-ssh-ignorerhosts-is-enabled -+ ### Level 1 -+ - sshd_disable_rhosts -+ -+ ## 1.16-ensure-ssh-hostbasedauthentication-is-disabled -+ ### Level 1 -+ - disable_host_auth -+ -+ ## 1.17-ensure-ssh-root-login-is-disabled -+ ### Level 1 -+ - sshd_disable_root_login -+ -+ ## 1.18-ensure-ssh-permitemptypasswords-is-disabled -+ ### Level 1 -+ - sshd_disable_empty_passwords -+ -+ ## 1.19-ensure-ssh-permituserenvironment-is-disabled -+ ### Level 1 -+ - sshd_do_not_permit_user_env -+ -+ ## 1.20-ensure-ssh-idle-timeout-interval-is-configured -+ ### Level 1 -+ - sshd_idle_timeout_value=15_minutes -+ - sshd_set_idle_timeout -+ - sshd_set_keepalive -+ - var_sshd_set_keepalive=0 -+ -+ ## 1.21-ensure-ssh-logingracetime-is-set-to-one-minute-or-less -+ ### Level 1 -+ - sshd_set_login_grace_time -+ - var_sshd_set_login_grace_time=60 -+ -+ ## 1.22-ensure-ssh-warning-banner-is-configured -+ ### Level 1 -+ - sshd_enable_warning_banner -+ -+ ## 1.23-ensure-ssh-pam-is-enabled -+ ### Level 1 -+ - sshd_enable_pam -+ -+ ## 1.24-ensure-ssh-maxstartups-is-configured -+ ### Level 1 -+ - sshd_set_maxstartups -+ - var_sshd_set_maxstartups=10:30:60 -+ -+ ## 1.25-ensure-ssh-maxsessions-is-set-to-10-or-less -+ ### Level 1 -+ - sshd_set_max_sessions -+ - var_sshd_max_sessions=10 -+ -+ ## 1.26-ensure-system-wide-crypto-policy-is-not-over-ridden -+ ### Level 1 -+ # Needs rule -+ -+ ## 1.27-ensure-password-creation-requirements-are-configured -+ ### Level 1 -+ - accounts_password_pam_minclass -+ - accounts_password_pam_minlen -+ - accounts_password_pam_retry -+ - var_password_pam_minclass=4 -+ - var_password_pam_minlen=14 -+ -+ ## 1.28-ensure-lockout-for-failed-password-attempts-is-configured -+ ### Level 1 -+ - locking_out_password_attempts -+ -+ ## 1.29-ensure-password-reuse-is-limited -+ ### Level 1 -+ - accounts_password_pam_pwhistory_remember_password_auth -+ - accounts_password_pam_pwhistory_remember_system_auth -+ - var_password_pam_remember_control_flag=required -+ - var_password_pam_remember=5 -+ -+ ## 1.30-ensure-password-hashing-algorithm-is-sha-512 -+ ### Level 1 -+ - set_password_hashing_algorithm_systemauth -+ -+ ## 1.31-ensure-password-expiration-is-365-days-or-less -+ ### Level 1 -+ - accounts_maximum_age_login_defs -+ - var_accounts_maximum_age_login_defs=365 -+ - accounts_password_set_max_life_existing -+ -+ ## 1.32-ensure-minimum-days-between-password-changes-is-7-or-more -+ ### Level 1 -+ - accounts_minimum_age_login_defs -+ - var_accounts_minimum_age_login_defs=7 -+ - accounts_password_set_min_life_existing -+ -+ ## 1.33-ensure-password-expiration-warning-days-is-7-or-more -+ ### Level 1 -+ - accounts_password_warn_age_login_defs -+ - var_accounts_password_warn_age_login_defs=7 -+ -+ ## 1.34-ensure-inactive-password-lock-is-30-days-or-less -+ ### Level 1 -+ - account_disable_post_pw_expiration -+ - var_account_disable_post_pw_expiration=30 -+ -+ ## 1.35-ensure-all-users-last-password-change-date-is-in-the-past -+ ### Level 2 -+ # Needs rule -+ -+ ## 1.36-ensure-system-accounts-are-secured -+ ### Level 1 -+ - no_shelllogin_for_systemaccounts -+ -+ ## 1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less -+ ### Level 1 -+ - accounts_tmout -+ - var_accounts_tmout=15_min -+ -+ ## 1.38-ensure-default-group-for-the-root-account-is-gid-0 -+ ### Level 1 -+ - accounts_root_gid_zero -+ -+ ## 1.39-ensure-default-user-umask-is-027-or-more-restrictive -+ ### Level 1 -+ - accounts_umask_etc_bashrc -+ - accounts_umask_etc_login_defs -+ - accounts_umask_etc_profile -+ - var_accounts_user_umask=027 -+ -+ ## 1.40-ensure-access-to-the-su-command-is-restricted -+ ### Level 1 -+ - use_pam_wheel_for_su -+ -+ ## 1.41-ensure-ssh-server-use-protocol_2 -+ ### Level 1 -+ - sshd_allow_only_protocol2 -+ -+ ## 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.2-ensure-only-authorized-users-own-audit-log-files -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.4-ensure-the-audit-log-directory-is-0750-or-more-restrictive -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.5-ensure-audit-configuration-files-are-0640-or-more-restrictive -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.6-ensure-only-authorized-accounts-own-the-audit-configuration-files -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.7-ensure-only-authorized-groups-own-the-audit-configuration-files -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.8-ensure-audit-tools-are-mode-of-0755-or-more-restrictive -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.9-ensure-audit-tools-are-owned-by-root -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.10-ensure-audit-tools-are-group-owned-by-root -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.12-ensure-rsyslog-is-installed -+ ### Level 1 -+ - package_rsyslog_installed -+ -+ ## 2.13-ensure-rsyslog-service-is-enabled -+ ### Level 1 -+ - service_rsyslog_enabled -+ -+ ## 2.14-ensure-rsyslog-default-file-permissions-configured -+ ### Level 1 -+ # Needs rule -+ -+ ## 2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host -+ ### Level 2 -+ - rsyslog_remote_loghost -+ -+ ## 2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog -+ ### Level 1 -+ - journald_forward_to_syslog -+ -+ ## 2.17-ensure-journald-is-configured-to-compress-large-log-files -+ ### Level 1 -+ - journald_compress -+ -+ ## 2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk -+ ### Level 1 -+ - journald_storage -+ -+ ## 2.19-ensure-audit-is-installed -+ ### Level 1 -+ - package_audit_installed -+ -+ ## 2.20-ensure-audit-service-is-enabled -+ ### Level 3 -+ - service_auditd_enabled -+ -+ ## 3.1-disable-http-server -+ ### Level 1 -+ - service_httpd_disabled -+ -+ ## 3.2-disable-ftp-server -+ ### Level 1 -+ - service_vsftpd_disabled -+ -+ ## 3.3-disable-dns-server -+ ### Level 1 -+ - service_named_disabled -+ -+ ## 3.4-disable-nfs -+ ### Level 1 -+ - service_nfs_disabled -+ -+ ## 3.5-disable-rpc -+ ### Level 1 -+ - service_rpcbind_disabled -+ -+ ## 3.6-disable-ldap-server -+ ### Level 1 -+ - service_slapd_disabled -+ -+ ## 3.7-disable-dhcp-server -+ ### Level 1 -+ - service_dhcpd_disabled -+ -+ ## 3.8-disable-cups -+ ### Level 1 -+ - service_cups_disabled -+ -+ ## 3.9-disable-nis-server -+ ### Level 1 -+ - service_ypserv_disabled -+ -+ ## 3.10-disable-rsync-server -+ ### Level 1 -+ - service_rsyncd_disabled -+ -+ ## 3.11-disable-avahi-server -+ ### Level 1 -+ - service_avahi-daemon_disabled -+ -+ ## 3.12-disable-snmp-server -+ ### Level 1 -+ - service_snmpd_disabled -+ -+ ## 3.13-disable-http-proxy-server -+ ### Level 1 -+ - service_squid_disabled -+ -+ ## 3.14-disable-samba -+ ### Level 1 -+ - service_smb_disabled -+ -+ ## 3.15-disable-imap-and-pop3-server -+ ### Level 1 -+ - service_dovecot_disabled -+ -+ ## 3.16-disable-smtp-protocol -+ ### Level 1 -+ # Needs rule -+ -+ ## 3.17-disable-telnet-port-23 -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.1-ensure-message-of-the-day-is-configured-properly -+ ### Level 1 -+ - banner_etc_motd -+ - login_banner_text=cis_banners -+ -+ ## 4.2-ensure-local-login-warning-banner-is-configured-properly -+ ### Level 1 -+ - banner_etc_issue -+ - login_banner_text=cis_banners -+ -+ ## 4.3-ensure-remote-login-warning-banner-is-configured-properly -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.4-ensure-permissions-on-etc-motd-are-configured -+ ### Level 1 -+ - file_groupowner_etc_motd -+ - file_owner_etc_motd -+ - file_permissions_etc_motd -+ -+ ## 4.5-ensure-permissions-on-etc-issue-are-configured -+ ### Level 1 -+ - file_groupowner_etc_issue -+ - file_owner_etc_issue -+ - file_permissions_etc_issue -+ -+ ## 4.6-ensure-permissions-on-etc-issue.net-are-configured -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.7-ensure-gpgcheck-is-globally-activated -+ ### Level 1 -+ - ensure_gpgcheck_globally_activated -+ -+ ## 4.8-ensure-aide-is-installed -+ ### Level 1 -+ - package_aide_installed -+ -+ ## 4.9-ensure-filesystem-integrity-is-regularly-checked -+ ### Level 1 -+ - aide_periodic_cron_checking -+ -+ ## 4.10-ensure-bootloader-password-is-set -+ ### Level 2 -+ - grub2_password -+ -+ ## 4.11-ensure-permissions-on-bootloader-config-are-configured -+ ### Level 1 -+ #- file_groupowner_efi_grub2_cfg -+ - file_groupowner_grub2_cfg -+ #- file_owner_efi_grub2_cfg -+ - file_owner_grub2_cfg -+ #- file_permissions_efi_grub2_cfg -+ - file_permissions_grub2_cfg -+ -+ ## 4.12-ensure-authentication-required-for-single-user-mode -+ ### Level 1 -+ - require_singleuser_auth -+ - require_emergency_target_auth -+ -+ ## 4.13-ensure-core-dumps-are-restricted -+ ### Level 1 -+ - disable_users_coredumps -+ - sysctl_fs_suid_dumpable -+ - coredump_disable_backtraces -+ - coredump_disable_storage -+ -+ ## 4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled -+ ### Level 1 -+ - sysctl_kernel_randomize_va_space -+ -+ ## 4.15-ensure-system-wide-crypto-policy-is-not-legacy -+ ### Level 1 -+ - configure_crypto_policy -+ - var_system_crypto_policy=default_policy -+ -+ ## 4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories -+ ### Level 1 -+ - dir_perms_world_writable_sticky_bits -+ -+ ## 4.17-ensure-permissions-on-etc-passwd-are-configured -+ ### Level 1 -+ - file_permissions_etc_passwd -+ -+ ## 4.18-ensure-permissions-on-etc-shadow-are-configured -+ ### Level 1 -+ - file_owner_etc_shadow -+ - file_groupowner_etc_shadow -+ - file_permissions_etc_shadow -+ -+ ## 4.19-ensure-permissions-on-etc-group-are-configured -+ ### Level 1 -+ - file_groupowner_etc_group -+ - file_owner_etc_group -+ - file_permissions_etc_group -+ -+ ## 4.20-ensure-permissions-on-etc-gshadow-are-configured -+ ### Level 1 -+ - file_groupowner_etc_gshadow -+ - file_owner_etc_gshadow -+ - file_permissions_etc_gshadow -+ -+ ## 4.21-ensure-permissions-on-etc-passwd--are-configured -+ ### Level 1 -+ - file_groupowner_backup_etc_passwd -+ - file_owner_backup_etc_passwd -+ - file_permissions_backup_etc_passwd -+ -+ ## 4.22-ensure-permissions-on-etc-shadow--are-configured -+ ### Level 1 -+ - file_groupowner_backup_etc_shadow -+ - file_owner_backup_etc_shadow -+ - file_permissions_backup_etc_shadow -+ -+ ## 4.23-ensure-permissions-on-etc-group--are-configured -+ ### Level 1 -+ - file_groupowner_backup_etc_group -+ - file_owner_backup_etc_group -+ - file_permissions_backup_etc_group -+ -+ ## 4.24-ensure-permissions-on-etc-gshadow--are-configured -+ ### Level 1 -+ - file_groupowner_backup_etc_gshadow -+ - file_owner_backup_etc_gshadow -+ - file_permissions_backup_etc_gshadow -+ -+ ## 4.25-ensure-no-world-writable-files-exist -+ ### Level 2 -+ - file_permissions_unauthorized_world_writable -+ -+ ## 4.26-ensure-no-unowned-files-or-directories-exist -+ ### Level 2 -+ # Needs rule -+ -+ ## 4.27-ensure-no-ungrouped-files-or-directories-exist -+ ### Level 2 -+ - file_permissions_ungroupowned -+ -+ ## 4.28-ensure-no-password-fields-are-not-empty -+ ### Level 2 -+ # Needs rule -+ -+ ## 4.29-ensure-root-path-integrity -+ ### Level 2 -+ - accounts_root_path_dirs_no_write -+ - root_path_no_dot -+ -+ ## 4.30-ensure-root-is-the-only-uid-0-account -+ ### Level 2 -+ - accounts_no_uid_except_zero -+ -+ ## 4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.32-ensure-users-own-their-home-directories -+ ### Level 1 -+ - file_ownership_home_directories -+ - file_groupownership_home_directories -+ -+ ## 4.33-ensure-users-dot-files-are-not-group-or-world-writable -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.34-ensure-no-users-have-.forward-files -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.35-ensure-no-users-have-.netrc-files -+ ### Level 1 -+ - no_netrc_files -+ -+ ## 4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.37-ensure-no-users-have-.rhosts-files -+ ### Level 1 -+ - no_rsh_trust_files -+ -+ ## 4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group -+ ### Level 2 -+ # Needs rule -+ -+ ## 4.39-ensure-no-duplicate-uids-exist -+ ### Level 2 -+ - account_unique_id -+ -+ ## 4.40-ensure-no-duplicate-gids-exist -+ ### Level 2 -+ - group_unique_id -+ -+ ## 4.41-ensure-no-duplicate-user-names-exist -+ ### Level 2 -+ # Needs rule -+ -+ ## 4.42-ensure-no-duplicate-group-names-exist -+ ### Level 2 -+ - group_unique_name -+ -+ ## 4.43-ensure-all-users-home-directories-exist -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.44-ensure-sctp-is-disabled -+ ### Level 1 -+ - kernel_module_sctp_disabled -+ -+ ## 4.45-ensure-dccp-is-disabled -+ ### Level 1 -+ - kernel_module_dccp_disabled -+ -+ ## 4.46-ensure-wireless-interfaces-are-disabled -+ ### Level 1 -+ - wireless_disable_interfaces -+ -+ ## 