From 8586a3415cbf2d816b3a9a6df8e4e47193433e15 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Fri, 6 Dec 2024 13:02:04 +0100 Subject: [PATCH 01/26] Improve template pam_account_password_faillock Added template to docs. Defined requirements for variables in template.py: - ext_variable must be defined since it is used in the remediation - bounding variables must be 'use_ext_variable', (int), or undefined (if undefined, bounding variables are initialized to None) Cleaned up the OVAL: - fix conditionals to consistently use inclusive comparisons instead of inclusive for ext_variable, and exclusive for numbers - remove conditionals which compare to `var_ref="{{{ VARIABLE_*_BOUND}}}"` as these variables don't exist in the OVAL - modify check for undefined variable to compare to jinja test none --- docs/templates/template_reference.md | 24 +++++++++++++++++++ .../oval.template | 22 +++++++---------- .../pam_account_password_faillock/template.py | 16 +++++++++++++ 3 files changed, 48 insertions(+), 14 deletions(-) create mode 100644 shared/templates/pam_account_password_faillock/template.py diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 8677d64d593..cfc76fac022 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md 
@@ -621,6 +621,30 @@ When the remediation is applied duplicate occurrences of `key` are removed. - **app** - optional. If not set the check will use the default text `The respective application or service`. If set, the `app` is used within sentences like: "`application` is configured correctly and configuration file exists" +#### pam_account_password_faillock +- Checks if the pam_faillock is enabled in PAM and if the specified + parameter is correctly configured either in /etc/security/faillock.conf + or directly in /etc/pam.d/* files. + + The allowed interval for the faillock parameter is defined by + template parameters `variable_lower_bound` and `variable_upper_bound`. + The boundaries are inclusive (lower <= parameter value <= upper) and + can be set as: + - `use_ext_variable`: use value in external XCCDF variable defined by `ext_variable` + - number: literal number + - undefined: no boundary + +- Parameters: + - **description** - Description of rule + - **prm_name** - name of faillock parameter + - **prm_regex_conf** - regex for faillock parameter in /etc/security/faillock.conf + - **prm_regex_pamd** - regex for faillock parameter in /etc/pam.d/* + - **variable_lower_bound** - lower boundary for allowed parameter value + - **variable_upper_bound** - upper boundary for allowed parameter value + - **ext_variable** - external XCCDG variable used to define interval boundaries and + the value used in the remediation. + + #### pam_options - Checks if the parameters or arguments of a given Linux-PAM (Pluggable Authentication Modules) module in a given PAM configuration file diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template index 915905aedd3..c98ebeda316 100644 --- a/shared/templates/pam_account_password_faillock/oval.template +++ b/shared/templates/pam_account_password_faillock/oval.template 
@@ -242,10 +242,10 @@ id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_pamd_{{{ file_stem }}}" comment="Check the expected {{{ PRM_NAME }}} value in {{{ file_stem }}}-auth"> - {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}} + {{% if VARIABLE_UPPER_BOUND is not none %}} {{% endif %}} - {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}} + {{% if VARIABLE_LOWER_BOUND is not none %}} {{% endif %}} @@ -266,34 +266,28 @@ - {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}} + {{% if VARIABLE_UPPER_BOUND is not none %}} {{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}} - {{% elif VARIABLE_UPPER_BOUND is number %}} - {{{ VARIABLE_UPPER_BOUND }}} {{% else %}} - + {{{ VARIABLE_UPPER_BOUND }}} {{% endif %}} {{% endif %}} - {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}} + {{% if VARIABLE_LOWER_BOUND is not none %}} {{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}} - {{% elif VARIABLE_LOWER_BOUND is number %}} - {{{ VARIABLE_LOWER_BOUND }}} {{% else %}} - + {{{ VARIABLE_LOWER_BOUND }}} {{% endif %}} {{% endif %}} @@ -307,10 +301,10 @@ id="test_accounts_passwords_pam_faillock_{{{ PRM_NAME }}}_parameter_faillock_conf" comment="Check the expected {{{ PRM_NAME }}} value in /etc/security/faillock.conf"> - {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}} + {{% if VARIABLE_UPPER_BOUND is not none %}} {{% endif %}} - {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}} + {{% if VARIABLE_LOWER_BOUND is not none %}} {{% endif %}} diff --git a/shared/templates/pam_account_password_faillock/template.py b/shared/templates/pam_account_password_faillock/template.py new file mode 100644 index 00000000000..654209336c1 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/template.py 
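Review bot: The second hunk's `{{% else %}}` branch now writes `{{{ VARIABLE_UPPER_BOUND }}}` (and the lower-bound equivalent) straight into the OVAL state as a literal, so the template is correct only because preprocess() in template.py has already rejected anything that is not an int or `use_ext_variable`, and the new `is not none` tests only work because that same preprocess() fills an absent bound with None — in Jinja an Undefined value is `not none`, so a render without that normalization would emit a state with an empty value. That coupling is not stated anywhere in the template; add `{{# VARIABLE_*_BOUND are normalized in template.py: None (no bound), int literal, or "use_ext_variable" #}}` above the first `{{% if VARIABLE_UPPER_BOUND is not none %}}` of this hunk so the next editor does not reintroduce the removed `is number`/`is defined` guards in a half-equivalent form. The OVAL state/object elements these conditionals wrap are not visible here, so the enclosing definitions start and end outside the hunk.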
@@ -0,0 +1,16 @@ +def preprocess(data, lang): + if data.get("ext_variable") is None: + errmsg = ("The template instance of the rule {0} requires the " + "ext_variable to be defined".format(_rule_id)) + raise ValueError(errmsg) + + for var in ["variable_upper_bound", "variable_lower_bound"]: + data[var] = data.get(var, None) + if data.get(var) is not None and \ + data.get(var) != "use_ext_variable" and \ + type(data.get(var)) != int: + errmsg = ("The template instance of the rule {0} requires the " + "parameter {1} is either 'use_ext_variable' or " + "a number or undefined".formate(_rule_id, var)) + raise ValueError(errmsg) + return data From f222a4264369816465326a0b69c317095e21053e Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Fri, 6 Dec 2024 22:40:00 +0100 Subject: [PATCH 02/26] Fix lower bound variable in accounts_passwords_pam_faillock_deny Fixed to work with new OVAL logic in template (inclusive comparison). --- .../accounts_passwords_pam_faillock_deny/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index f18c0a14fec..52107ee4843 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -97,4 +97,4 @@ template: ext_variable: var_accounts_passwords_pam_faillock_deny description: Lockout account after failed login attempts. variable_upper_bound: use_ext_variable - variable_lower_bound: 0 + variable_lower_bound: 1 From 97c3e7c058beb69030a7dfbcca4f02e017ff5eb1 Mon Sep 17 00:00:00 2001 
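Review bot: Both error paths in the new preprocess() are broken: `_rule_id` is not defined anywhere in this file, so the `.format(_rule_id)` in the ext_variable branch raises NameError instead of the intended ValueError, and the bound-check branch calls `.formate(...)`, which raises AttributeError before the message is even built. Other template.py files in this tree appear to read the rule id from the data dict; if that holds here, the two lines should be `"ext_variable to be defined".format(data["_rule_id"]))` and `"a number or undefined".format(data["_rule_id"], var))`. Because these lines only execute when a rule misuses the template, none of the test scenarios in this series exercise them, so the defect stays invisible until a real misconfiguration produces a confusing traceback rather than the intended message. While touching it, bind `value = data[var]` once in the loop instead of calling `data.get(var)` four times, and keep `type(value) is not int` rather than `isinstance` if the intent is to reject YAML booleans (bool is an int subclass).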
From: Miha Purg Date: Fri, 6 Dec 2024 11:53:39 +0100 Subject: [PATCH 03/26] Fix tests for template pam_account_password_faillock - tests were generalized and are no longer specific to `_deny` rule - tests check the different logic flows defined by template parameters and external variables - a new macro was created to initialize the variables - tests from the rules that use the template were removed --- .../tests/authselect_modified_pam.fail.sh | 12 --- .../pam_faillock_expected_pam_files.pass.sh | 6 -- .../pam_faillock_lenient_pam_files.fail.sh | 6 -- .../pam_faillock_stricter_pam_files.pass.sh | 6 -- .../tests/ubuntu_commented_values.fail.sh | 7 -- .../tests/ubuntu_common.sh | 24 ----- .../tests/ubuntu_correct.pass.sh | 7 -- .../tests/ubuntu_correct_pamd.pass.sh | 26 ----- .../tests/ubuntu_missing_pamd.fail.sh | 5 - .../tests/ubuntu_wrong_value.fail.sh | 7 -- .../tests/authselect_modified_pam.fail.sh | 12 --- .../conflicting_settings_authselect.fail.sh | 29 ----- .../pam_faillock_conflicting_settings.fail.sh | 16 --- .../tests/pam_faillock_disabled.fail.sh | 11 -- ...am_faillock_expected_faillock_conf.pass.sh | 10 -- .../pam_faillock_expected_pam_files.pass.sh | 6 -- ...pam_faillock_lenient_faillock_conf.fail.sh | 10 -- .../pam_faillock_lenient_pam_files.fail.sh | 6 -- ...ck_multiple_pam_unix_faillock_conf.fail.sh | 18 ---- ...illock_multiple_pam_unix_pam_files.fail.sh | 12 --- ...am_faillock_not_required_pam_files.fail.sh | 20 ---- ...am_faillock_stricter_faillock_conf.pass.sh | 10 -- .../pam_faillock_stricter_pam_files.pass.sh | 6 -- .../tests/ubuntu_commented_values.fail.sh | 7 -- .../tests/ubuntu_common.sh | 24 ----- .../tests/ubuntu_correct.pass.sh | 7 -- .../tests/ubuntu_correct_pamd.pass.sh | 26 ----- .../tests/ubuntu_missing_pamd.fail.sh | 5 - .../tests/ubuntu_wrong_value.fail.sh | 7 -- .../tests/authselect_modified_pam.fail.sh | 12 --- .../conflicting_settings_authselect.fail.sh | 30 ------ .../pam_faillock_conflicting_settings.fail.sh | 16 --- 
.../tests/pam_faillock_disabled.fail.sh | 11 -- .../pam_faillock_expected_pam_files.pass.sh | 6 -- ...pam_faillock_lenient_faillock_conf.fail.sh | 10 -- .../pam_faillock_lenient_pam_files.fail.sh | 6 -- ...ck_multiple_pam_unix_faillock_conf.fail.sh | 18 ---- ...illock_multiple_pam_unix_pam_files.fail.sh | 12 --- ...am_faillock_not_required_pam_files.fail.sh | 20 ---- ...am_faillock_stricter_faillock_conf.pass.sh | 10 -- .../pam_faillock_stricter_pam_files.pass.sh | 6 -- .../tests/ubuntu_commented_values.fail.sh | 7 -- .../tests/ubuntu_common.sh | 24 ----- .../tests/ubuntu_correct.pass.sh | 7 -- .../tests/ubuntu_correct_pamd.pass.sh | 26 ----- .../tests/ubuntu_missing_pamd.fail.sh | 5 - shared/macros/20-test-scenarios.jinja | 100 ++++++++++++++++++ .../conflicting_settings_authselect.fail.sh | 8 +- .../pam_faillock_conflicting_settings.fail.sh | 7 +- .../tests/pam_faillock_disabled.fail.sh | 3 +- ...am_faillock_expected_faillock_conf.pass.sh | 5 +- .../pam_faillock_expected_pam_files.pass.sh | 7 ++ ...aillock_lenient_high_faillock_conf.fail.sh | 5 +- ...am_faillock_lenient_high_pam_files.fail.sh | 7 ++ ...faillock_lenient_low_faillock_conf.fail.sh | 5 +- ...pam_faillock_lenient_low_pam_files.fail.sh | 7 ++ ...ck_multiple_pam_unix_faillock_conf.fail.sh | 5 +- ...illock_multiple_pam_unix_pam_files.fail.sh | 5 +- ...am_faillock_not_required_pam_files.fail.sh | 7 +- ...am_faillock_stricter_faillock_conf.pass.sh | 5 +- .../pam_faillock_stricter_pam_files.pass.sh | 7 ++ .../tests/ubuntu_commented_values.fail.sh | 8 ++ .../tests/ubuntu_correct.pass.sh | 8 ++ .../tests/ubuntu_correct_pamd.pass.sh | 9 ++ .../tests/ubuntu_correct_stricter.pass.sh | 8 ++ .../tests/ubuntu_empty_faillock_conf.fail.sh | 8 ++ .../tests/ubuntu_lenient_high.fail.sh | 8 ++ .../tests/ubuntu_lenient_low.fail.sh | 8 ++ .../tests/ubuntu_missing_pamd.fail.sh | 6 ++ .../tests/ubuntu_multiple_pam_unix.fail.sh | 13 +++ .../tests/ubuntu_wrong_value.fail.sh | 0 71 files changed, 237 insertions(+), 596 
deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh delete mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh delete 
mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh delete mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh delete mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/conflicting_settings_authselect.fail.sh (77%) rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_conflicting_settings.fail.sh (78%) rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_disabled.fail.sh (84%) rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_expected_faillock_conf.pass.sh (73%) create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh rename linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh => shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh (71%) create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh rename linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh => shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh (73%) 
create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh (88%) rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh (77%) rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_not_required_pam_files.fail.sh (78%) rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny => shared/templates/pam_account_password_faillock}/tests/pam_faillock_stricter_faillock_conf.pass.sh (73%) create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh create mode 100644 
shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh rename {linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time => shared/templates/pam_account_password_faillock}/tests/ubuntu_wrong_value.fail.sh (100%) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh deleted file mode 100644 index b3232cc93ec..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/authselect_modified_pam.fail.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora -# remediation = none - -SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" - -# This modification will break the integrity checks done by authselect. -if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then - sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE -else - sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE -fi diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh deleted file mode 100644 index bbf97fa2ac0..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_pam_files.pass.sh +++ /dev/null 
@@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=3" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh deleted file mode 100644 index cb1ca930499..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_pam_files.fail.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=5" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh deleted file mode 100644 index 54729a3144b..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_pam_files.pass.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_deny=3 - -authconfig --enablefaillock --faillockargs="deny=2" --update 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh deleted file mode 100644 index 9b10313e9f8..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_deny=10 - -source ubuntu_common.sh - -echo "#deny=1" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh deleted file mode 100644 index 532926d2701..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -cat << EOF > /usr/share/pam-configs/faillock -Name: Enable pam_faillock to deny access -Default: yes -Priority: 0 -Auth-Type: Primary -Auth: - [default=die] pam_faillock.so authfail -EOF - -cat << EOF > /usr/share/pam-configs/faillock_notify -Name: Notify of failed login attempts and reset count upon success -Default: yes -Priority: 1024 -Auth-Type: Primary -Auth: - requisite pam_faillock.so preauth -Account-Type: Primary -Account: - required pam_faillock.so -EOF - -DEBIAN_FRONTEND=noninteractive pam-auth-update 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh deleted file mode 100644 index 6edc7e7af1f..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_deny=10 - -source ubuntu_common.sh - -echo "deny=1" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh deleted file mode 100644 index f1d9a7266c5..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_deny=10 - -cat << EOF > /usr/share/pam-configs/faillock -Name: Enable pam_faillock to deny access -Default: yes -Priority: 0 -Auth-Type: Primary -Auth: - [default=die] pam_faillock.so authfail deny=1 -EOF - -cat << EOF > /usr/share/pam-configs/faillock_notify -Name: Notify of failed login attempts and reset count upon success -Default: yes -Priority: 1024 -Auth-Type: Primary -Auth: - requisite pam_faillock.so preauth deny=1 -Account-Type: Primary -Account: - required pam_faillock.so -EOF - -DEBIAN_FRONTEND=noninteractive pam-auth-update 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh deleted file mode 100644 index 3fbb16cdc5c..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_deny=10 - -echo "deny=1" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh deleted file mode 100644 index b185d221714..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_deny=10 - -source ubuntu_common.sh - -echo "deny=999" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh deleted file mode 100644 index b3232cc93ec..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/authselect_modified_pam.fail.sh +++ /dev/null 
@@ -1,12 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-# remediation = none
-
-SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-
-# This modification will break the integrity checks done by authselect.
-if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
- sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
-else
- sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh
deleted file mode 100644
index 9a553893cbe..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/conflicting_settings_authselect.fail.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-# packages = authselect,pam
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-
-pam_files=("password-auth" "system-auth")
-
-authselect create-profile testingProfile --base-on minimal
-
-CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
-
-authselect select --force custom/testingProfile
-
-truncate -s 0 /etc/security/faillock.conf
-
-echo "fail_interval = 900" > /etc/security/faillock.conf
-
-{{{ bash_pam_faillock_enable() }}}
-
-for file in ${pam_files[@]}; do
- if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
- sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/fail_interval=900/" \
- "$CUSTOM_PROFILE_DIR/$file"
- else
- sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth fail_interval=900" \
- "$CUSTOM_PROFILE_DIR/$file"
- fi
-done
-
-authselect apply-changes
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh
deleted file mode 100644
index 0b67e0e02af..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_conflicting_settings.fail.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# This test scenario simulates conflicting settings in pam and faillock.conf files.
-# It means that authselect is not properly configured and may have a unexpected behaviour. The
-# authselect integrity check will fail and the remediation will be aborted in order to preserve
-# intentional changes. In this case, an informative message will be shown in the remediation report.
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 fail_interval=900/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "fail_interval = 900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh
deleted file mode 100644
index 9d4320fbb4e..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_disabled.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --disablefaillock --update
-else
- authselect select sssd --force
- authselect disable-feature with-faillock
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh
deleted file mode 100644
index 82bf9fa75bb..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_faillock_conf.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "fail_interval = 900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh
deleted file mode 100644
index 552078405cc..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_expected_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=900" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh
deleted file mode 100644
index 74236e2fba7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_faillock_conf.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "fail_interval = 300" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh
deleted file mode 100644
index f1d331f5da1..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_lenient_pam_files.fail.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=300" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
deleted file mode 100644
index ef2461160c2..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# Ensure the parameters only in /etc/security/faillock.conf
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "fail_interval = 900" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
deleted file mode 100644
index eaf164272ad..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=900" --update
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh
deleted file mode 100644
index 30e04472962..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_not_required_pam_files.fail.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-# This test scenario manually modify the pam_faillock.so entries in auth section from
-# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
-# intentioned. We catch this, but we can't safely remediate in an automated way.
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --faillockargs="fail_interval=900" --update
-else
- authselect select sssd --force
- authselect enable-feature with-faillock
- sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 fail_interval=900/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-fi
-sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-if [ -f /etc/security/faillock.conf ]; then
- > /etc/security/faillock.conf
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh
deleted file mode 100644
index c71a12afe36..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_faillock_conf.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "fail_interval = 1200" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh
deleted file mode 100644
index 3697ba2b0d9..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/pam_faillock_stricter_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_fail_interval=900
-
-authconfig --enablefaillock --faillockargs="fail_interval=1200" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh
deleted file mode 100644
index a865d7efd18..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-source ubuntu_common.sh
-
-echo "#fail_interval=900" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh
deleted file mode 100644
index 532926d2701..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_common.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh
deleted file mode 100644
index 0be3daea347..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-source ubuntu_common.sh
-
-echo "fail_interval=900" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh
deleted file mode 100644
index 7b43417e5f7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_correct_pamd.pass.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-cat << EOF > /usr/share/pam-configs/faillock
-Name: Enable pam_faillock to deny access
-Default: yes
-Priority: 0
-Auth-Type: Primary
-Auth:
- [default=die] pam_faillock.so authfail fail_interval=900
-EOF
-
-cat << EOF > /usr/share/pam-configs/faillock_notify
-Name: Notify of failed login attempts and reset count upon success
-Default: yes
-Priority: 1024
-Auth-Type: Primary
-Auth:
- requisite pam_faillock.so preauth fail_interval=900
-Account-Type: Primary
-Account:
- required pam_faillock.so
-EOF
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh
deleted file mode 100644
index 1983fb4e6ff..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_missing_pamd.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-echo "fail_interval=900" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh
deleted file mode 100644
index 88fc852a76c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_wrong_value.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_ubuntu
-# variables = var_accounts_passwords_pam_faillock_fail_interval=800
-
-source ubuntu_common.sh
-
-echo "fail_interval=100" > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh
deleted file mode 100644
index b3232cc93ec..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/authselect_modified_pam.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
-# remediation = none
-
-SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
-
-# This modification will break the integrity checks done by authselect.
-if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
- sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
-else
- sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh
deleted file mode 100644
index d547b0e3562..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/conflicting_settings_authselect.fail.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# packages = authselect,pam
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
-
-pam_files=("password-auth" "system-auth")
-
-authselect create-profile testingProfile --base-on minimal
-
-CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
-
-authselect select --force custom/testingProfile
-
-truncate -s 0 /etc/security/faillock.conf
-
-echo "unlock_time=600" > /etc/security/faillock.conf
-
-{{{ bash_pam_faillock_enable() }}}
-
-for file in ${pam_files[@]}; do
- if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
- sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/unlock_time=600/" \
- "$CUSTOM_PROFILE_DIR/$file"
- else
- sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth unlock_time=600" \
- "$CUSTOM_PROFILE_DIR/$file"
- fi
-done
-
-
-authselect apply-changes
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh
deleted file mode 100644
index 057348eb4e7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_conflicting_settings.fail.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# This test scenario simulates conflicting settings in pam and faillock.conf files.
-# It means that authselect is not properly configured and may have a unexpected behaviour. The
-# authselect integrity check will fail and the remediation will be aborted in order to preserve
-# intentional changes. In this case, an informative message will be shown in the remediation report.
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 unlock_time=600/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "unlock_time=600" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh
deleted file mode 100644
index bfcc7d4a43c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_disabled.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --disablefaillock --update
-else
- authselect select sssd --force
- authselect disable-feature with-faillock
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh
deleted file mode 100644
index 643f503f1ac..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_pam_files.pass.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=600" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh
deleted file mode 100644
index 838ab7c536f..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_faillock_conf.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-> /etc/security/faillock.conf
-echo "unlock_time=300" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh
deleted file mode 100644
index a45ea873de1..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_lenient_pam_files.fail.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=300" --update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
deleted file mode 100644
index b7b1532bb97..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# packages = authselect
-# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authselect select sssd --force
-authselect enable-feature with-faillock
-# Ensure the parameters only in /etc/security/faillock.conf
-sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-> /etc/security/faillock.conf
-echo "unlock_time=600" >> /etc/security/faillock.conf
-echo "silent" >> /etc/security/faillock.conf
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
deleted file mode 100644
index d7d727671b4..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = authconfig
-# platform = Oracle Linux 7,multi_platform_fedora
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-authconfig --enablefaillock --faillockargs="unlock_time=600" --update
-
-# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
-# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
-# in order to preserve intentional changes.
-echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh
deleted file mode 100644
index eff1bd32c19..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_not_required_pam_files.fail.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# packages = authselect
-# remediation = none
-# variables = var_accounts_passwords_pam_faillock_unlock_time=600
-
-# This test scenario manually modify the pam_faillock.so entries in auth section from
-# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
-# intentioned. We catch this, but we can't safely remediate in an automated way.
-if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --faillockargs="unlock_time=600" --update
-else
- authselect select sssd --force
- authselect enable-feature with-faillock
- sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 unlock_time=600/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-fi
-sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
-if [ -f /etc/security/faillock.conf ]; then
- > /etc/security/faillock.conf
-fi
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh
deleted file mode 100644
index a57645eb10a..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_faillock_conf.pass.sh
+++ /dev/null
@@ -1,10 +0,0 @@ -#!/bin/bash -# packages = authselect -# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_unlock_time=600 - -authselect select sssd --force -authselect enable-feature with-faillock -> /etc/security/faillock.conf -echo "unlock_time=900" >> /etc/security/faillock.conf -echo "silent" >> /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh deleted file mode 100644 index 3db1d3acf87..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_stricter_pam_files.pass.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -# packages = authconfig -# platform = Oracle Linux 7,multi_platform_fedora -# variables = var_accounts_passwords_pam_faillock_unlock_time=600 - -authconfig --enablefaillock --faillockargs="unlock_time=900" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh deleted file mode 100644 index 0825090b42d..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_commented_values.fail.sh +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_unlock_time=300 - -source ubuntu_common.sh - -echo "#unlock_time=1000" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh deleted file mode 100644 index 532926d2701..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_common.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -cat << EOF > /usr/share/pam-configs/faillock -Name: Enable pam_faillock to deny access -Default: yes -Priority: 0 -Auth-Type: Primary -Auth: - [default=die] pam_faillock.so authfail -EOF - -cat << EOF > /usr/share/pam-configs/faillock_notify -Name: Notify of failed login attempts and reset count upon success -Default: yes -Priority: 1024 -Auth-Type: Primary -Auth: - requisite pam_faillock.so preauth -Account-Type: Primary -Account: - required pam_faillock.so -EOF - -DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh deleted file mode 100644 index 7ace223da97..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct.pass.sh +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_unlock_time=300 - -source ubuntu_common.sh - -echo "unlock_time=1000" > /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh deleted file mode 100644 index 884fdcd6baa..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_correct_pamd.pass.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_unlock_time=300 - -cat << EOF > /usr/share/pam-configs/faillock -Name: Enable pam_faillock to deny access -Default: yes -Priority: 0 -Auth-Type: Primary -Auth: - [default=die] pam_faillock.so authfail unlock_time=900 -EOF - -cat << EOF > /usr/share/pam-configs/faillock_notify -Name: Notify of failed login attempts and reset count upon success -Default: yes -Priority: 1024 -Auth-Type: Primary -Auth: - requisite pam_faillock.so preauth unlock_time=900 -Account-Type: Primary -Account: - required pam_faillock.so -EOF - -DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh deleted file mode 100644 index 89e4d1a4a78..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_missing_pamd.fail.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# variables = var_accounts_passwords_pam_faillock_unlock_time=300 - -echo "unlock_time=1000" > /etc/security/faillock.conf diff --git a/shared/macros/20-test-scenarios.jinja b/shared/macros/20-test-scenarios.jinja index db1f03220eb..879d61a5d69 100644 --- a/shared/macros/20-test-scenarios.jinja +++ b/shared/macros/20-test-scenarios.jinja 
@@ -10,3 +10,103 @@ sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/sys {{% endif %}} {{%- endmacro -%}} + +{{# +This macro is used by pam_account_password_faillock template to initialize +the external variable and parameter value to a desired state. + +:param state: correct, stricter, lenient_high, lenient_low +:type state: str +#}} + +{{%- macro tests_init_faillock_vars(state) -%}} + +PRM_NAME={{{ PRM_NAME }}} +{{% if state not in ["correct", "stricter", "lenient_high", "lenient_low"] %}} +echo "Unsupported value for argument 'state': {{{ state }}}" +exit 2 + +{{% elif VARIABLE_UPPER_BOUND == "use_ext_variable" and VARIABLE_LOWER_BOUND == "use_ext_variable" %}} +{{% if state == "correct" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=5 +{{% elif state == "stricter" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=5 +{{% elif state == "lenient_high" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=6 +{{% elif state == "lenient_low" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=4 +{{% endif %}} + +{{% elif VARIABLE_UPPER_BOUND == "use_ext_variable" and VARIABLE_LOWER_BOUND is number %}} +{{% if state == "correct" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND }}} +TEST_VALUE={{{ VARIABLE_LOWER_BOUND }}} +{{% elif state == "stricter" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND + 2 }}} +TEST_VALUE={{{ VARIABLE_LOWER_BOUND + 1 }}} +{{% elif state == "lenient_high" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND }}} +TEST_VALUE={{{ VARIABLE_LOWER_BOUND + 1 }}} +{{% elif state == "lenient_low" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_LOWER_BOUND }}} +TEST_VALUE={{{ VARIABLE_LOWER_BOUND - 1 }}} +{{% endif %}} + +{{% elif VARIABLE_UPPER_BOUND == "use_ext_variable" and VARIABLE_LOWER_BOUND is none %}} +{{% if state == "correct" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=5 +{{% elif state == "stricter" %}} +# variables = {{{ EXT_VARIABLE }}}=5 
+TEST_VALUE=4 +{{% elif state == "lenient_high" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=6 +{{% elif state == "lenient_low" %}} +# there is no lower limit so the test should be not-applicable +# check = none +{{% endif %}} + +{{% elif VARIABLE_LOWER_BOUND == "use_ext_variable" and VARIABLE_UPPER_BOUND is number %}} +{{% if state == "correct" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND | default(100) }}} +TEST_VALUE={{{ VARIABLE_UPPER_BOUND | default(100) }}} +{{% elif state == "stricter" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND | default(100) - 2 }}} +TEST_VALUE={{{ VARIABLE_UPPER_BOUND | default(100) - 1 }}} +{{% elif state == "lenient_high" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND }}} +TEST_VALUE={{{ VARIABLE_UPPER_BOUND + 1 }}} +{{% elif state == "lenient_low" %}} +# variables = {{{ EXT_VARIABLE }}}={{{ VARIABLE_UPPER_BOUND }}} +TEST_VALUE={{{ VARIABLE_UPPER_BOUND - 1 }}} +{{% endif %}} + +{{% elif VARIABLE_LOWER_BOUND == "use_ext_variable" and VARIABLE_UPPER_BOUND is none %}} +{{% if state == "correct" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=5 +{{% elif state == "stricter" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=6 +{{% elif state == "lenient_high" %}} +# there is no upper limit so the test should be not-applicable +# check = none +{{% elif state == "lenient_low" %}} +# variables = {{{ EXT_VARIABLE }}}=5 +TEST_VALUE=4 +{{% endif %}} + +{{% else %}} +echo "The combination of template parameters is not supported by the test:" +echo " variable_upper_bound={{{ VARIABLE_UPPER_BOUND }}}" +echo " variable_lower_bound={{{ VARIABLE_LOWER_BOUND }}}" +echo " ext_variable={{{ EXT_VARIABLE }}}" +exit 2 +{{% endif %}} +{{%- endmacro -%}} + 
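Review bot: In the branch where both `VARIABLE_UPPER_BOUND` and `VARIABLE_LOWER_BOUND` equal `use_ext_variable`, the `stricter` state emits exactly what `correct` emits (`# variables = {{{ EXT_VARIABLE }}}=5` and `TEST_VALUE=5`), so for such rules the `pam_faillock_stricter_*.pass.sh` and `ubuntu_correct_stricter.pass.sh` scenarios merely duplicate the `correct` ones; when the allowed interval collapses to a single value no stricter setting exists, and since the other branches mark impossible states with `# check = none`, this one should do the same or carry a comment saying the duplication is intended. The `| default(100)` in the `VARIABLE_LOWER_BOUND == "use_ext_variable" and VARIABLE_UPPER_BOUND is number` branch is redundant, because that branch is only reached when the bound is already a number, and the `lenient_high`/`lenient_low` states beside it do not use it, so dropping it keeps the branch self-consistent. The `# variables =` and `# check =` lines are emitted after `PRM_NAME=...`, several lines into the generated script, which presumably relies on the test-suite metadata parser scanning the whole file rather than only a leading comment block; that assumption is worth confirming and recording in the macro's doc comment, e.g. `Note: the '# variables' and '# check' lines emitted here are scenario metadata and must be recognized wherever they appear in the generated script.` The macro is contained entirely within this hunk.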
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh similarity index 77% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh rename to shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh index 24f5731f63d..a99e632a291 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/conflicting_settings_authselect.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh @@ -2,6 +2,8 @@ # packages = authselect,pam # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 +{{{ tests_init_faillock_vars("correct") }}} + pam_files=("password-auth" "system-auth") authselect create-profile testingProfile --base-on minimal @@ -12,16 +14,16 @@ authselect select --force custom/testingProfile truncate -s 0 /etc/security/faillock.conf -echo "deny = 3" > /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" > /etc/security/faillock.conf {{{ bash_pam_faillock_enable() }}} for file in ${pam_files[@]}; do if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then - sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/" \ + sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/$PRM_NAME=$TEST_VALUE/" \ "$CUSTOM_PROFILE_DIR/$file" else - sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth deny=3" \ + sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth $PRM_NAME=$TEST_VALUE" \ "$CUSTOM_PROFILE_DIR/$file" fi done 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh similarity index 78% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh index aa3ca061de7..e9f8a06f48d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_conflicting_settings.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh @@ -2,7 +2,8 @@ # packages = authselect # platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 # remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("correct") }}} authselect select sssd --force authselect enable-feature with-faillock 
@@ -10,7 +11,7 @@ authselect enable-feature with-faillock # It means that authselect is not properly configured and may have a unexpected behaviour. The # authselect integrity check will fail and the remediation will be aborted in order to preserve # intentional changes. In this case, an informative message will be shown in the remediation report. -sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth +sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 '$PRM_NAME'='$TEST_VALUE'/g' /etc/pam.d/system-auth /etc/pam.d/password-auth > /etc/security/faillock.conf -echo "deny = 3" >> /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf echo "silent" >> /etc/security/faillock.conf diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh similarity index 84% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh index 67c1b593bdb..b1a88e37a65 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_disabled.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh @@ -1,7 +1,8 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle # packages = authselect -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("correct") }}} if [ -f /usr/sbin/authconfig ]; then authconfig --disablefaillock --update 
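Review bot: The `sed` replacement closes its single quotes around `$PRM_NAME` and `$TEST_VALUE` (`'\1 '$PRM_NAME'='$TEST_VALUE'/g'`), so both expansions are unquoted and subject to word splitting and globbing; it works because the macro only ever supplies simple tokens, but it is fragile and differs from the double-quoted form used in `conflicting_settings_authselect.fail.sh` in this same series. A double-quoted expression keeps the regex escapes intact and the expansions quoted: `sed -i --follow-symlinks "s/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 $PRM_NAME=$TEST_VALUE/g" /etc/pam.d/system-auth /etc/pam.d/password-auth`. The same quoting pattern appears in `pam_faillock_not_required_pam_files.fail.sh` and `ubuntu_correct_pamd.pass.sh` later in this patch.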
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh similarity index 73% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh index e770e300f52..b5d27377a4c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh @@ -1,10 +1,11 @@ #!/bin/bash # packages = authselect # platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("correct") }}} authselect select sssd --force authselect enable-feature with-faillock > /etc/security/faillock.conf -echo "deny = 3" >> /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh new file mode 100644 index 00000000000..1e315064228 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh 
@@ -0,0 +1,7 @@ +#!/bin/bash +# packages = authconfig +# platform = Oracle Linux 7,multi_platform_fedora + +{{{ tests_init_faillock_vars("correct") }}} + +authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh similarity index 71% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh index 1840cae45af..d900ff868db 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/pam_faillock_expected_faillock_conf.pass.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_faillock_conf.fail.sh @@ -1,10 +1,11 @@ #!/bin/bash # packages = authselect # platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_unlock_time=600 + +{{{ tests_init_faillock_vars("lenient_high") }}} authselect select sssd --force authselect enable-feature with-faillock > /etc/security/faillock.conf -echo "unlock_time=600" >> /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh new file mode 100644 index 00000000000..0cdaee7c0f3 --- /dev/null 
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_high_pam_files.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = authconfig +# platform = Oracle Linux 7,multi_platform_fedora + +{{{ tests_init_faillock_vars("lenient_high") }}} + +authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh similarity index 73% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh index fd57152b8c4..bcb8d10028b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_lenient_faillock_conf.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_faillock_conf.fail.sh @@ -1,10 +1,11 @@ #!/bin/bash # packages = authselect # platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("lenient_low") }}} authselect select sssd --force authselect enable-feature with-faillock > /etc/security/faillock.conf -echo "deny = 5" >> /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf echo "silent" >> /etc/security/faillock.conf 
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh new file mode 100644 index 00000000000..4b1e2802627 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_low_pam_files.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = authconfig +# platform = Oracle Linux 7,multi_platform_fedora + +{{{ tests_init_faillock_vars("lenient_low") }}} + +authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh similarity index 88% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh index efb57601cb9..56f9acccc80 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh 
@@ -2,14 +2,15 @@ # packages = authselect # platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 # remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("correct") }}} authselect select sssd --force authselect enable-feature with-faillock # Ensure the parameters only in /etc/security/faillock.conf sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth > /etc/security/faillock.conf -echo "deny = 3" >> /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf echo "silent" >> /etc/security/faillock.conf # Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh similarity index 77% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh index 51d94b3333b..5947d7d67a1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh 
@@ -2,9 +2,10 @@ # packages = authconfig # platform = Oracle Linux 7,multi_platform_fedora # remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 -authconfig --enablefaillock --faillockargs="deny=3" --update +{{{ tests_init_faillock_vars("correct") }}} + +authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update # Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere # in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh similarity index 78% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh index e3ec96da080..4e4f06004f0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_not_required_pam_files.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh 
@@ -2,17 +2,18 @@ # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle # packages = authselect # remediation = none -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("correct") }}} # This test scenario manually modify the pam_faillock.so entries in auth section from # "required" to "sufficient". This makes pam_faillock.so behave differently than initially # intentioned. We catch this, but we can't safely remediate in an automated way. if [ -f /usr/sbin/authconfig ]; then - authconfig --enablefaillock --faillockargs="deny=3" --update + authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update else authselect select sssd --force authselect enable-feature with-faillock - sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth + sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 '$PRM_NAME'='$TEST_VALUE'/g' /etc/pam.d/system-auth /etc/pam.d/password-auth fi sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth if [ -f /etc/security/faillock.conf ]; then diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh similarity index 73% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh rename to shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh index 595b85192da..00846218152 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_faillock_stricter_faillock_conf.pass.sh +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh @@ -1,10 +1,11 @@ #!/bin/bash # packages = authselect # platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8 -# variables = var_accounts_passwords_pam_faillock_deny=3 + +{{{ tests_init_faillock_vars("stricter") }}} authselect select sssd --force authselect enable-feature with-faillock > /etc/security/faillock.conf -echo "deny = 2" >> /etc/security/faillock.conf +echo "$PRM_NAME = $TEST_VALUE" >> /etc/security/faillock.conf echo "silent" >> /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh new file mode 100644 index 00000000000..8d52f968e26 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# packages = authconfig +# platform = Oracle Linux 7,multi_platform_fedora + +{{{ tests_init_faillock_vars("stricter") }}} + +authconfig --enablefaillock --faillockargs="$PRM_NAME=$TEST_VALUE" --update diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh new file mode 100644 index 00000000000..6983c7c371e --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("correct") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +echo "#$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf 
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh new file mode 100644 index 00000000000..1d9c8ca036c --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("correct") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh new file mode 100644 index 00000000000..c65c647089f --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("correct") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +sed -i 's/\(.*pam_faillock.so.*\)/\1 '$PRM_NAME'='$TEST_VALUE'/g' /etc/pam.d/common-auth + diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh new file mode 100644 index 00000000000..20f3dc84980 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_stricter.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("stricter") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh new file mode 100644 index 00000000000..6e03271b6d2 --- /dev/null 
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("correct") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +echo > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh new file mode 100644 index 00000000000..3eac17028ee --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_high.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("lenient_high") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh new file mode 100644 index 00000000000..fbb76961a61 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_lenient_low.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("lenient_low") }}} + +{{{ bash_enable_pam_faillock_directly_in_pam_files() }}} + +echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh new file mode 100644 index 00000000000..edfa5613095 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +{{{ tests_init_faillock_vars("correct") }}} + +echo "$PRM_NAME=$TEST_VALUE" > /etc/security/faillock.conf 
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
new file mode 100644
index 00000000000..7937ecf2862
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+{{{ tests_init_faillock_vars("correct") }}}
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+
+sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
similarity index 100%
rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/tests/ubuntu_wrong_value.fail.sh
rename to shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
From 2507ad8d44bfbdb790f06b30d32c03842de6adde Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Wed, 11 Dec 2024 12:12:16 +0100 Subject: [PATCH 04/26] Fix broken test in pam_account_password_faillock In newer versions of authselect, 'minimal' profile is removed in favor of 'local'. - https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/ - https://github.com/authselect/authselect/releases/tag/1.5.0 --- .../tests/conflicting_settings_authselect.fail.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh index a99e632a291..91890c28fbc 100644 --- a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh +++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh @@ -6,7 +6,8 @@ pam_files=("password-auth" "system-auth") -authselect create-profile testingProfile --base-on minimal +authselect create-profile testingProfile --base-on minimal || \ + authselect create-profile testingProfile --base-on local CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile" From 8055c39655c8da65e88a7c587cd11d1e4fc18a90 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Wed, 11 Dec 2024 21:07:37 +0100 Subject: [PATCH 05/26] Fix platforms used in pam_account_password_faillock ansible remediation The ansible remediation in `pam_account_password_faillock` was fixed to be applicable on same platforms as the remediations in original rules (accounts_passwords_pam_faillock_deny/unlock_time/interval). --- shared/templates/pam_account_password_faillock/ansible.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template index 5e1161920e5..52ff31b34bd 100644 --- a/shared/templates/pam_account_password_faillock/ansible.template +++ b/shared/templates/pam_account_password_faillock/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_all +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv # reboot = false # strategy = restrict # complexity = low From f3e1cc97dc0095096ceec1a038b76f156a60ac43 Mon Sep 17 00:00:00 2001 
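Review bot: The `||` fallback between the two `authselect create-profile` lines keeps the script running when both the `minimal` and the `local` base profile are unavailable, so the rest of the setup operates on a `CUSTOM_PROFILE_DIR` that was never created and this `.fail.sh` scenario can "fail" for a reason unrelated to the rule under test. Ending the chain with an explicit exit makes a setup problem visible as an error instead: `authselect create-profile testingProfile --base-on minimal 2>/dev/null || \` followed by `    authselect create-profile testingProfile --base-on local || exit 1`. How the test harness reports a non-zero exit from a scenario script is not visible here; the script body continues outside the hunk.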
From: Matthew Burket Date: Fri, 20 Dec 2024 12:12:59 -0600 Subject: [PATCH 06/26] Update set_password_hashing_algorithm_passwordauth for RHEL 10 STIG --- .../policy/stig/rhel10.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml new file mode 100644 index 00000000000..b8b8afdefc0 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_passwordauth/policy/stig/rhel10.yml 
@@ -0,0 +1,27 @@ +srg_requirement: |- + {{{ full_name }}} pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. + +fixtext: |- + Configure {{{ full_name }}} to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. + + Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the yescrypt option for pam_unix.so: + + password sufficient pam_unix.so yescrypt + +checktext: |- + Verify that the pam_unix.so module is configured to use yescrypt in /etc/pam.d/password-auth with the following command: + + $ grep "^password.*pam_unix.so.*yescrypt" /etc/pam.d/password-auth + + password sufficient pam_unix.so yescrypt + + If "yescrypt" is missing, or the line is commented out, this is a finding. + + + +vuldiscussion: |- + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and; therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + + {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. From 4db5e72efa7868ec0e17180f8e9a1222fe7fa4fe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Sat, 28 Dec 2024 21:58:49 +0100 Subject: [PATCH 07/26] Improve audit_rules_privileged_commands The rule audit_rules_privileged_commands needs to be adjusted because it doesn't work in bootable containers. - exclude /sysroot from searching for privileged commands - include composefs as a valid type of filesystem partition - apply remediations on the root filesystem during image build --- .../bash/shared.sh | 27 +++- .../oval/shared.xml | 138 ++++++++++++++++-- 2 files changed, 149 insertions(+), 16 deletions(-) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh index cd61de6dfe3..d0371afcb3d 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/bash/shared.sh 
@@ -10,14 +10,27 @@ SYSCALL="" KEY="privileged" SYSCALL_GROUPING="" -FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) -PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }') -for PARTITION in $PARTITIONS; do - PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null) - for PRIV_CMD in $PRIV_CMDS; do - OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x" +function add_audit_rule() +{ + local PRIV_CMD="$1" + local OTHER_FILTERS="-F path=$PRIV_CMD -F perm=x" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' {{{ bash_fix_audit_syscall_rule("augenrules", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}} {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") | indent(4) }}} +} + +if {{{ bash_bootc_build() }}} ; then + PRIV_CMDS=$(find / -perm /6000 -type f -not -path "/sysroot/*" 2>/dev/null) + for PRIV_CMD in $PRIV_CMDS; do + add_audit_rule $PRIV_CMD + done +else + FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) + PARTITIONS=$(findmnt -n -l -k -it "$FILTER_NODEV" | grep -Pv "noexec|nosuid|/proc($|/.*$)" | awk '{ print $1 }') + for PARTITION in $PARTITIONS; do + PRIV_CMDS=$(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null) + for PRIV_CMD in $PRIV_CMDS; do + add_audit_rule $PRIV_CMD + done done -done +fi diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml index 35cc22cf784..b7b8ab2028a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml 
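Review bot: `add_audit_rule $PRIV_CMD` in both new loops passes the path unquoted, so a path containing whitespace or glob characters is split or expanded before it reaches `-F path=`; write `add_audit_rule "$PRIV_CMD"` in both places (the `for PRIV_CMD in $PRIV_CMDS` word-splitting is pre-existing, but the new call should not add a second one). In the bootc branch `find / ... -not -path "/sysroot/*"` only filters results, so find still walks the whole /sysroot tree and, with no `-xdev`, also /proc and /sys if they are mounted during the build; `find / -path /sysroot -prune -o -perm /6000 -type f -print 2>/dev/null` skips the tree instead. The OVAL in the same commit excludes `^/sysroot/.*$` next to the existing `^/var/tmp/dracut.*` pattern, while neither bash branch excludes the dracut path, so check and remediation may disagree on a host that has such files — worth confirming that is intended.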
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml @@ -5,26 +5,50 @@ - - + + + + + + + + + + + + - - + + + + + + + + + + + + - ^/dev/.*$ + ^(/dev/.*|composefs)$ @@ -64,6 +88,11 @@ ^/var/tmp/dracut.* + + ^/sysroot/.*$ + + @@ -123,11 +181,22 @@ 1 state_unprivileged_commands + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + state_unprivileged_commands_bootc + + + + + + + + @@ -142,11 +217,21 @@ + + + + + + + + + + + + @@ -163,6 +254,13 @@ 1 state_unprivileged_commands + + /etc/audit/audit.rules + + 1 + state_unprivileged_commands_bootc + + + + + @@ -177,11 +281,21 @@ + + + + + + + + + + + + From 7813cec9500f54c00577554b2e01ede8acc540d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Dec 2024 02:08:15 +0000 Subject: [PATCH 08/26] Bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.5 to 7.0.6. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/5e914681df9dc83aa4e4905692ca88beb2f9e91f...67ccf781d68cd99b580ae25a5c18a1cc84ffff1f) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/update-oscal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-oscal.yml b/.github/workflows/update-oscal.yml index bb0324dabfc..4bbe4a56727 100644 --- a/.github/workflows/update-oscal.yml +++ b/.github/workflows/update-oscal.yml 
@@ -45,7 +45,7 @@ jobs: trestle href --name "${{ matrix.variables.profile-name }}" -hr "trestle://catalogs/${{ matrix.variables.catalog-name }}/catalog.json" working-directory: ./shared/references/oscal - name: Update content - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 + uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6 with: base: master branch: "oscal-update-${{ github.run_id }}" From f7916768e6a8a3b99591238d6440d68afcb76e96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 17 Dec 2024 17:21:51 +0100 Subject: [PATCH 09/26] Introduce 'environment' header key to SCE checks This adds a new mechanism that allow content authors to control the execution of SCE checks depending on environment. They can use the `environment` key to disable running their SCE check during a build of a bootable container image, or on contrary, disable running the SCE check outside of the bootable container image build environment. We need to distinguish generic SCE checks from SCE checks that are meant to be executed only during the "podman build" phase of the bootable containers. We need to have a way to specify that some code is special for this environment. This way, we will prevent using SCE checks that require DBUS or other special SCE checks. Also, it will prevent using SCE checks that are designed only for the bootable containers to be executed in other scenarios. This change depends on this OpenSCAP PR: https://github.com/OpenSCAP/openscap/pull/2189 --- .../developer/06_contributing_with_content.md | 7 ++++ shared/templates/sebool/sce-bash.template | 1 + .../service_disabled/sce-bash.template | 1 + .../service_enabled/sce-bash.template | 1 + .../socket_disabled/sce-bash.template | 1 + shared/templates/sysctl/sce-bash.template | 1 + .../templates/timer_enabled/sce-bash.template | 1 + ssg/build_sce.py | 35 ++++++++++++++++++- 8 files changed, 47 insertions(+), 1 deletion(-) 
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md index e1f5e4f906e..11af2c115d5 100644 --- a/docs/manual/developer/06_contributing_with_content.md +++ b/docs/manual/developer/06_contributing_with_content.md @@ -825,6 +825,13 @@ are unique to SCE: it is not necessary. Additionally, OCIL checks, if any is present in the `rule.yml`, are added as a top-level OR-operator `` with the results of this ``. + - `environment`: can be `normal`, `bootc`, `any`. + The default value that is used when this key is not set is `normal`. + This key specifies the environment in which the SCE check can run in. + This way you can restrict some SCE checks to run or not run in Image mode. + If set to `bootc`, the SCE check code will be modified to not run outside of the bootable image build process. + If set to `normal`, the SCE check code will be modified to not run during the bootable image build process. + If set to `any`, the SCE check code will not be modified and therefore will run in any environment. For an example of SCE content, consider the check: diff --git a/shared/templates/sebool/sce-bash.template b/shared/templates/sebool/sce-bash.template index 143aedfe1d8..87a442ecbcc 100644 --- a/shared/templates/sebool/sce-bash.template +++ b/shared/templates/sebool/sce-bash.template @@ -1,4 +1,5 @@ #!/usr/bin/env bash +# environment = bootc # check-import = stdout {{% if not SEBOOL_BOOL %}} # check-export = var_{{{ SEBOOLID }}}=var_{{{ SEBOOLID }}} diff --git a/shared/templates/service_disabled/sce-bash.template b/shared/templates/service_disabled/sce-bash.template index 84addf8e8cc..4d86b9fdc99 100644 --- a/shared/templates/service_disabled/sce-bash.template +++ b/shared/templates/service_disabled/sce-bash.template @@ -1,5 +1,6 @@ #!/bin/bash # check-import = stdout +# environment = bootc if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "masked" ]] ; then exit "$XCCDF_RESULT_PASS" fi 
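Review bot: `# environment = bootc` makes each of these templates a check that, once `_modify_sce_with_environment` wraps it, exits with `$XCCDF_RESULT_ERROR` on any host that is not a bootable-container build; the same header is added to service_enabled, socket_disabled, sysctl and timer_enabled in the following hunks. If any product selects these SCE variants outside image mode, every such rule will now report an error instead of a result, so it is worth confirming that these SCE templates are only built for bootc products or, if not, using `any` here. A separate comment line above the header stating why the check is bootc-only, e.g. `# bootc-only: evaluated during the image build, not on a running host`, would help the next author (keep it on its own line, since text appended to the header line becomes part of the parsed value).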
diff --git a/shared/templates/service_enabled/sce-bash.template b/shared/templates/service_enabled/sce-bash.template index 5d33a00d3a6..03254c17170 100644 --- a/shared/templates/service_enabled/sce-bash.template +++ b/shared/templates/service_enabled/sce-bash.template @@ -1,4 +1,5 @@ #!/bin/bash +# environment = bootc # check-import = stdout if [[ $(systemctl is-enabled {{{ DAEMONNAME }}}.service) == "enabled" ]] ; then exit "$XCCDF_RESULT_PASS" diff --git a/shared/templates/socket_disabled/sce-bash.template b/shared/templates/socket_disabled/sce-bash.template index 2b27cd73ba6..3b0cca18f0c 100644 --- a/shared/templates/socket_disabled/sce-bash.template +++ b/shared/templates/socket_disabled/sce-bash.template @@ -1,4 +1,5 @@ #!/bin/bash +# environment = bootc # check-import = stdout if [[ $(systemctl is-enabled {{{ SOCKETNAME }}}.socket) == "masked" ]] ; then exit "$XCCDF_RESULT_PASS" diff --git a/shared/templates/sysctl/sce-bash.template b/shared/templates/sysctl/sce-bash.template index 54a120e983e..352b701f9b0 100644 --- a/shared/templates/sysctl/sce-bash.template +++ b/shared/templates/sysctl/sce-bash.template @@ -1,4 +1,5 @@ #!/usr/bin/env bash +# environment = bootc # check-import = stdout {{% if SYSCTLVAL == "" %}} # check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value diff --git a/shared/templates/timer_enabled/sce-bash.template b/shared/templates/timer_enabled/sce-bash.template index 53101b496dd..a09354aa387 100644 --- a/shared/templates/timer_enabled/sce-bash.template +++ b/shared/templates/timer_enabled/sce-bash.template @@ -1,4 +1,5 @@ #!/bin/bash +# environment = bootc # check-import = stdout if [[ $(systemctl is-enabled {{{ TIMERNAME }}}.timer) == "enabled" ]] ; then exit "$XCCDF_RESULT_PASS" diff --git a/ssg/build_sce.py b/ssg/build_sce.py index 110a73f7617..b8fc73703c1 100644 --- a/ssg/build_sce.py +++ b/ssg/build_sce.py 
@@ -34,12 +34,33 @@ def load_sce_and_metadata(file_path, local_env_yaml):
 return load_sce_and_metadata_parsed(raw_content)
 
 
+def _modify_sce_with_environment(sce_content, environment):
+ if environment == "any":
+ return
+ if environment == "bootc":
+ condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\""
+ if environment == "normal":
+ condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\""
+ for i in range(len(sce_content)):
+ if len(sce_content[i]) > 0:
+ sce_content[i] = (4 * " ") + sce_content[i]
+ sce_content.insert(0, "if [[ " + condition + " ]] ; then")
+ sce_content.append("else")
+ sce_content.append(" echo \"The SCE check can't run in this environment.\"")
+ sce_content.append(" exit \"$XCCDF_RESULT_ERROR\"")
+ sce_content.append("fi")
+
+
 def load_sce_and_metadata_parsed(raw_content):
 metadata = dict()
 sce_content = []
 
- keywords = ['platform', 'check-import', 'check-export', 'complex-check']
+ keywords = ['platform', 'check-import', 'check-export', 'complex-check', 'environment']
+ shebang = "#!/usr/bin/bash"
 for line in raw_content.split("\n"):
+ if line.startswith("#!"):
+ shebang = line
+ continue
 found_metadata = False
 for keyword in keywords:
 if not line.startswith('# ' + keyword + ' = '):
@@ -66,6 +87,18 @@ def load_sce_and_metadata_parsed(raw_content):
 if 'platform' in metadata:
 metadata['platform'] = metadata['platform'].split(',')
 
+ if "environment" not in metadata:
+ metadata["environment"] = "normal"
+ environment_options = ["normal", "bootc", "any"]
+ if metadata["environment"] not in environment_options:
+ raise RuntimeError(
+ "Wrong value of the 'environment' headers: '%s'. It needs to be "
+ "one of %s" % (
+ metadata["environment"], ", ".join(environment_options))
+ )
+
+ _modify_sce_with_environment(sce_content, metadata["environment"])
+ sce_content.insert(0, shebang)
 return "\n".join(sce_content), metadata
From da7a670de5d8f6d62b047316e3e9cc6219898ac4 Mon Sep 17 00:00:00 2001
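Review bot: `_modify_sce_with_environment` prefixes every non-empty script line with four spaces, which changes meaning wherever column position matters in bash — a here-document terminator for `<<EOF` that is no longer at column 0 stops terminating and the rest of the script is swallowed; whether any existing SCE check uses a here-document is not visible from here, so this should be verified or the guard added without re-indenting the body. The `else` branch prints the "can't run" message with a plain `echo`, i.e. to stdout, which the `# check-import = stdout` templates in this same series import as the check result; `sce_content.append("    echo \"The SCE check can't run in this environment.\" >&2")` keeps the imported value clean. Both points survive the later rewrites of this function in patches 10 and 11. The shebang detection `if line.startswith("#!")` matches any line beginning with `#!`, not only the first one; restricting it to the first line of `raw_content` avoids silently dropping a later comment from the script body.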
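Review bot: The message on the new `raise RuntimeError(...)` says `'environment' headers` for a single header key; `"Wrong value of the 'environment' header: '%s'. It needs to be "` reads correctly. `environment_options` is rebuilt on every call and is the only place the allowed values are listed, so a module-level constant (a constructed name such as `ENVIRONMENT_OPTIONS = ("normal", "bootc", "any")`) would give the validation, the docs and `_modify_sce_with_environment` one definition to agree on. The enclosing `load_sce_and_metadata_parsed` starts outside the hunk.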
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 18 Dec 2024 17:23:12 +0100 Subject: [PATCH 10/26] Split function Extracts code to separate functions. Reduces code complexity and addresses Code Climate problem. --- ssg/build_sce.py | 51 ++++++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/ssg/build_sce.py b/ssg/build_sce.py index b8fc73703c1..19f35a4c241 100644 --- a/ssg/build_sce.py +++ b/ssg/build_sce.py @@ -34,24 +34,7 @@ def load_sce_and_metadata(file_path, local_env_yaml): return load_sce_and_metadata_parsed(raw_content) -def _modify_sce_with_environment(sce_content, environment): - if environment == "any": - return - if environment == "bootc": - condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\"" - if environment == "normal": - condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\"" - for i in range(len(sce_content)): - if len(sce_content[i]) > 0: - sce_content[i] = (4 * " ") + sce_content[i] - sce_content.insert(0, "if [[ " + condition + " ]] ; then") - sce_content.append("else") - sce_content.append(" echo \"The SCE check can't run in this environment.\"") - sce_content.append(" exit \"$XCCDF_RESULT_ERROR\"") - sce_content.append("fi") - - -def load_sce_and_metadata_parsed(raw_content): +def _parse_metadata(raw_content): metadata = dict() sce_content = [] @@ -74,7 +57,10 @@ def load_sce_and_metadata_parsed(raw_content): if not found_metadata: sce_content.append(line) + return shebang, "\n".join(sce_content), metadata + +def _set_metadata_default_values(metadata): if 'check-export' in metadata: # Special case for the variables exposed to the SCE script: prepend # the OSCAP_VALUE prefix to reference the variable 
@@ -97,9 +83,32 @@ def load_sce_and_metadata_parsed(raw_content):
 metadata["environment"], ", ".join(environment_options))
 )
 
- _modify_sce_with_environment(sce_content, metadata["environment"])
- sce_content.insert(0, shebang)
- return "\n".join(sce_content), metadata
+
+def _modify_sce_with_environment(sce_content, environment):
+ if environment == "any":
+ return
+ if environment == "bootc":
+ condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\""
+ if environment == "normal":
+ condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\""
+ lines = list(sce_content.split("\n"))
+ for i in range(len(lines)):
+ if len(lines[i]) > 0:
+ lines[i] = (4 * " ") + lines[i]
+ lines.insert(0, "if [[ " + condition + " ]] ; then")
+ lines.append("else")
+ lines.append(" echo \"The SCE check can't run in this environment.\"")
+ lines.append(" exit \"$XCCDF_RESULT_ERROR\"")
+ lines.append("fi")
+ return "\n".join(lines)
+
+
+def load_sce_and_metadata_parsed(raw_content):
+ shebang, sce_content, metadata = _parse_metadata(raw_content)
+ _set_metadata_default_values(metadata)
+ sce_content = _modify_sce_with_environment(sce_content, metadata["environment"])
+ sce_content = shebang + "\n" + sce_content
+ return sce_content, metadata
 
 
 def _check_is_applicable_for_product(metadata, product):
From 49635400887c694f756134715f4bf8fa6abff97e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Jan 2025 14:26:03 +0100 Subject: [PATCH 11/26] Change condition Do not depend on setting the environment variable OSCAP_BOOTC_BUILD by oscap. Instead, detect the bootable container build process by a direct check in SCE script code. --- ssg/build_sce.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ssg/build_sce.py b/ssg/build_sce.py
index 19f35a4c241..71f14007207 100644
--- a/ssg/build_sce.py
+++ b/ssg/build_sce.py
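Review bot: `lines = list(sce_content.split("\n"))` wraps a value that is already a list, and the index loop below it re-indents by position; `lines = [("    " + line) if line else line for line in sce_content.split("\n")]` expresses the same transformation without the `range(len(...))` idiom. `_parse_metadata` joins the script lines only for `_modify_sce_with_environment` to split them again; passing the list through and joining once in `load_sce_and_metadata_parsed` would avoid the round trip, though that is a matter of taste. The function also deserves a one-line docstring, e.g. `"""Wrap the script body in a guard for the selected environment and return the new text."""`, since the returned value is what ends up in the built content.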
@@ -88,14 +88,14 @@ def _modify_sce_with_environment(sce_content, environment):
 if environment == "any":
 return
 if environment == "bootc":
- condition = "\"$OSCAP_BOOTC_BUILD\" == \"YES\""
+ condition = "(rpm -q --quiet bootc && [ -e /run/.containerenv ])"
 if environment == "normal":
- condition = "\"$OSCAP_BOOTC_BUILD\" != \"YES\""
+ condition = "! (rpm -q --quiet bootc && [ -e /run/.containerenv ])"
 lines = list(sce_content.split("\n"))
 for i in range(len(lines)):
 if len(lines[i]) > 0:
 lines[i] = (4 * " ") + lines[i]
- lines.insert(0, "if [[ " + condition + " ]] ; then")
+ lines.insert(0, "if " + condition + " ; then")
 lines.append("else")
 lines.append(" echo \"The SCE check can't run in this environment.\"")
 lines.append(" exit \"$XCCDF_RESULT_ERROR\"")
From 234d5964dbeac668efb41d86ac7b649c187d0fa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Jan 2025 14:36:35 +0100 Subject: [PATCH 12/26] Change the default value of environment Change the default value of the `environment` header to `any`. Using `any` does not modify the built content therefore this PR won't modify the existing SCE checks unless we add the `environment` header explicitly. --- docs/manual/developer/06_contributing_with_content.md | 2 +- ssg/build_sce.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
index 11af2c115d5..ab5c430c7e9 100644
--- a/docs/manual/developer/06_contributing_with_content.md
+++ b/docs/manual/developer/06_contributing_with_content.md
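Review bot: The new guard `(rpm -q --quiet bootc && [ -e /run/.containerenv ])` calls `rpm` unconditionally, so on a host without rpm (the Ubuntu platforms targeted elsewhere in this series, if these checks are built for them) every wrapped check writes "rpm: command not found" to stderr, and an `environment = normal` check still runs only because the negated subshell happens to fail; `( command -v rpm >/dev/null 2>&1 && rpm -q --quiet bootc && [ -e /run/.containerenv ] )` keeps the scan quiet. `/run/.containerenv` is the marker podman creates, so the detection presumably does not fire under other container runtimes — acceptable if the commit message's "podman build" phase is the only target, but a comment in the generated script such as `# bootc image build detected via the bootc package plus podman's /run/.containerenv marker` would record that assumption where the next maintainer will look.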
@@ -826,7 +826,7 @@ are unique to SCE: `rule.yml`, are added as a top-level OR-operator `` with the results of this ``. - `environment`: can be `normal`, `bootc`, `any`. - The default value that is used when this key is not set is `normal`. + The default value that is used when this key is not set is `any`. This key specifies the environment in which the SCE check can run in. This way you can restrict some SCE checks to run or not run in Image mode. If set to `bootc`, the SCE check code will be modified to not run outside of the bootable image build process. diff --git a/ssg/build_sce.py b/ssg/build_sce.py index 71f14007207..bd2c0afe0b6 100644 --- a/ssg/build_sce.py +++ b/ssg/build_sce.py @@ -74,7 +74,7 @@ def _set_metadata_default_values(metadata): metadata['platform'] = metadata['platform'].split(',') if "environment" not in metadata: - metadata["environment"] = "normal" + metadata["environment"] = "any" environment_options = ["normal", "bootc", "any"] if metadata["environment"] not in environment_options: raise RuntimeError( From 78ba328465cdd0df0bd99ca0c3b72a1bca7247f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Jan 2025 15:12:57 +0100 Subject: [PATCH 13/26] Fix missing return value in a function --- ssg/build_sce.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssg/build_sce.py b/ssg/build_sce.py index bd2c0afe0b6..dda367bbb31 100644 --- a/ssg/build_sce.py +++ b/ssg/build_sce.py @@ -86,7 +86,7 @@ def _set_metadata_default_values(metadata): def _modify_sce_with_environment(sce_content, environment): if environment == "any": - return + return sce_content if environment == "bootc": condition = "(rpm -q --quiet bootc && [ -e /run/.containerenv ])" if environment == "normal": From 00fe29b6614be793842fb26a8200b024324b79f1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 2 Jan 2025 16:00:11 +0100 Subject: [PATCH 14/26] Fix ensure_redhat_gpgkey_installed on RHEL 10 We have discovered during productization that the rule ensure_redhat_gpgkey_installed fails on RHEL 10. It seems to have an easy fix so we aren't opening a ticket but we are fixing it directly. The release and version values in product.yml were swapped. ``` [root@XXX ~]# rpm -q redhat-release redhat-release-10.0-24.el10.x86_64 [root@XXX ~]# rpm -q --queryformat 'release=%{RELEASE} version=%{VERSION}\n' gpg-pubkey release=4ae0493b version=fd431d51 release=6229229e version=5a6340b3 ``` --- products/rhel10/product.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml index 6104f9d2e22..be5634ab6a1 100644 --- a/products/rhel10/product.yml +++ b/products/rhel10/product.yml @@ -28,10 +28,10 @@ dconf_gdm_dir: "distro.d" faillock_path: "/var/log/faillock" # The fingerprints below are retrieved from https://access.redhat.com/security/team/key -pkg_release: "fd431d51" -pkg_version: "4ae0493c" -aux_pkg_release: "5a6340b3" -aux_pkg_version: "6229229e" +pkg_release: "4ae0493c" +pkg_version: "fd431d51" +aux_pkg_release: "6229229e" +aux_pkg_version: "5a6340b3" release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51" auxiliary_key_fingerprint: "7E4624258C406535D56D6F135054E4A45A6340B3" From f5043b0d5a2412f054a8918d448a0be70fed9f32 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 2 Jan 2025 18:24:32 +0000 Subject: [PATCH 15/26] Implement rule 5.3.3.2.8 Ensure password quality is enforced for the root user --- controls/cis_ubuntu2404.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 74b56aa1cae..d47cc140036 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml 
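Review bot: `pkg_release: "4ae0493c"` does not match the evidence quoted in the commit message, where the `rpm -q --queryformat` output reports `release=4ae0493b` for the fd431d51 key — the last character differs (`b` vs `c`). The value was already `4ae0493c` before the swap, so either the commit message has a typo or that field has been wrong all along; since the rule presumably compares against this string, confirm it against `rpm -q gpg-pubkey` on a RHEL 10 host before merging. A comment above these four keys, e.g. `# pkg_version/pkg_release hold the VERSION and RELEASE fields of the gpg-pubkey packages as printed by rpm -q --queryformat`, would make the meaning of each field explicit and prevent the next swap.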
@@ -1997,8 +1997,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_password_pam_enforce_root + status: automated - id: 5.3.3.3.1 title: Ensure password history remember is configured (Automated) From e112f21a5598432d47f24955c8fac410c135f97c Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 2 Jan 2025 18:31:54 +0000 Subject: [PATCH 16/26] Implement rule 5.3.3.4.3 Ensure pam_unix includes a strong password hashing algorithm --- controls/cis_ubuntu2404.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 74b56aa1cae..0fcdd4d2c63 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -2048,11 +2048,10 @@ controls: levels: - l1_server - l1_workstation - related_rules: - - var_password_hashing_algorithm=yescrypt - - set_password_hashing_algorithm_logindefs - status: planned - notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.4. + rules: + - var_password_hashing_algorithm_pam=yescrypt + - set_password_hashing_algorithm_systemauth + status: automated - id: 5.3.3.4.4 title: Ensure pam_unix includes use_authtok (Automated) From b0be6f82858a94ae4087b98eb9f000da7b5af15d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 3 Jan 2025 11:14:11 +0100 Subject: [PATCH 17/26] Refactor: extract function --- ssg/build_sce.py | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/ssg/build_sce.py b/ssg/build_sce.py index dda367bbb31..17906a0f560 100644 --- a/ssg/build_sce.py +++ b/ssg/build_sce.py 
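Review bot: Both hunks that touch controls/cis_ubuntu2404.yml in this series (patches 15 and 16) carry the same pre-image blob, `index 74b56aa1cae..`, so the second patch was generated against the same base as the first rather than on top of it and will likely need a rebase before the series applies in order. The rule chosen for 5.3.3.4.3 is `set_password_hashing_algorithm_systemauth`; on Ubuntu the pam_unix password line lives in /etc/pam.d/common-password rather than a system-auth file, so confirm that the rule's Ubuntu variant targets that file before marking the control `automated`.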
@@ -34,29 +34,30 @@ def load_sce_and_metadata(file_path, local_env_yaml):
 return load_sce_and_metadata_parsed(raw_content)
 
 
+def _process_raw_content_line(line, sce_content, metadata):
+ found_metadata = False
+ keywords = ['platform', 'check-import', 'check-export', 'complex-check', 'environment']
+ for keyword in keywords:
+ if not line.startswith('# ' + keyword + ' = '):
+ continue
+ found_metadata = True
+ # Strip off the initial comment marker
+ _, value = line[2:].split('=', maxsplit=1)
+ metadata[keyword] = value.strip()
+
+ if not found_metadata:
+ sce_content.append(line)
+
+
 def _parse_metadata(raw_content):
 metadata = dict()
 sce_content = []
-
- keywords = ['platform', 'check-import', 'check-export', 'complex-check', 'environment']
 shebang = "#!/usr/bin/bash"
 for line in raw_content.split("\n"):
 if line.startswith("#!"):
 shebang = line
 continue
- found_metadata = False
- for keyword in keywords:
- if not line.startswith('# ' + keyword + ' = '):
- continue
-
- found_metadata = True
-
- # Strip off the initial comment marker
- _, value = line[2:].split('=', maxsplit=1)
- metadata[keyword] = value.strip()
-
- if not found_metadata:
- sce_content.append(line)
+ _process_raw_content_line(line, sce_content, metadata)
 
 return shebang, "\n".join(sce_content), metadata
From 7ce17f8fcbb0369935d462753043c13e7a505a58 Mon Sep 17 00:00:00 2001
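Review bot: `_process_raw_content_line` rebuilds the `keywords` list on every call, once per script line, and the `found_metadata` flag exists only to decide whether to append; hoisting the list to a module constant and returning as soon as a keyword matches keeps the loop flat and drops the flag. The function mutates both `sce_content` and `metadata` in place and returns nothing, which its docstring should state so callers do not expect a value back.

```python
# constructed name for the hoisted list; the keyword values are the ones from the hunk
SCE_METADATA_KEYWORDS = ['platform', 'check-import', 'check-export', 'complex-check', 'environment']


def _process_raw_content_line(line, sce_content, metadata):
    """Record a '# key = value' header line in metadata; append any other line to sce_content."""
    for keyword in SCE_METADATA_KEYWORDS:
        if not line.startswith('# ' + keyword + ' = '):
            continue
        # Strip off the initial comment marker
        _, value = line[2:].split('=', maxsplit=1)
        metadata[keyword] = value.strip()
        return
    sce_content.append(line)
```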
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 3 Jan 2025 14:58:09 +0100 Subject: [PATCH 18/26] Enable OSPP profile in RHEL 10 Currently, the data stream in RHEL 10 daily productization contains OSPP profile and therefore differs from upstream defaults. We still want to run tests with OSPP profile in daily productization. At the same time, we don't want to test different data stream in daily productization than in upstream tests and CI. This will be solved by enabling the OSPP profile by default. --- .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 1 + .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 1 + .../bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 1 + .../bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 1 + .../zipl_page_alloc_shuffle_argument/rule.yml | 1 + products/rhel10/profiles/ospp.profile | 2 +- shared/references/cce-redhat-avail.txt | 5 ----- 7 files changed, 6 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index 2e721d99c54..bc3f5508cf8 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel9: CCE-85867-0 + cce@rhel10: CCE-86953-7 ocil_clause: 'the kernel is not configured to zero out memory before allocation' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml index c115ba0ecd5..e2ec1168f44 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml 
@@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel8: CCE-83485-3 cce@rhel9: CCE-84092-6 + cce@rhel10: CCE-87335-6 ocil_clause: 'a non BLS boot entry is configured' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml index 6f4626639b6..82a0242e256 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel8: CCE-83486-1 cce@rhel9: CCE-84098-3 + cce@rhel10: CCE-87515-3 ocil_clause: 'the bootmap is outdated' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml index e679e43b431..d0f21b0957e 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml @@ -22,6 +22,7 @@ severity: medium identifiers: cce@rhel9: CCE-85868-8 + cce@rhel10: CCE-88443-7 ocil_clause: 'the kernel is not configured to zero out memory before allocation' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml index b82d08e0614..8abdaaf0822 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml @@ -27,6 +27,7 @@ severity: medium identifiers: cce@rhel9: CCE-85880-3 + cce@rhel10: CCE-89057-4 ocil_clause: 'randomization of the page allocator is not enabled in the kernel' diff --git a/products/rhel10/profiles/ospp.profile b/products/rhel10/profiles/ospp.profile index 9abfd024e29..0642cbab2ec 100644 --- a/products/rhel10/profiles/ospp.profile 
+++ b/products/rhel10/profiles/ospp.profile @@ -1,4 +1,4 @@ -documentation_complete: false +documentation_complete: true metadata: version: 4.3 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index c4686286517..71dddd11669 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -224,7 +224,6 @@ CCE-86935-4 CCE-86936-2 CCE-86937-0 CCE-86952-9 -CCE-86953-7 CCE-86955-2 CCE-86956-0 CCE-86958-6 @@ -446,7 +445,6 @@ CCE-87325-7 CCE-87326-5 CCE-87327-3 CCE-87334-9 -CCE-87335-6 CCE-87342-2 CCE-87343-0 CCE-87346-3 @@ -553,7 +551,6 @@ CCE-87510-4 CCE-87511-2 CCE-87512-0 CCE-87513-8 -CCE-87515-3 CCE-87516-1 CCE-87517-9 CCE-87519-5 @@ -1129,7 +1126,6 @@ CCE-88431-2 CCE-88432-0 CCE-88434-6 CCE-88442-9 -CCE-88443-7 CCE-88445-2 CCE-88446-0 CCE-88447-8 @@ -1503,7 +1499,6 @@ CCE-89050-9 CCE-89052-5 CCE-89053-3 CCE-89054-1 -CCE-89057-4 CCE-89065-7 CCE-89066-5 CCE-89067-3 From 4847da106b84536b0d1b6be0e2342a319eef45a9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 3 Jan 2025 16:23:32 +0100 Subject: [PATCH 19/26] Add missing OSPP references Based on contest test `/static-checks/rule-identifiers/ospp/` --- controls/ospp.yml | 1 - .../auditd_data_retention_flush/rule.yml | 1 + .../services/fapolicyd/package_fapolicyd_installed/rule.yml | 1 + .../ssh/ssh_server/sshd_use_directory_configuration/rule.yml | 1 + .../services/usbguard/package_usbguard_installed/rule.yml | 1 + .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 2 ++ .../grub2_page_alloc_shuffle_argument/rule.yml | 2 ++ .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++ .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++ .../bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 3 +++ .../bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml | 3 +++ .../network-uncommon/kernel_module_sctp_disabled/rule.yml | 1 + .../kernel_module_bluetooth_disabled/rule.yml | 1 + .../partitions/mount_option_var_log_audit_nodev/rule.yml | 1 + .../partitions/mount_option_var_log_audit_noexec/rule.yml | 1 + .../partitions/mount_option_var_log_audit_nosuid/rule.yml | 1 + .../sysctl_kernel_kptr_restrict/rule.yml | 1 + .../restrictions/sysctl_kernel_dmesg_restrict/rule.yml | 1 + .../restrictions/sysctl_kernel_kexec_load_disabled/rule.yml | 1 + .../restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml | 1 + linux_os/guide/system/selinux/selinux_policytype/rule.yml | 1 + linux_os/guide/system/selinux/selinux_state/rule.yml | 1 + .../integrity/crypto/configure_openssl_crypto_policy/rule.yml | 1 + .../software/updating/package_dnf-automatic_installed/rule.yml | 1 + 24 files changed, 33 insertions(+), 1 deletion(-) diff --git a/controls/ospp.yml b/controls/ospp.yml index 8e3f400ed27..20ae9fa45e5 100644 --- a/controls/ospp.yml +++ b/controls/ospp.yml 
@@ -378,7 +378,6 @@ controls: - chronyd_client_only - package_chrony_installed - configure_usbguard_auditbackend - - package_fapolicyd_installed - package_usbguard_installed - service_usbguard_enabled - usbguard_allow_hid_and_hub diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml index 87e1b08b5b4..6964921722d 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml @@ -36,6 +36,7 @@ references: nerc-cip: CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 nist: AU-11,CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 + ospp: FAU_GEN.1 srg: SRG-OS-000480-GPOS-00227 ocil_clause: 'auditd is not configured to synchronously write audit event data to disk' diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml index 5b602d1963d..5149ccb54bc 100644 --- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml @@ -21,6 +21,7 @@ identifiers: references: disa: CCI-001774,CCI-001764 nist: CM-6(a),SI-4(22) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230 stigid@ol8: OL08-00-040135 stigid@rhel8: RHEL-08-040135 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml index 45d7813fcba..9f10f37ec75 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml 
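Review bot: The removal of `- package_fapolicyd_installed` from this control's rule list is not covered by the commit message, which only describes adding OSPP references. If the entry duplicates a selection elsewhere in `controls/ospp.yml` the change is harmless, but if it was the only selection the OSPP profile silently loses the fapolicyd package requirement, the very rule this commit tags with `ospp: FMT_SMF_EXT.1`. A sentence in the description such as `Drop the duplicate package_fapolicyd_installed selection from controls/ospp.yml` would make the intent reviewable; the control this list belongs to begins above the hunk.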
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml @@ -20,6 +20,7 @@ identifiers: references: hipaa: 164.312(a) + ospp: FCS_SSH_EXT.1 ocil_clause: "you don't include other configuration files from the main configuration file" diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml index 2e8ab4691bb..0ee95605233 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml @@ -47,6 +47,7 @@ references: disa: CCI-001958,CCI-003959 ism: "1418" nist: CM-8(3),IA-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315 stigid@ol8: OL08-00-040139 stigid@rhel8: RHEL-08-040139 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index bc3f5508cf8..3f61c7dec7d 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -25,6 +25,8 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} +references: + ospp: AVA_VAN.1 template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml index f94c8556847..49212c0bc28 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml 
@@ -31,6 +31,8 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}} +references: + ospp: AVA_VAN.1 template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml index e2ec1168f44..52506c41173 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml @@ -18,6 +18,9 @@ identifiers: cce@rhel9: CCE-84092-6 cce@rhel10: CCE-87335-6 +references: + ospp: FPT_TST_EXT.1 + ocil_clause: 'a non BLS boot entry is configured' ocil: |- diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml index 82a0242e256..dfebe5b96c0 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml @@ -20,6 +20,9 @@ identifiers: cce@rhel9: CCE-84098-3 cce@rhel10: CCE-87515-3 +references: + ospp: FPT_TST_EXT.1 + ocil_clause: 'the bootmap is outdated' ocil: |- diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml index d0f21b0957e..ce431bdcea8 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml @@ -24,6 +24,9 @@ identifiers: cce@rhel9: CCE-85868-8 cce@rhel10: CCE-88443-7 +references: + ospp: AVA_VAN.1 + ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml index 8abdaaf0822..6cbbc0b821b 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml @@ -29,6 +29,9 @@ identifiers: cce@rhel9: CCE-85880-3 cce@rhel10: CCE-89057-4 +references: + ospp: AVA_VAN.1 + ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml index c594719aab0..5894d44b876 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml @@ -41,6 +41,7 @@ references: iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 nist: CM-7(a),CM-7(b),CM-6(a) nist-csf: PR.IP-1,PR.PT-3 + ospp: FMT_SMF_EXT.1 pcidss: Req-1.4.2 srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040023 diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml index e14d31803f3..69f5aac256d 100644 --- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml +++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml 
@@ -34,6 +34,7 @@ references: iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7 nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118 stigid@ol8: OL08-00-040111 stigid@rhel8: RHEL-08-040111 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml index 1a14ae6615e..a0afbcf7298 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml @@ -30,6 +30,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040129 stigid@rhel8: RHEL-08-040129 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml index 12fd9b470b6..eeb5906df3f 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml @@ -28,6 +28,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040131 stigid@rhel8: RHEL-08-040131 
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml index 06d864887ed..bd5ed3cea05 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml @@ -29,6 +29,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2 nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000368-GPOS-00154 stigid@ol8: OL08-00-040130 stigid@rhel8: RHEL-08-040130 diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index 772868e5300..95f13e13b18 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -26,6 +26,7 @@ references: disa: CCI-000366,CCI-002824,CCI-001082 nerc-cip: CIP-002-5 R1.1,CIP-002-5 R1.2,CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R2.2.3,CIP-004-6 R2.2.4,CIP-004-6 R2.3,CIP-004-6 R4,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R8.4,CIP-009-6 R.1.1,CIP-009-6 R4 nist: SC-30,SC-30(2),SC-30(5),CM-6(a) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000433-GPOS-00192,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040283 stigid@rhel8: RHEL-08-040283 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index 7ad7a4b5fd0..651e3bc35c7 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml @@ -25,6 +25,7 @@ references: disa: CCI-001082,CCI-001090 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) nist: SI-11(a),SI-11(b) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600 stigid@ol7: OL07-00-010375 stigid@ol8: OL08-00-010375 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml index ae651f6dfeb..c763c7d057c 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml @@ -20,6 +20,7 @@ identifiers: references: disa: CCI-003992,CCI-000366 nist: CM-6 + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000366-GPOS-00153 stigid@ol8: OL08-00-010372 stigid@rhel8: RHEL-08-010372 diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml index fd00ea142d3..498e93e15fd 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml 
@@ -24,6 +24,7 @@ identifiers: references: disa: CCI-000366,CCI-001082 nist: SC-7(10) + ospp: FMT_SMF_EXT.1 srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040282 stigid@rhel8: RHEL-08-040282 diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml index 3369554bc90..0ce6648a9ec 100644 --- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml +++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml @@ -47,6 +47,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 nist: AC-3,AC-3(3)(a),AU-9,SC-7(21) nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4 + ospp: FMT_MOF_EXT.1 srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585 stigid@ol7: OL07-00-020220 stigid@ol8: OL08-00-010450 diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml index 237064080e1..ba0a43a4a0a 100644 --- a/linux_os/guide/system/selinux/selinux_state/rule.yml +++ b/linux_os/guide/system/selinux/selinux_state/rule.yml @@ -40,6 +40,7 @@ references: nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5 nist: AC-3,AC-3(3)(a),AU-9,SC-7(21) nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4 + ospp: FMT_MOF_EXT.1 srg: SRG-OS-000445-GPOS-00199,SRG-OS-000134-GPOS-00068 stigid@ol7: OL07-00-020210 stigid@ol8: OL08-00-010170 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml index de245380fea..20101a46a84 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml @@ -42,6 +42,7 @@ references: disa: CCI-001453 nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1 nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) + ospp: FCS_CKM.1,FCS_CKM.1.1,FCS_CKM.2,FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_TLSC_EXT.1,FCS_TLSC_EXT.1.1 pcidss: Req-2.2 srg: SRG-OS-000250-GPOS-00093 stigid@ol8: OL08-00-010293 diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml index 05d7f63da06..aab38c322a0 100644 --- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml +++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml @@ -20,6 +20,7 @@ identifiers: cce@sle15: CCE-91163-6 references: + ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2 srg: SRG-OS-000191-GPOS-00080 ocil_clause: 'the package is not installed' From e4ced68734bef0d59e70c8df3b92628c474366ff