4.47-ensure-ip-forwarding-is-disabled -+ ### Level 1 -+ - sysctl_net_ipv4_ip_forward -+ - sysctl_net_ipv6_conf_all_forwarding -+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled -+ -+ ## 4.48-ensure-packet-redirect-sending-is-disabled -+ ### Level 1 -+ - sysctl_net_ipv4_conf_all_send_redirects -+ - sysctl_net_ipv4_conf_default_send_redirects -+ -+ ## 4.49-ensure-source-routed-packets-are-not-accepted -+ ### Level 1 -+ - sysctl_net_ipv4_conf_all_accept_source_route -+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -+ - sysctl_net_ipv4_conf_default_accept_source_route -+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -+ - sysctl_net_ipv6_conf_all_accept_source_route -+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_source_route -+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled -+ -+ ## 4.50-ensure-icmp-redirects-are-not-accepted -+ ### Level 1 -+ - sysctl_net_ipv4_conf_all_accept_redirects -+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -+ - sysctl_net_ipv4_conf_default_accept_redirects -+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -+ - sysctl_net_ipv6_conf_all_accept_redirects -+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_redirects -+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -+ -+ ## 4.51-ensure-secure-icmp-redirects-are-not-accepted -+ ### Level 1 -+ - sysctl_net_ipv4_conf_all_secure_redirects -+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled -+ - sysctl_net_ipv4_conf_default_secure_redirects -+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled -+ -+ ## 4.52-ensure-suspicious-packets-are-logged -+ ### Level 1 -+ - sysctl_net_ipv4_conf_all_log_martians -+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled -+ - sysctl_net_ipv4_conf_default_log_martians -+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled -+ -+ ## 4.53-ensure-broadcast-icmp-requests-are-ignored -+ ### Level 1 -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -+ -+ ## 4.54-ensure-bogus-icmp-responses-are-ignored -+ ### Level 1 -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -+ -+ ## 4.55-ensure-reverse-path-filtering-is-enabled -+ ### Level 1 -+ - sysctl_net_ipv4_conf_all_rp_filter -+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled -+ - sysctl_net_ipv4_conf_default_rp_filter -+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled -+ -+ ## 4.56-ensure-tcp-syn-cookies-is-enabled -+ ### Level 1 -+ - sysctl_net_ipv4_tcp_syncookies -+ - sysctl_net_ipv4_tcp_syncookies_value=enabled -+ -+ ## 4.57-ensure-ipv6-router-advertisements-are-not-accepted -+ ### Level 1 -+ - sysctl_net_ipv6_conf_all_accept_ra -+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_ra -+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled -+ -+ ## 4.58-ensure-a-firewall-package-is-installed -+ ### Level 1 -+ - package_firewalld_installed -+ -+ ## 4.59-ensure-firewalld-service-is-enabled-and-running -+ ### Level 1 -+ - service_firewalld_enabled -+ -+ ## 4.60-ensure-iptables-is-not-enabled -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.61-ensure-nftables-is-not-enabled -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.62-ensure-nftables-service-is-enabled -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.63-ensure-iptables-packages-are-installed -+ ### Level 1 -+ - package_iptables_installed -+ -+ ## 4.64-ensure-nftables-is-not-installed -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.66-ensure-system-histsize-as-100-or-other -+ ### Level 1 -+ # Needs rule -+ -+ ## 4.67-ensure-system-histfilesize-100 -+ ### Level 1 -+ # Needs rule -+ -+ ## 5.1-ensure-selinux-is-installed -+ ### Level 1 -+ # Needs rule -+ -+ ## 5.2-ensure-selinux-policy-is-configured -+ ### Level 3 -+ # Needs rule -+ -+ ## 5.3-ensure-the-selinux-mode-is-enabled -+ ### Level 3 -+ # Needs rule -+ -+ ## 5.4-ensure-the-selinux-mode-is-enforcing -+ ### Level 3 -+ # Needs rule -+ -+ ## 5.5-ensure-no-unconfined-services-exist -+ ### Level 4 -+ # Needs rule -+ -+ ## 5.6-use-selinux-for-separation-of-powers-user-created -+ ### Level 4 -+ # Needs rule -+ -+ ## 5.7-use-selinux-for-separation-of-powers-system-administrator-login-permission-configuration -+ ### Level 4 -+ # Needs rule -\ No newline at end of file -diff --git a/products/anolis8/transforms/constants.xslt b/products/anolis8/transforms/constants.xslt -new file mode 100644 -index 0000000000..c3323b4a52 ---- /dev/null -+++ b/products/anolis8/transforms/constants.xslt -@@ -0,0 +1,10 @@ -+ -+ -+ -+ -+Anolis OS 8 -+Anolis 8 -+empty -+anolis -+ -+ -diff --git a/products/anolis8/transforms/table-style.xslt b/products/anolis8/transforms/table-style.xslt -new file mode 100644 -index 0000000000..218d0f7542 ---- /dev/null -+++ b/products/anolis8/transforms/table-style.xslt -@@ -0,0 +1,5 @@ -+ -+ -+ -+ -+ -diff --git a/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt b/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt -new file mode 100644 -index 0000000000..4789419b80 ---- /dev/null -+++ b/products/anolis8/transforms/xccdf-apply-overlay-stig.xslt -@@ -0,0 +1,8 @@ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/products/anolis8/transforms/xccdf2table-cce.xslt b/products/anolis8/transforms/xccdf2table-cce.xslt -new file mode 100644 -index 0000000000..1ffb22215c ---- /dev/null -+++ b/products/anolis8/transforms/xccdf2table-cce.xslt -@@ -0,0 +1,9 @@ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/products/anolis8/transforms/xccdf2table-profileccirefs.xslt b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt -new file mode 100644 -index 0000000000..5a104d956f ---- /dev/null -+++ b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt -@@ -0,0 +1,9 @@ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/shared/checks/oval/installed_OS_is_anolis8.xml b/shared/checks/oval/installed_OS_is_anolis8.xml -new file mode 100644 -index 0000000000..c662d8c960 ---- /dev/null -+++ b/shared/checks/oval/installed_OS_is_anolis8.xml -@@ -0,0 +1,28 @@ -+ -+ -+ -+ Anolis OS 8 -+ -+ multi_platform_all -+ -+ -+ The operating system installed on the system is Anolis OS 8 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^8.*$ -+ -+ -+ anolis-release -+ -+ -+ -diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -index f971d28a04..94967843fa 100644 ---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml -@@ -3,6 +3,7 @@ - - Kernel Runtime Parameter IPv6 Check - -+ multi_platform_anolis - multi_platform_debian - multi_platform_example - multi_platform_fedora -diff --git a/ssg/constants.py b/ssg/constants.py -index d73c6012f3..1c01f6fead 100644 ---- a/ssg/constants.py -+++ b/ssg/constants.py -@@ -41,6 +41,7 @@ SSG_REF_URIS = { - product_directories = [ - 'alinux2', - 'alinux3', -+ 'anolis8', - 'chromium', - 'debian9', 'debian10', 'debian11', - 'example', -@@ -195,6 +196,7 @@ PKG_MANAGER_TO_CONFIG_FILE = { - FULL_NAME_TO_PRODUCT_MAPPING = { - "Alinux 2": "alinux2", - "Alinux 3": "alinux3", -+ "Anolis OS 8": "anolis8", - "Chromium": "chromium", - "Debian 9": "debian9", - "Debian 10": "debian10", -@@ -266,11 +268,12 @@ REFERENCES = dict( - - MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", - "opensuse", "sle", "ol", "ocp", "rhcos", -- "example", "eks", "alinux", "uos"] -+ "example", "eks", "alinux", "uos", "anolis"] - - MULTI_PLATFORM_MAPPING = { - "multi_platform_alinux": ["alinux2"], - "multi_platform_alinux": ["alinux3"], -+ "multi_platform_anolis": ["anolis8"], - "multi_platform_debian": ["debian9", "debian10", "debian11"], - "multi_platform_example": ["example"], - "multi_platform_eks": ["eks"], -@@ -436,6 +439,7 @@ XCCDF_PLATFORM_TO_PACKAGE = { - # _version_name_map = { - MAKEFILE_ID_TO_PRODUCT_MAP = { - 'alinux': 'Alibaba Cloud Linux', -+ 'anolis': 'Anolis OS', - 'chromium': 'Google Chromium Browser', - 'fedora': 'Fedora', - 'firefox': 'Mozilla Firefox', -diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py -index 095191dd2d..b55a217ab7 100644 ---- a/tests/unit/ssg-module/test_utils.py -+++ b/tests/unit/ssg-module/test_utils.py -@@ -12,7 +12,7 @@ def test_is_applicable(): - - assert not ssg.utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7') - assert not ssg.utils.is_applicable('ol7', 'rhel7') -- assert not ssg.utils.is_applicable('alinux2,alinux3,fedora,debian9,debian10,debian11,uos20', -+ assert not ssg.utils.is_applicable('alinux2,alinux3,anolis8,fedora,debian9,debian10,debian11,uos20', - 'rhel7') - - --- -2.31.1 - diff --git a/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch b/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch new file mode 100644 index 0000000..625ed24 --- /dev/null +++ b/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch @@ -0,0 +1,106 @@ +From 5e28d4aa823560545e6b49d58e55aecb572f6bd9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 7 Feb 2023 10:53:18 +0100 +Subject: [PATCH 4/5] Change custom zones check in firewalld_sshd_port_enabled + +Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch +Patch-status: Change custom zones check in firewalld_sshd_port_enabled +--- + .../oval/shared.xml | 68 +++++++++++++++---- + 1 file changed, 54 insertions(+), 14 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +index 4adef2e53f..d7c96665b4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml +@@ -133,9 +133,10 @@ + OVAL resources in order to detect and assess only active zone, which are zones with at + least one NIC assigned to it. Since it was possible to easily have the list of active + zones, it was cumbersome to use that list in other OVAL objects without introduce a high +- level of complexity to make sure environments with multiple NICs and multiple zones are +- in use. So, in favor of simplicity and readbility it was decided to work with a static +- list. It means that, in the future, it is possible this list needs to be updated. --> ++ level of complexity to ensure proper assessment in environments where multiple NICs and ++ multiple zones are in use. So, in favor of simplicity and readbility it was decided to ++ work with a static list. It means that, in the future, it is possible this list needs to ++ be updated. --> + +@@ -145,23 +146,62 @@ + +- ++ +- +- +- ++ ++ ++ ++ ++ ++ var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count ++ ++ ++ ++ ++ ++ ++ + + +- /etc/firewalld/zones +- ^.*\.xml$ +- /zone/service[@name='ssh'] ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ /zone/service[@name='ssh'] + + +- +- /zone/service[@name='ssh'] +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/firewalld/zones ++ ^.*\.xml$ ++ + + + +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- state_permissions_ignore_hidden_paths +- +- +- +- +- ^.*\/\..*$ +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfp_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfp_syslog_config +- +- +- +- +- +- object_var_rfp_include_config_regex +- object_var_rfp_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_permissions_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- false +- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} +- true +- {{% else %}} +- false +- {{% endif %}} +- false +- false +- false +- false +- false +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +index 508ff73cde..042c35362d 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml +@@ -1,18 +1,24 @@ ++{{%- if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} ++ {{%- set rsyslog_perm='640' %}} ++{{%- else %}} ++ {{%- set rsyslog_perm='600' %}} ++{{%- endif %}} ++ + documentation_complete: true + + title: 'Ensure System Log Files Have Correct Permissions' + + description: |- + The file permissions for all log files written by rsyslog should +- be set to 600, or more restrictive. These log files are determined by the ++ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the + second part of each Rule line in /etc/rsyslog.conf and typically + all appear in /var/log. For each log file LOGFILE + referenced in /etc/rsyslog.conf, run the following command to + inspect the file's permissions: + 
$ ls -l LOGFILE
+- If the permissions are not 600 or more restrictive, run the following ++ If the permissions are not {{{ rsyslog_perm }}} or more restrictive, run the following + command to correct this: +- 
$ sudo chmod 0600 LOGFILE
" ++ 
$ sudo chmod {{{ rsyslog_perm }}} LOGFILE
" + + rationale: |- + Log files can contain valuable information regarding system +@@ -46,9 +52,23 @@ ocil_clause: 'the permissions are not correct' + + ocil: |- + The file permissions for all log files written by rsyslog should +- be set to 600, or more restrictive. These log files are determined by the ++ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the + second part of each Rule line in /etc/rsyslog.conf and typically + all appear in /var/log. To see the permissions of a given log + file, run the following command: + 
$ ls -l LOGFILE
+- The permissions should be 600, or more restrictive. ++ The permissions should be {{{ rsyslog_perm }}}, or more restrictive. ++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: permissions ++ value: '0600' ++ value@debian10: '0640' ++ value@debian11: '0640' ++ value@sle12: '0640' ++ value@sle15: '0640' ++ value@ubuntu1604: '0640' ++ value@ubuntu1804: '0640' ++ value@ubuntu2004: '0640' ++ value@ubuntu2204: '0640' +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh +deleted file mode 100755 +index c27e7874d9..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh ++++ /dev/null +@@ -1,40 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. +-# test $IncludeConfig with wildcard (*.conf) +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh +deleted file mode 100755 +index 124b5e863e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. +-# test $IncludeConfig with wildcard (*.conf) +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh +deleted file mode 100755 +index a6ff6a1109..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh +deleted file mode 100755 +index 2ae5c89a4e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh ++++ /dev/null +@@ -1,40 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +deleted file mode 100755 +index a5a2f67fad..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh ++++ /dev/null +@@ -1,85 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from $IncludeConfig passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 5 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} +- +-# create test configuration files +-conf_subdir=${RSYSLOG_TEST_DIR}/subdir +-conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir +-mkdir ${conf_subdir} +-mkdir ${conf_hiddir} +- +-test_conf_in_subdir=${conf_subdir}/in_subdir.conf +-test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak +- +-test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +-test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf +- +-cat << EOF > ${test_conf_in_subdir} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-cat << EOF > ${test_conf_name_bak} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-cat << EOF > ${test_conf_in_hiddir} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[3]} +-EOF +- +-cat << EOF > ${test_conf_dot_name} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[4]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}" mode="optional") +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +deleted file mode 100755 +index fe4db0a3c9..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh ++++ /dev/null +@@ -1,86 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 5 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} +- +-# create test configuration files +-conf_subdir=${RSYSLOG_TEST_DIR}/subdir +-conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir +-mkdir ${conf_subdir} +-mkdir ${conf_hiddir} +- +-test_conf_in_subdir=${conf_subdir}/in_subdir.conf +-test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak +- +-test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +-test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf +- +-cat << EOF > ${test_conf_in_subdir} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-cat << EOF > ${test_conf_name_bak} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-cat << EOF > ${test_conf_in_hiddir} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[3]} +-EOF +- +-cat << EOF > ${test_conf_dot_name} +-# rsyslog configuration file +-# not used +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[4]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +-include(file="${RSYSLOG_TEST_DIR}" mode="optional") +- +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +-\$IncludeConfig ${RSYSLOG_TEST_DIR} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh +deleted file mode 100755 +index eabcb21956..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from multiline include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh +deleted file mode 100755 +index 32cd4c334a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0600 from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh +deleted file mode 100755 +index 357d4f9718..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh ++++ /dev/null +@@ -1,52 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0600 from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh +deleted file mode 100755 +index 7bdb830c00..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh ++++ /dev/null +@@ -1,53 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh +deleted file mode 100644 +index 9b0185c6b2..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh ++++ /dev/null +@@ -1,53 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create hidden test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh +deleted file mode 100644 +index b929f2a94a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh ++++ /dev/null +@@ -1,45 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permisssions 0600 from rules and +-# log file permissions 0601 from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_PASS=0600 +-PERMS_FAIL=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# Skip creation test2 configuration file +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh +deleted file mode 100644 +index 2eb515a43e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh ++++ /dev/null +@@ -1,23 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[@]} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh +deleted file mode 100755 +index fd3f9e92ec..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 +- +-# Check rsyslog.conf with log file permissions 0600 from rules and +-# log file permissions 0601 from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS_FAIL=0601 +- +-PERMS_PASS=0600 +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +-chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh +deleted file mode 100644 +index 7a598626d0..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh ++++ /dev/null +@@ -1,22 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-source $SHARED/rsyslog_log_utils.sh +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files and permissions +-chmod 0600 ${RSYSLOG_TEST_LOGS[0]} +-chmod 0601 ${RSYSLOG_TEST_LOGS[1]} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh +new file mode 100755 +index 0000000000..b3846fec47 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh +@@ -0,0 +1,25 @@ ++#!/bin/bash ++# platform = multi_platform_sle,multi_platform_ubuntu ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++CHATTR="chmod" ++ATTR_VALUE="0640" ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh +new file mode 100755 +index 0000000000..0b4cb5dce0 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh +@@ -0,0 +1,25 @@ ++#!/bin/bash ++# platform = multi_platform_all ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++CHATTR="chmod" ++ATTR_VALUE="0400" ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh +deleted file mode 100755 +index fbdcd18f77..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh ++++ /dev/null +@@ -1,35 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with permissions 0600 in rsyslog.conf passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0600 +- +-# setup test data +-create_rsyslog_test_logs 4 +- +-# setup all files with incorrect permission +-chmod 0601 "${RSYSLOG_TEST_LOGS[@]}" +- +-# setup the real logfile with correct permissions +-chmod $PERMS "${RSYSLOG_TEST_LOGS[0]}" +- +-# add rule with 0600 permissions log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +- *.* ${RSYSLOG_TEST_LOGS[1]} +- +-authpriv.* /nonexistent_file +- +-# *.* /irrelevant_file +- +-\$something /irrelevant_file +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh +deleted file mode 100755 +index 75e9558c63..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh ++++ /dev/null +@@ -1,34 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with permissions 0601 in rsyslog.conf fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-PERMS=0601 +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log file and permissions +-chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with 0601 permissions log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-cron.* /nonexistent_file +- +- authpriv.* /irrelevant_file +- +-# *.* /irrelevant_file +- +-\$something /irrelevant_file +- +-something.* ${RSYSLOG_TEST_LOGS[2]} +- +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +index fc9e8844b6..81d6220415 100644 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +@@ -20,7 +20,7 @@ + - name: '{{{ rule_title }}} - Get include files directives' + ansible.builtin.shell: | + set -o pipefail +- grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true ++ awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true + register: rsyslog_new_inc + changed_when: False + +@@ -61,8 +61,9 @@ + - name: '{{{ rule_title }}} -Setup log files attribute' + ansible.builtin.file: + path: "{{ item }}" +- owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' +- group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' ++ {{{ 'owner: ' ~ VALUE if ATTRIBUTE == "owner" }}} ++ {{{- 'group: ' ~ VALUE if ATTRIBUTE == "groupowner" }}} ++ {{{- 'mode: ' ~ VALUE if ATTRIBUTE == "permissions" }}} + state: file + loop: "{{ log_files | list | flatten | unique }}" + failed_when: false +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +index ab4a563dc5..d6755d5692 100644 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +@@ -48,7 +48,8 @@ do + # * Strip quotes and closing brackets from paths. + # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files + # * From the remaining valid rows select only fields constituting a log file path +- # Text file column is understood to represent a log file path if and only if all of the following are met: ++ # Text file column is understood to represent a log file path if and only if all of the ++ # following are met: + # * it contains at least one slash '/' character, + # * it is preceded by space + # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters +@@ -60,8 +61,8 @@ do + FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") +- # Since above sed command might return more than one item (delimited by newline), split the particular +- # matches entries into new array specific for this log file ++ # Since above sed command might return more than one item (delimited by newline), split ++ # the particular matches entries into new array specific for this log file + readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" + # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with + # items from newly created array for this log file +@@ -71,7 +72,8 @@ do + fi + done + +-# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly ++# Check for RainerScript action log format which might be also multiline so grep regex is a bit ++# curly: + # extract possibly multiline action omfile expressions + # extract File="logfile" expression + # match only "logfile" expression +@@ -82,22 +84,10 @@ do + LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") + done + +-FILE_PARAM="{{{ ATTRIBUTE }}}" +-FILE_CMD="" +-case "$FILE_PARAM" in +- "groupowner") +- FILE_CMD=$(which chgrp) +- ;; +- "owner") +- FILE_CMD=$(which chown) +- ;; +- *) +- echo -n "Not supported file attribute! " +- exit 1 +- ;; +-esac +- +-# Correct the form o ++# Ensure the correct attribute if file exists ++{{{ 'FILE_CMD="chown"' if ATTRIBUTE == "owner" }}} ++{{{- 'FILE_CMD="chgrp"' if ATTRIBUTE == "groupowner" }}} ++{{{- 'FILE_CMD="chmod"' if ATTRIBUTE == "permissions" }}} + for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" + do + # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing +@@ -105,6 +95,5 @@ do + then + continue + fi +- +- $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" ++ $FILE_CMD "{{{ VALUE }}}" "$LOG_FILE_PATH" + done +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +index 4f288df1c9..243d678852 100644 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +@@ -3,59 +3,57 @@ + {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} + + {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} +- ++ + {{% endif %}} +- ++ + +- + + +- +- +- ++ ++ + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ ++ operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + + ++ comment="rsyslog's include config values converted to regex."> + + + ++ object_ref="object_{{{ _RULE_ID }}}_include_config_value"/> + + + + +- +- ++ ++ + var_{{{ _RULE_ID }}}_include_config_regex + + +- ++ + ^/etc/rsyslog.conf$ + + +- ++ + var_{{{ _RULE_ID }}}_syslog_config + + +- +- ++ ++ + + object_var_{{{ _RULE_ID }}}_include_config_regex + object_var_{{{ _RULE_ID }}}_syslog_config +@@ -64,74 +62,72 @@ + + +- +- ++ ++ + + +- +- +- +- +- ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ ++ ++ ++ ++ ++ ^\s*[^(\s|#|\$)]+\s+.*\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ + 1 +- state_{{{ _RULE_ID }}}_ownership_ignore_include_paths ++ state_{{{ _RULE_ID }}}_ignore_include_paths + + +- +- ++ ++ + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) + + + ++ retrieved from the different rsyslog configuration files. --> + +- ++ comment="File paths of all rsyslog log files"> ++ + + +- +- +- ++ ++ ++ + + + +- +- ++ ++ + + + + regular + {{% if ATTRIBUTE == "groupowner" %}} + {{{ VALUE }}} +- {{% else %}} ++ {{% elif ATTRIBUTE == "owner" %}} + {{{ VALUE }}} ++ {{% else %}} ++ {{{ STATEMODE | indent(4) }}} + {{% endif %}} + +- + +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.py b/shared/templates/rsyslog_logfiles_attributes_modify/template.py +new file mode 100644 +index 0000000000..9ea31c9a6b +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.py +@@ -0,0 +1,18 @@ ++def preprocess(data, lang): ++ if lang == "oval" and data["attribute"] == 'permissions': ++ # create STATEMODE used in the OVAL template by processing the octal permission and ++ # creating the equivalent permission fields of "unix:file_state" element. ++ mode = data["value"] ++ fields = [ ++ 'oexec', 'owrite', 'oread', 'gexec', 'gwrite', 'gread', ++ 'uexec', 'uwrite', 'uread', 'sticky', 'sgid', 'suid'] ++ mode_int = int(mode, 8) ++ mode_str = "" ++ for field in fields: ++ if mode_int & 0x01 == 0: ++ mode_str = ( ++ "false\n{mode_str}".format( ++ field=field, mode_str=mode_str)) ++ mode_int = mode_int >> 1 ++ data["statemode"] = mode_str.rstrip("\n") ++ return data +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index db7e5261eb..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,50 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +deleted file mode 100755 +index d79ae23cfc..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh ++++ /dev/null +@@ -1,50 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +deleted file mode 100644 +index 7869a180a8..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh ++++ /dev/null +@@ -1,75 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-{{% if ATTRIBUTE == "owner" %}} +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +-{{% else %}} +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +-{{% endif %}} +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +deleted file mode 100755 +index e80395ca99..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh ++++ /dev/null +@@ -1,46 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index e7b4905dc5..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,63 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# non root user log from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" +-CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" +-CHATTR="chgrp" +-{{% endif %}} +- +-USER_ROOT=root +- +-USER_TEST=testssg +-$ADDCOMMAND $USER_TEST +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +deleted file mode 100755 +index 6389e6ea3b..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ /dev/null +@@ -1,58 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[2]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +deleted file mode 100755 +index 6b81a77c2f..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh ++++ /dev/null +@@ -1,59 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 3 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create test2 configuration file +-test_conf2=${RSYSLOG_TEST_DIR}/test2.conf +-cat << EOF > ${test_conf2} +-# rsyslog configuration file +- +-#### RULES #### +- +- +-*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +- +-\$IncludeConfig ${test_conf2} +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +deleted file mode 100755 +index 78b105abf3..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh ++++ /dev/null +@@ -1,47 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root user log from rules and +-# root user log from multiline include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +deleted file mode 100755 +index afce21fa27..0000000000 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with root user in rsyslog.conf passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-{{% if ATTRIBUTE == "owner" %}} +-CHATTR="chown" +-{{% else %}} +-CHATTR="chgrp" +-{{% endif %}} +- +-USER=root +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with root user owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +similarity index 53% +rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +index 1afe20823c..dc362ae003 100755 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh +@@ -1,33 +1,31 @@ + #!/bin/bash + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + +-# Check if log file with non root user in rsyslog.conf fails. +- ++# Declare variables used for the tests and define the create_rsyslog_test_logs function + source $SHARED/rsyslog_log_utils.sh + + {{% if ATTRIBUTE == "owner" %}} +-ADDCOMMAND="useradd" + CHATTR="chown" +-{{% else %}} +-ADDCOMMAND="groupadd" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} + CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" + {{% endif %}} + +-USER=testssg +- +-$ADDCOMMAND $USER +- +-# setup test data ++# create one test log file + create_rsyslog_test_logs 1 + +-# setup test log file ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} + +-# add rule with non-root user owned log file ++# add rule with test log file + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + + #### RULES #### +- + *.* ${RSYSLOG_TEST_LOGS[0]} ++ + EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh +similarity index 51% +rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh +index b03268fe3e..c742f41039 100755 +--- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh +@@ -1,45 +1,45 @@ + #!/bin/bash + # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + +-# Check rsyslog.conf with root user log from rules and +-# root user log from $IncludeConfig passes. +- ++# Declare variables used for the tests and define the create_rsyslog_test_logs function + source $SHARED/rsyslog_log_utils.sh + + {{% if ATTRIBUTE == "owner" %}} + CHATTR="chown" +-{{% else %}} ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} + CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" + {{% endif %}} + +-USER=root +- +-# setup test data ++# create two test log file + create_rsyslog_test_logs 2 + +-# setup test log files ownership +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} +-$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} + +-# create test configuration file ++# create test configuration file with rule for second test log file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf + cat << EOF > ${test_conf} +-# rsyslog configuration file ++# rsyslog test configuration file + + #### RULES #### +- + *.* ${RSYSLOG_TEST_LOGS[1]} ++ + EOF + +-# create rsyslog.conf configuration file ++# add rule with first test log file plus an include statement + cat << EOF > $RSYSLOG_CONF + # rsyslog configuration file + + #### RULES #### +- + *.* ${RSYSLOG_TEST_LOGS[0]} + + #### MODULES #### +- + \$IncludeConfig ${test_conf} ++ + EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..a12d0bc653 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh +@@ -0,0 +1,50 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create two test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# create test configuration file with rule for second test log file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog test configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# add rule with first test log file plus an include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf} ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..25430db033 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create one test log file ++create_rsyslog_test_logs 1 ++ ++# setup test log file property ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]} ++ ++# add rule with non-root user owned log file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh +new file mode 100755 +index 0000000000..c1c5758d80 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh +new file mode 100755 +index 0000000000..0235130534 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh +@@ -0,0 +1,58 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 3 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]} ++ ++# create first test configuration file with legacy rule for second test log file ++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf ++cat << EOF > ${test_conf1} ++# rsyslog test configuration file with legacy syntax ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# create second test configuration file with RainerScript rule for third test log file ++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf ++cat << EOF > ${test_conf2} ++# rsyslog test configuration file with RainerScript syntax ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}") ++ ++EOF ++ ++# add rule with first test log file plus two mixed include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf1} ++ ++include(file="${test_conf2}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh +new file mode 100755 +index 0000000000..bed0afaf5e +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh +@@ -0,0 +1,63 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 3 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]} ++ ++# create first test configuration file with legacy rule for second test log file ++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf ++cat << EOF > ${test_conf1} ++# rsyslog test configuration file with legacy syntax ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# create second test configuration file with RainerScript rule for third test log file ++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf ++cat << EOF > ${test_conf2} ++# rsyslog test configuration file with RainerScript syntax ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}") ++ ++EOF ++ ++# add rule with first test log file plus two mixed include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf1} ++ ++include(file="${test_conf2}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh +new file mode 100755 +index 0000000000..83c69b3a17 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh +@@ -0,0 +1,63 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 3 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[2]} ++ ++# create first test configuration file with legacy rule for second test log file ++test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf ++cat << EOF > ${test_conf1} ++# rsyslog test configuration file with legacy syntax ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF ++ ++# create second test configuration file with RainerScript rule for third test log file ++test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf ++cat << EOF > ${test_conf2} ++# rsyslog test configuration file with RainerScript syntax ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}") ++ ++EOF ++ ++# add rule with first test log file plus two mixed include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++ ++#### MODULES #### ++\$IncludeConfig ${test_conf1} ++ ++include(file="${test_conf2}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh +new file mode 100755 +index 0000000000..43a6f2648d +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh +new file mode 100755 +index 0000000000..f459e7377b +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh +new file mode 100755 +index 0000000000..67193b69d8 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh +@@ -0,0 +1,38 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create three test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# add rules with both syntax for different test log files ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* ${RSYSLOG_TEST_LOGS[0]} ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh +new file mode 100755 +index 0000000000..abdb09c485 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh +@@ -0,0 +1,31 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create one test log file ++create_rsyslog_test_logs 1 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++ ++# add rule with test log file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh +new file mode 100755 +index 0000000000..8b73578e39 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh +@@ -0,0 +1,45 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create two test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# create test configuration file with rule for second test log file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog test configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF ++ ++# add rule with first test log file plus an include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++#### MODULES #### ++include(file="${test_conf}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..4c25c09e2e +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh +@@ -0,0 +1,50 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create two test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# create test configuration file with rule for second test log file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog test configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF ++ ++# add rule with first test log file plus an include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++#### MODULES #### ++include(file="${test_conf}") ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh +new file mode 100755 +index 0000000000..508a5cf6eb +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh +@@ -0,0 +1,47 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++{{% endif %}} ++ ++# create two test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# create test configuration file with rule for second test log file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog test configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF ++ ++# add rule with first test log file plus an include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++#### MODULES #### ++include( ++ file="${test_conf}" ++) ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..49fada4cd4 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh +@@ -0,0 +1,52 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_VALUE="root" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_VALUE="0600" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create two test log file ++create_rsyslog_test_logs 2 ++ ++# setup test log file property ++$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]} ++ ++# create test configuration file with rule for second test log file ++test_conf=${RSYSLOG_TEST_DIR}/test1.conf ++cat << EOF > ${test_conf} ++# rsyslog test configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") ++ ++EOF ++ ++# add rule with first test log file plus an include statement ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++#### MODULES #### ++include( ++ file="${test_conf}" ++) ++ ++EOF +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh +new file mode 100755 +index 0000000000..b17eb6b744 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle ++ ++# Declare variables used for the tests and define the create_rsyslog_test_logs function ++source $SHARED/rsyslog_log_utils.sh ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++ATTR_INCORRECT_VALUE="cac_testuser" ++useradd $ATTR_INCORRECT_VALUE ++{{% elif ATTRIBUTE == "groupowner" %}} ++CHATTR="chgrp" ++ATTR_INCORRECT_VALUE="cac_testgroup" ++groupadd $ATTR_INCORRECT_VALUE ++{{% else %}} ++CHATTR="chmod" ++ATTR_INCORRECT_VALUE="0666" ++{{% endif %}} ++ ++# create one test log file ++create_rsyslog_test_logs 1 ++ ++# setup test log file property ++$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]} ++ ++# add rule with non-root user owned log file ++cat << EOF > $RSYSLOG_CONF ++# rsyslog configuration file ++ ++#### RULES #### ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}") ++ ++EOF +-- +2.39.1 + diff --git a/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch b/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch new file mode 100644 index 0000000..9543446 --- /dev/null +++ b/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch @@ -0,0 +1,1950 @@ +From 7d188e88ef47a50714b127658b4138540af8396c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 7 Feb 2023 10:53:17 +0100 +Subject: [PATCH 2/5] Rsyslog files rules remediations + +Patch-name: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch +Patch-status: Rsyslog files rules remediations +--- + controls/cis_sle12.yml | 4 +- + controls/cis_sle15.yml | 4 +- + .../file_groupowner_logfiles_value.var | 18 --- + .../oval/shared.xml | 116 --------------- + .../rsyslog_files_groupownership/rule.yml | 39 ++++- + .../tests/IncludeConfig_is_other.fail.sh | 42 ------ + .../tests/IncludeConfig_is_root.pass.sh | 39 ----- + .../tests/include_is_other.fail.sh | 42 ------ + .../tests/include_is_root.pass.sh | 39 ----- + .../tests/include_multiline_is_root.pass.sh | 41 ------ + .../tests/is_other.fail.sh | 25 ---- + .../tests/is_root.pass.sh | 24 --- + .../rsyslog_files_ownership/oval/shared.xml | 114 --------------- + .../rsyslog_files_ownership/rule.yml | 44 +++++- + .../ansible/shared.yml | 12 ++ + .../rsyslog_logging_configured/bash/shared.sh | 7 + + .../oval/shared.xml | 41 ++++++ + .../rsyslog_logging_configured/rule.yml | 34 +++++ + ...with_everything_logged_to_messages.pass.sh | 13 ++ + .../rsyslog_file_with_no_logging.fail.sh | 12 ++ + .../profiles/anssi_np_nt28_average.profile | 2 - + products/debian10/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/debian11/profiles/standard.profile | 2 - + products/rhel7/profiles/rht-ccp.profile | 2 - + products/rhel8/profiles/rht-ccp.profile | 2 - + .../profiles/anssi_bp28_intermediary.profile | 1 + + products/sle15/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/ubuntu1604/profiles/standard.profile | 2 - + .../profiles/anssi_np_nt28_average.profile | 2 - + products/ubuntu1804/profiles/standard.profile | 2 - + products/ubuntu2004/profiles/standard.profile | 2 - + products/ubuntu2204/profiles/standard.profile | 2 - + shared/references/cce-sle12-avail.txt | 1 - + shared/references/cce-sle15-avail.txt | 1 - + .../ansible.template | 68 +++++++++ + .../bash.template | 110 ++++++++++++++ + .../oval.template | 137 ++++++++++++++++++ + .../template.yml | 4 + + .../tests/IncludeConfig_is_other.fail.sh | 14 +- + .../tests/IncludeConfig_is_root.pass.sh | 10 +- + .../tests/include_is_other.fail.sh | 14 +- + ...udeConfig_is_other_RainerLogClause.fail.sh | 37 ++++- + .../tests/include_is_root.pass.sh | 11 +- + ...ude_is_root_IncludeConfig_is_other.fail.sh | 16 +- + ...lude_is_root_IncludeConfig_is_root.pass.sh | 12 +- + ...ludeConfig_is_root_RainerLogClause.pass.sh | 22 +-- + .../tests/include_multiline_is_root.pass.sh | 10 +- + .../tests/is_other.fail.sh | 12 +- + .../tests/is_root.pass.sh | 8 +- + 51 files changed, 648 insertions(+), 576 deletions(-) + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh + delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh + delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh + create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/ansible.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/bash.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/oval.template + create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/template.yml + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_other.fail.sh (75%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_other.fail.sh (75%) + rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh (50%) + mode change 100755 => 100644 + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_other.fail.sh (77%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_root.pass.sh (82%) + rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh (65%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_multiline_is_root.pass.sh (81%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_other.fail.sh (70%) + rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_root.pass.sh (77%) + +diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml +index 5c464fe556..8576343b9d 100644 +--- a/controls/cis_sle12.yml ++++ b/controls/cis_sle12.yml +@@ -1321,7 +1321,9 @@ controls: + levels: + - l1_server + - l1_workstation +- status: manual ++ automated: yes ++ rules: ++ - rsyslog_logging_configured + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) +diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml +index 36d7616f90..f82341a038 100644 +--- a/controls/cis_sle15.yml ++++ b/controls/cis_sle15.yml +@@ -1469,7 +1469,9 @@ controls: + levels: + - l1_server + - l1_workstation +- status: manual ++ automated: yes ++ rules: ++ - rsyslog_logging_configured + + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var +deleted file mode 100644 +index 7ebf8c191a..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var ++++ /dev/null +@@ -1,18 +0,0 @@ +-documentation_complete: true +- +-title: 'group who owns log files' +- +-description: |- +- Specify group owner of all logfiles specified in +- /etc/rsyslog.conf. +- +-type: string +- +-operator: equals +- +-interactive: false +- +-options: +- default: root +- adm: adm +- root: root +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +deleted file mode 100644 +index 4567f4d411..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml ++++ /dev/null +@@ -1,116 +0,0 @@ +- +- +- {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}} +- +- +- {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} +- +- {{% endif %}} +- +- +- +- +- +- +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfg_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfg_syslog_config +- +- +- +- +- +- object_var_rfg_include_config_regex +- object_var_rfg_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_groupownership_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu2004", "ubuntu2204"] %}} +- 4 +- {{% else %}} +- 0 +- {{% endif %}} +- +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +index 4f797f4a21..13c89d90c5 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml +@@ -4,15 +4,30 @@ title: 'Ensure Log Files Are Owned By Appropriate Group' + + description: |- + The group-owner of all log files written by +- rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. ++ rsyslog should be ++{{% if 'debian' in product or 'ubuntu' in product %}} ++ adm. ++{{% else %}} ++ root. ++{{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's group owner: + 
$ ls -l LOGFILE
+- If the owner is not {{{ xccdf_value("file_groupowner_logfiles_value") }}}, run the following command to ++ If the owner is not ++ {{% if 'debian' in product or 'ubuntu' in product %}} ++ adm, ++ {{% else %}} ++ root, ++ {{% endif %}} ++ run the following command to + correct this: +- 
$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} LOGFILE
++{{% if 'debian' in product or 'ubuntu' in product %}} ++ 
$ sudo chgrp adm LOGFILE
++{{% else %}} ++ 
$ sudo chgrp root LOGFILE
++{{% endif %}} + + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -47,8 +62,24 @@ references: + ocil_clause: 'the group-owner is not correct' + + ocil: |- +- The group-owner of all log files written by rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. ++ The group-owner of all log files written by rsyslog should be ++ {{% if 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the group-owner of a given log file, run the following command: + 
$ ls -l LOGFILE
++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: groupowner ++ value: 0 ++ value@debian10: 4 ++ value@debian11: 4 ++ value@ubuntu1604: 4 ++ value@ubuntu2004: 4 ++ value@ubuntu2204: 4 +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh +deleted file mode 100755 +index 575530ef2e..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh ++++ /dev/null +@@ -1,42 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from $IncludeConfig fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP_TEST=testssg +-groupadd $GROUP_TEST +- +-GROUP_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh +deleted file mode 100755 +index 39efc1a4b7..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from $IncludeConfig passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-\$IncludeConfig ${test_conf} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh +deleted file mode 100755 +index c0db7056b4..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh ++++ /dev/null +@@ -1,42 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from include() fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP_TEST=testssg +-groupadd $GROUP_TEST +- +-GROUP_ROOT=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh +deleted file mode 100755 +index 1feaf762fc..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh ++++ /dev/null +@@ -1,39 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include(file="${test_conf}") +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh +deleted file mode 100755 +index 5a357d029b..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh ++++ /dev/null +@@ -1,41 +0,0 @@ +-#!/bin/bash +-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle +- +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from multiline include() passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 2 +- +-# setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +- +-# create test configuration file +-test_conf=${RSYSLOG_TEST_DIR}/test1.conf +-cat << EOF > ${test_conf} +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[1]} +-EOF +- +-# create rsyslog.conf configuration file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-#### MODULES #### +- +-include( +- file="${test_conf}" +-) +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh +deleted file mode 100755 +index c7c01132f2..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh ++++ /dev/null +@@ -1,25 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with non root group-owner in rsyslog.conf fails. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=testssg +- +-groupadd $GROUP +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with non-root group owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh +deleted file mode 100755 +index 0ecbb35bd1..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh ++++ /dev/null +@@ -1,24 +0,0 @@ +-#!/bin/bash +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle +- +-# Check if log file with root group-owner in rsyslog.conf passes. +- +-source $SHARED/rsyslog_log_utils.sh +- +-GROUP=root +- +-# setup test data +-create_rsyslog_test_logs 1 +- +-# setup test log file ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +- +-# add rule with root group owned log file +-cat << EOF > $RSYSLOG_CONF +-# rsyslog configuration file +- +-#### RULES #### +- +-*.* ${RSYSLOG_TEST_LOGS[0]} +- +-EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +deleted file mode 100644 +index 8e3f68db26..0000000000 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml ++++ /dev/null +@@ -1,114 +0,0 @@ +- +- +- {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}} +- +- +- +- +- +- +- +- +- +- /etc/rsyslog.conf +- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- var_rfo_include_config_regex +- +- +- +- ^/etc/rsyslog.conf$ +- +- +- +- var_rfo_syslog_config +- +- +- +- +- +- object_var_rfo_include_config_regex +- object_var_rfo_syslog_config +- +- +- +- +- +- +- +- +- +- +- +- +- ^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ +- 1 +- state_owner_ignore_include_paths +- +- +- +- +- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- regular +- +- {{% if product in ["ubuntu2004", "ubuntu2204"] %}} +- 104 +- {{% else %}} +- 0 +- {{% endif %}} +- +- +- +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +index 37c87b07cd..0d9bf40f4b 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml +@@ -4,15 +4,36 @@ title: 'Ensure Log Files Are Owned By Appropriate User' + + description: |- + The owner of all log files written by +- rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. ++ rsyslog should be ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog. ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + For each log file LOGFILE referenced in /etc/rsyslog.conf, + run the following command to inspect the file's owner: + 
$ ls -l LOGFILE
+- If the owner is not {{{ xccdf_value("file_owner_logfiles_value") }}}, run the following command to ++ If the owner is not ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog, ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm, ++ {{% else %}} ++ root, ++ {{% endif %}} ++ run the following command to + correct this: +- 
$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} LOGFILE
++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ 
$ sudo chown syslog LOGFILE
++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ 
$ sudo chown adm LOGFILE
++ {{% else %}} ++ 
$ sudo chown root LOGFILE
++ {{% endif %}} + + rationale: |- + The log files generated by rsyslog contain valuable information regarding system +@@ -47,8 +68,23 @@ references: + ocil_clause: 'the owner is not correct' + + ocil: |- +- The owner of all log files written by rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. ++ The owner of all log files written by rsyslog should be ++ {{% if product in ['ubuntu2204','ubuntu2004'] %}} ++ syslog. ++ {{% elif 'debian' in product or 'ubuntu' in product %}} ++ adm. ++ {{% else %}} ++ root. ++ {{% endif %}} + These log files are determined by the second part of each Rule line in + /etc/rsyslog.conf and typically all appear in /var/log. + To see the owner of a given log file, run the following command: + 
$ ls -l LOGFILE
++ ++template: ++ name: rsyslog_logfiles_attributes_modify ++ vars: ++ attribute: owner ++ value: 0 ++ value@ubuntu2004: 104 ++ value@ubuntu2204: 104 +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml +new file mode 100644 +index 0000000000..041e263155 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml +@@ -0,0 +1,12 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "Set rsyslog remote loghost" ++ lineinfile: ++ dest: /etc/rsyslog.conf ++ regexp: "^\\*\\.\\*" ++ line: "*.* /var/log/messages" ++ create: yes +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh +new file mode 100644 +index 0000000000..d634610225 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}} +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml +new file mode 100644 +index 0000000000..89e1e7616e +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml +@@ -0,0 +1,41 @@ ++ ++ ++ {{{ oval_metadata("Syslog logs should be configured") }}} ++ ++ ++ {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}} ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ ++ 1 ++ ++ ++ ++ /etc/rsyslog.d ++ ^.+\.conf$ ++ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +new file mode 100644 +index 0000000000..f9477de9e9 +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++title: 'Ensure logging is configured' ++ ++description: |- ++ The /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files ++ specifies rules for logging and which files are to be used to log certain ++ classes of messages. ++ ++rationale: |- ++ A great deal of important security-related information is sent via ++ rsyslog (e.g., successful and failed su attempts, failed login attempts, ++ root login attempts, etc.). ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-92379-7 ++ cce@sle15: CCE-92497-7 ++ ++references: ++ cis@sle12: 4.2.1.4 ++ cis@sle15: 4.2.1.4 ++ ++ocil_clause: 'no logging is configured' ++ ++ocil: |- ++ Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf ++ files to ensure appropriate logging is set. In addition, run the following command: ++ 
ls -l /var/log/
++ and verify that the log files are logging information ++ ++fixtext: |- ++ Configure logging with selectors covering each priority +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh +new file mode 100644 +index 0000000000..a4fb1cf07a +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++# platform = multi_platform_sle ++ ++# Check rsyslog.conf with no includes and all loggging facility/priority configured to go to /var/log/messages ++ ++source $SHARED/rsyslog_log_utils.sh ++cat << EOF > ${RSYSLOG_CONF} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++*.* /var/log/messages ++EOF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh +new file mode 100644 +index 0000000000..158cf4c98d +--- /dev/null ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh +@@ -0,0 +1,12 @@ ++#!/bin/bash ++# platform = multi_platform_sle ++ ++# Check rsyslog.conf with no includes and no loggging facility/priority configured ++ ++source $SHARED/rsyslog_log_utils.sh ++cat << EOF > ${RSYSLOG_CONF} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++EOF +diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/debian10/profiles/anssi_np_nt28_average.profile ++++ b/products/debian10/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile +index 3784182fa1..446f5aca1d 100644 +--- a/products/debian10/profiles/standard.profile ++++ b/products/debian10/profiles/standard.profile +@@ -33,9 +33,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/debian11/profiles/anssi_np_nt28_average.profile ++++ b/products/debian11/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile +index e1b2c718df..c21f8d592b 100644 +--- a/products/debian11/profiles/standard.profile ++++ b/products/debian11/profiles/standard.profile +@@ -33,9 +33,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile +index 12a3a25013..a246d5a094 100644 +--- a/products/rhel7/profiles/rht-ccp.profile ++++ b/products/rhel7/profiles/rht-ccp.profile +@@ -11,8 +11,6 @@ description: |- + selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - file_owner_logfiles_value=root +- - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_accounts_minimum_age_login_defs=7 + - var_accounts_passwords_pam_faillock_deny=5 +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index ae1e7d5a15..0a00d2f46b 100644 +--- a/products/rhel8/profiles/rht-ccp.profile ++++ b/products/rhel8/profiles/rht-ccp.profile +@@ -11,8 +11,6 @@ description: |- + selections: + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - file_owner_logfiles_value=root +- - file_groupowner_logfiles_value=root + - sshd_idle_timeout_value=5_minutes + - var_logind_session_timeout=5_minutes + - var_accounts_minimum_age_login_defs=7 +diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile +index 24a98fd824..22498b6b6f 100644 +--- a/products/sle12/profiles/anssi_bp28_intermediary.profile ++++ b/products/sle12/profiles/anssi_bp28_intermediary.profile +@@ -23,3 +23,4 @@ description: |- + + selections: + - anssi:all:intermediary ++ +diff --git a/products/sle15/profiles/standard.profile b/products/sle15/profiles/standard.profile +index 204804c2ee..1af0a865ef 100644 +--- a/products/sle15/profiles/standard.profile ++++ b/products/sle15/profiles/standard.profile +@@ -29,9 +29,7 @@ selections: + - service_cron_enabled + - service_ntp_enabled + - service_rsyslog_enabled +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - ensure_logrotate_activated +diff --git a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile ++++ b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1604/profiles/standard.profile b/products/ubuntu1604/profiles/standard.profile +index 6fd70f0da6..93001f3bfe 100644 +--- a/products/ubuntu1604/profiles/standard.profile ++++ b/products/ubuntu1604/profiles/standard.profile +@@ -34,9 +34,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile +index 600f1a6f71..4c42814719 100644 +--- a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile ++++ b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile +@@ -22,9 +22,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu1804/profiles/standard.profile b/products/ubuntu1804/profiles/standard.profile +index d587d499d8..a17117818e 100644 +--- a/products/ubuntu1804/profiles/standard.profile ++++ b/products/ubuntu1804/profiles/standard.profile +@@ -32,9 +32,7 @@ selections: + - sshd_allow_only_protocol2 + - var_sshd_set_keepalive=0 + - sshd_set_keepalive_0 +- - file_owner_logfiles_value=adm + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu2004/profiles/standard.profile b/products/ubuntu2004/profiles/standard.profile +index 823a69a5d9..6ed27aa16d 100644 +--- a/products/ubuntu2004/profiles/standard.profile ++++ b/products/ubuntu2004/profiles/standard.profile +@@ -31,9 +31,7 @@ selections: + - sshd_disable_empty_passwords + - var_sshd_set_keepalive=0 + - sshd_set_keepalive +- - file_owner_logfiles_value=syslog + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/products/ubuntu2204/profiles/standard.profile b/products/ubuntu2204/profiles/standard.profile +index c8bc5369c9..1bb9f43e7d 100644 +--- a/products/ubuntu2204/profiles/standard.profile ++++ b/products/ubuntu2204/profiles/standard.profile +@@ -31,9 +31,7 @@ selections: + - sshd_disable_empty_passwords + - var_sshd_set_keepalive=0 + - sshd_set_keepalive +- - file_owner_logfiles_value=syslog + - rsyslog_files_ownership +- - file_groupowner_logfiles_value=adm + - rsyslog_files_groupownership + - rsyslog_files_permissions + - "!rsyslog_remote_loghost" +diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt +index c119834759..4e0a76f8de 100644 +--- a/shared/references/cce-sle12-avail.txt ++++ b/shared/references/cce-sle12-avail.txt +@@ -54,7 +54,6 @@ CCE-92375-5 + CCE-92376-3 + CCE-92377-1 + CCE-92378-9 +-CCE-92379-7 + CCE-92380-5 + CCE-92381-3 + CCE-92382-1 +diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt +index d04c40d31f..e39dae033e 100644 +--- a/shared/references/cce-sle15-avail.txt ++++ b/shared/references/cce-sle15-avail.txt +@@ -17,7 +17,6 @@ CCE-92492-8 + CCE-92493-6 + CCE-92495-1 + CCE-92496-9 +-CCE-92497-7 + CCE-92498-5 + CCE-92499-3 + CCE-92500-8 +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +new file mode 100644 +index 0000000000..fc9e8844b6 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template +@@ -0,0 +1,68 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = medium ++ ++- name: '{{{ rule_title }}} - Set rsyslog logfile configuration facts' ++ ansible.builtin.set_fact: ++ rsyslog_etc_config: "/etc/rsyslog.conf" ++ ++# * And also the log file paths listed after rsyslog's $IncludeConfig directive ++# (store the result into array for the case there's shell glob used as value of IncludeConfig) ++- name: '{{{ rule_title }}} - Get IncludeConfig directive' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true ++ register: rsyslog_old_inc ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Get include files directives' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true ++ register: rsyslog_new_inc ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Aggregate rsyslog includes' ++ ansible.builtin.set_fact: ++ include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" ++ ++- name: '{{{ rule_title }}} - List all config files' ++ ansible.builtin.find: ++ paths: "{{ include_config_output | list | map('dirname') }}" ++ patterns: "{{ include_config_output | list | map('basename') }}" ++ hidden: no ++ follow: yes ++ register: rsyslog_config_files ++ failed_when: False ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Extract log files old format' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true ++ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" ++ register: log_files_old ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Extract log files new format' ++ ansible.builtin.shell: | ++ set -o pipefail ++ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true ++ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" ++ register: log_files_new ++ changed_when: False ++ ++- name: '{{{ rule_title }}} - Sum all log files found' ++ ansible.builtin.set_fact: ++ log_files: "{{ log_files_new.results|map(attribute='stdout_lines')|list|flatten|unique + log_files_old.results|map(attribute='stdout_lines')|list|flatten|unique }}" ++ ++- name: '{{{ rule_title }}} -Setup log files attribute' ++ ansible.builtin.file: ++ path: "{{ item }}" ++ owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' ++ group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' ++ state: file ++ loop: "{{ log_files | list | flatten | unique }}" ++ failed_when: false +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +new file mode 100644 +index 0000000000..ab4a563dc5 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +@@ -0,0 +1,110 @@ ++# platform = multi_platform_all ++ ++# List of log file paths to be inspected for correct permissions ++# * Primarily inspect log file paths listed in /etc/rsyslog.conf ++RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" ++# * And also the log file paths listed after rsyslog's $IncludeConfig directive ++# (store the result into array for the case there's shell glob used as value of IncludeConfig) ++readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) ++readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) ++readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) ++readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) ++ ++# Declare an array to hold the final list of different log file paths ++declare -a LOG_FILE_PATHS ++ ++# Array to hold all rsyslog config entries ++RSYSLOG_CONFIGS=() ++RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") ++ ++# Get full list of files to be checked ++# RSYSLOG_CONFIGS may contain globs such as ++# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule ++# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. ++RSYSLOG_CONFIG_FILES=() ++for ENTRY in "${RSYSLOG_CONFIGS[@]}" ++do ++ # If directory, rsyslog will search for config files in recursively. ++ # However, files in hidden sub-directories or hidden files will be ignored. ++ if [ -d "${ENTRY}" ] ++ then ++ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) ++ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") ++ elif [ -f "${ENTRY}" ] ++ then ++ RSYSLOG_CONFIG_FILES+=("${ENTRY}") ++ else ++ echo "Invalid include object: ${ENTRY}" ++ fi ++done ++ ++# Browse each file selected above as containing paths of log files ++# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) ++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" ++do ++ # From each of these files extract just particular log file path(s), thus: ++ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, ++ # * Ignore empty lines, ++ # * Strip quotes and closing brackets from paths. ++ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files ++ # * From the remaining valid rows select only fields constituting a log file path ++ # Text file column is understood to represent a log file path if and only if all of the following are met: ++ # * it contains at least one slash '/' character, ++ # * it is preceded by space ++ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters ++ # Search log file for path(s) only in case it exists! ++ if [[ -f "${LOG_FILE}" ]] ++ then ++ NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") ++ LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") ++ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") ++ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") ++ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") ++ # Since above sed command might return more than one item (delimited by newline), split the particular ++ # matches entries into new array specific for this log file ++ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" ++ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with ++ # items from newly created array for this log file ++ LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") ++ # Delete the temporary array ++ unset ARRAY_FOR_LOG_FILE ++ fi ++done ++ ++# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly ++# extract possibly multiline action omfile expressions ++# extract File="logfile" expression ++# match only "logfile" expression ++for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" ++do ++ ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") ++ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") ++ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") ++done ++ ++FILE_PARAM="{{{ ATTRIBUTE }}}" ++FILE_CMD="" ++case "$FILE_PARAM" in ++ "groupowner") ++ FILE_CMD=$(which chgrp) ++ ;; ++ "owner") ++ FILE_CMD=$(which chown) ++ ;; ++ *) ++ echo -n "Not supported file attribute! " ++ exit 1 ++ ;; ++esac ++ ++# Correct the form o ++for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" ++do ++ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing ++ if [ -z "$LOG_FILE_PATH" ] ++ then ++ continue ++ fi ++ ++ $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" ++done +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +new file mode 100644 +index 0000000000..4f288df1c9 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template +@@ -0,0 +1,137 @@ ++ ++ ++ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} ++ ++ {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_{{{ _RULE_ID }}}_include_config_regex ++ ++ ++ ++ ^/etc/rsyslog.conf$ ++ ++ ++ ++ var_{{{ _RULE_ID }}}_syslog_config ++ ++ ++ ++ ++ ++ object_var_{{{ _RULE_ID }}}_include_config_regex ++ object_var_{{{ _RULE_ID }}}_syslog_config ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ ++ 1 ++ state_{{{ _RULE_ID }}}_ownership_ignore_include_paths ++ ++ ++ ++ ++ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ regular ++ {{% if ATTRIBUTE == "groupowner" %}} ++ {{{ VALUE }}} ++ {{% else %}} ++ {{{ VALUE }}} ++ {{% endif %}} ++ ++ ++ +diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.yml b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml +new file mode 100644 +index 0000000000..b57de6fbb6 +--- /dev/null ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml +@@ -0,0 +1,4 @@ ++supported_languages: ++ - ansible ++ - bash ++ - oval +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +similarity index 75% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +index 6c82a1942f..db7e5261eb 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh +@@ -6,8 +6,16 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + USER_ROOT=root + +@@ -15,8 +23,8 @@ USER_ROOT=root + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +index b24e5e1699..b03268fe3e 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh +@@ -6,14 +6,20 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +similarity index 75% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +index 18f43c6927..d79ae23cfc 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh +@@ -6,8 +6,16 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + USER_ROOT=root + +@@ -15,8 +23,8 @@ USER_ROOT=root + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +old mode 100755 +new mode 100644 +similarity index 50% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +index 05dd50ed24..7869a180a8 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh +@@ -1,20 +1,31 @@ + #!/bin/bash + # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle + +-# Check rsyslog.conf with root group-owner log from rules and +-# root group-owner log from include() passes. ++# Check rsyslog.conf with root user log from rules and ++# root user log from include() passes. + + source $SHARED/rsyslog_log_utils.sh + +-GROUP=root ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ ++USER_TEST=testssg ++$ADDCOMMAND $USER_TEST ++ ++USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} +-chgrp $GROUP ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +@@ -28,13 +39,25 @@ EOF + + # create test2 configuration file + test_conf2=${RSYSLOG_TEST_DIR}/test2.conf ++{{% if ATTRIBUTE == "owner" %}} ++cat << EOF > ${test_conf2} ++# rsyslog configuration file ++ ++#### RULES #### ++ ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") ++EOF ++{{% else %}} + cat << EOF > ${test_conf2} + # rsyslog configuration file + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") + EOF ++{{% endif %}} + + # create rsyslog.conf configuration file + cat << EOF > $RSYSLOG_CONF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +index 69dead5135..e80395ca99 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh +@@ -6,14 +6,21 @@ + + source $SHARED/rsyslog_log_utils.sh + ++ ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +similarity index 77% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +index e725fb4d54..e7b4905dc5 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh +@@ -6,18 +6,26 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER_ROOT=root + + USER_TEST=testssg +-useradd $USER_TEST ++$ADDCOMMAND $USER_TEST + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} +-chown $USER_TEST ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +similarity index 82% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +index ca47d453c1..6389e6ea3b 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh +@@ -6,15 +6,21 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} +-chown $USER ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +similarity index 65% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +index 9747e0b28b..6b81a77c2f 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh +@@ -1,23 +1,26 @@ + #!/bin/bash + # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle + +-# Check rsyslog.conf with root group-owner log from rules and +-# non root group-owner log from include() fails. ++# Check rsyslog.conf with root user log from rules and ++# root user log from include() passes. + + source $SHARED/rsyslog_log_utils.sh + +-GROUP_ROOT=root ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} + +-GROUP_TEST=testssg +-groupadd $GROUP_TEST ++USER=root + + # setup test data + create_rsyslog_test_logs 3 + + # setup test log files ownership +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} +-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[1]} +-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[2]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +@@ -36,7 +39,8 @@ cat << EOF > ${test_conf2} + + #### RULES #### + +-*.* ${RSYSLOG_TEST_LOGS[2]} ++ ++*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") + EOF + + # create rsyslog.conf configuration file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +similarity index 81% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +index d68cc2e67d..78b105abf3 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh +@@ -6,14 +6,20 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 2 + + # setup test log files ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} +-chown $USER ${RSYSLOG_TEST_LOGS[1]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} + + # create test configuration file + test_conf=${RSYSLOG_TEST_DIR}/test1.conf +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +similarity index 70% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +index 7edbb17ea1..1afe20823c 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh +@@ -5,15 +5,23 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++ADDCOMMAND="useradd" ++CHATTR="chown" ++{{% else %}} ++ADDCOMMAND="groupadd" ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=testssg + +-useradd $USER ++$ADDCOMMAND $USER + + # setup test data + create_rsyslog_test_logs 1 + + # setup test log file ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} + + # add rule with non-root user owned log file + cat << EOF > $RSYSLOG_CONF +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +similarity index 77% +rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh +rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +index e0e518bc50..afce21fa27 100755 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh ++++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh +@@ -5,13 +5,19 @@ + + source $SHARED/rsyslog_log_utils.sh + ++{{% if ATTRIBUTE == "owner" %}} ++CHATTR="chown" ++{{% else %}} ++CHATTR="chgrp" ++{{% endif %}} ++ + USER=root + + # setup test data + create_rsyslog_test_logs 1 + + # setup test log file ownership +-chown $USER ${RSYSLOG_TEST_LOGS[0]} ++$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} + + # add rule with root user owned log file + cat << EOF > $RSYSLOG_CONF +-- +2.39.1 + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 1e71b56..3d035b5 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,13 +1,12 @@ -%define anolis_release .0.2 # Base name of static rhel6 content tarball %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds %global _vpath_builddir build -%global _default_patch_fuzz 2 +# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly Name: scap-security-guide -Version: 0.1.63 -Release: 1%{anolis_release}%{?dist} +Version: 0.1.66 +Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -15,34 +14,18 @@ URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 # Include tarball with last released rhel6 content Source1: %{_static_rhel6_content}.tar.bz2 -# Disable profiles that are not in good shape for products/rhel8 +# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream Patch0: disable-not-in-good-shape-profiles.patch -# Update RHEL8 STIG to V1R7 -Patch1: scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch -# Refresh BPF related rules in RHEL 9 OSPP profile -Patch2: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch -# New sysctl ipv4 forwarding rule -Patch3: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch -# Add rsyslogd to the list of tools checked by aide -Patch4: scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch -# Accept sudoers files without includes as compliant -Patch5: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch -# Update few sysctl rules to accept multiple compliant values -Patch6: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch -# Reintroduce back the sshd timeout rules in RHEL8 STIG profile -Patch7: scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch -# Make OSPP profiles use minimal Authselect profile -Patch8: scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch -# change rules protecting boot in RHEL8 OSPP -Patch9: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch -# Introduce and apply the "partition exists" platform -Patch10: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch -# Add the platform applicability to relevant rules -Patch11: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path -# Fix ansible partition conditionals -Patch12: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch -# supports Anolis OS 8 -Patch13: scap-security-guide-0.1.65-supports_anolis_os_8-PR_9770.patch +# Rsyslog files rules remediations +Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch +# Extends rsyslog_logfiles_attributes_modify template for permissions +Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch +# Change custom zones check in firewalld_sshd_port_enabled +Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch +# Accept required and requisite control flag for pam_pwhistory +Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch +# remove rule logind_session_timeout and associated variable from profiles +Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch BuildArch: noarch @@ -81,15 +64,6 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. -%package extra -Summary: Extra files package -Group: System Environment/Base -Requires: %{name} = %{version}-%{release} - -%description extra -The %{name}-extra package contains various situation guidebooks - - %if ( %{defined rhel} && (! %{defined centos}) ) %package rule-playbooks Summary: Ansible playbooks per each rule. @@ -100,8 +74,6 @@ Requires: %{name} = %{version}-%{release} The %{name}-rule-playbooks package contains individual ansible playbooks per rule. %endif - - %prep %autosetup -p1 -b1 @@ -114,7 +86,6 @@ cd build -DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ -DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ -DSSG_PRODUCT_JRE:BOOLEAN=TRUE \ --DSSG_PRODUCT_ANOLIS8:BOOLEAN=TRUE \ %if %{defined centos} -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ %else @@ -137,11 +108,6 @@ cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name} %files -%exclude %{_datadir}/%{name}/ansible/rhel* -%exclude %{_datadir}/%{name}/bash/rhel* -%exclude %{_datadir}/%{name}/kickstart/ssg-rhel* -%exclude %{_datadir}/%{name}/tailoring/rhel* -%exclude %{_datadir}/xml/scap/ssg/content/ssg-rhel* %{_datadir}/xml/scap/ssg/content %{_datadir}/%{name}/kickstart %{_datadir}/%{name}/ansible @@ -159,13 +125,6 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html -%files extra -%{_datadir}/%{name}/ansible/rhel* -%{_datadir}/%{name}/bash/rhel* -%{_datadir}/%{name}/kickstart/ssg-rhel* -%{_datadir}/%{name}/tailoring/rhel* -%{_datadir}/xml/scap/ssg/content/ssg-rhel* - %if ( %{defined rhel} && (! %{defined centos}) ) %files rule-playbooks %defattr(-,root,root,-) @@ -173,26 +132,49 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %endif %changelog -* Fri Dec 30 2022 Yuqing - 0.1.63-1.0.2 -- Add product for Anolis8 (#9770) - -* Thu Nov 10 2022 Chang Gao - 0.1.63-1.0.1 -- Add extra package - -* Mon Aug 15 2022 Watson Sato - 0.1.63-1 -- Update to the latest upstream release (RHBZ#2116347) -- Update RHEL8 STIG profile to V1R7 (RHBZ#2116408) -- Select grub2_disable_recovery in OSPP Profile (RHBZ#2117308) -- Use authselect minimal profile in OSPP Profile (RHBZ#2117306) -- Improve rules for CIS level1 partition options (RHBZ#2117510) +* Mon Feb 13 2023 Watson Sato - 0.1.66-2 +- Unselect rule logind_session_timeout (RHBZ#2168079) + +* Mon Feb 06 2023 Watson Sato - 0.1.66-1 +- Rebase to a new upstream release 0.1.66 (RHBZ#2168079) +- Update RHEL8 STIG profile to V1R9 (RHBZ#2168075) +- Fix levels of CIS rules (RHBZ#2168072) +- Remove unused RHEL8 STIG control file (RHBZ#2168069) +- Fix handling of space in sudo_require_reauthentication (RHBZ#2168066) +- Add rule for audit immutable login uids (RHBZ#2168063) +- Fix remediation of audit watch rules (RHBZ#2168060) +- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2168057) +- Fix applicability of kerberos rules (RHBZ#2168054) +- Add support rainer scripts in rsyslog rules (RHBZ#2168050) + +* Wed Aug 17 2022 Watson Sato - 0.1.63-4 +- Fix check of enable_fips_mode on s390x (RHBZ#2070564) + +* Mon Aug 15 2022 Watson Sato - 0.1.63-3 +- Fix Ansible partition conditional (RHBZ#2032403) + +* Wed Aug 10 2022 Vojtech Polasek - 0.1.63-2 +- aligning with the latest STIG update (RHBZ#2112937) +- OSPP: use Authselect minimal profile (RHBZ#2117192) +- OSPP: change rules for protecting of boot (RHBZ#2116440) +- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974) +- fix handling of Defaults clause in sudoers (RHBZ#2083109) +- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403) +- fix handling of Rsyslog include directives (RHBZ#2075384) + +* Mon Aug 01 2022 Vojtech Polasek - 0.1.63-1 +- Rebase to a new upstream release 0.1.63 (RHBZ#2070564) + +* Wed Jun 01 2022 Matej Tyc - 0.1.62-1 +- Rebase to a new upstream release (RHBZ#2070564) * Tue May 17 2022 Watson Sato - 0.1.60-9 -- Fix validation of OVAL 5.10 content (RHBZ#2082556) -- Fix Ansible sysctl remediation (RHBZ#2082556) +- Fix validation of OVAL 5.10 content (RHBZ#2079241) +- Fix Ansible sysctl remediation (RHBZ#2079241) * Tue May 03 2022 Watson Sato - 0.1.60-8 -- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556) -- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556) +- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241) +- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241) * Thu Feb 24 2022 Watson Sato - 0.1.60-7 - Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033) -- Gitee From 9687096b80466475cb2ed66d8f5f8988299e308e Mon Sep 17 00:00:00 2001 From: "taifu.gc" Date: Thu, 10 Nov 2022 02:22:35 +0800 Subject: [PATCH 2/2] Add extra package --- scap-security-guide.spec | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 3d035b5..54761f2 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # Base name of static rhel6 content tarball %global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds @@ -6,7 +7,7 @@ Name: scap-security-guide Version: 0.1.66 -Release: 2%{?dist} +Release: 2%{anolis_release}%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -64,6 +65,15 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. +%package extra +Summary: Extra files package +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description extra +The %{name}-extra package contains various situation guidebooks + + %if ( %{defined rhel} && (! %{defined centos}) ) %package rule-playbooks Summary: Ansible playbooks per each rule. @@ -74,6 +84,8 @@ Requires: %{name} = %{version}-%{release} The %{name}-rule-playbooks package contains individual ansible playbooks per rule. %endif + + %prep %autosetup -p1 -b1 @@ -108,6 +120,11 @@ cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name} %files +%exclude %{_datadir}/%{name}/ansible/rhel* +%exclude %{_datadir}/%{name}/bash/rhel* +%exclude %{_datadir}/%{name}/kickstart/ssg-rhel* +%exclude %{_datadir}/%{name}/tailoring/rhel* +%exclude %{_datadir}/xml/scap/ssg/content/ssg-rhel* %{_datadir}/xml/scap/ssg/content %{_datadir}/%{name}/kickstart %{_datadir}/%{name}/ansible @@ -125,6 +142,13 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html +%files extra +%{_datadir}/%{name}/ansible/rhel* +%{_datadir}/%{name}/bash/rhel* +%{_datadir}/%{name}/kickstart/ssg-rhel* +%{_datadir}/%{name}/tailoring/rhel* +%{_datadir}/xml/scap/ssg/content/ssg-rhel* + %if ( %{defined rhel} && (! %{defined centos}) ) %files rule-playbooks %defattr(-,root,root,-) @@ -132,6 +156,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %endif %changelog +* Wed Feb 22 2023 Chang Gao - 0.1.66-2.0.1 +- Add extra package + * Mon Feb 13 2023 Watson Sato - 0.1.66-2 - Unselect rule logind_session_timeout (RHBZ#2168079) -- Gitee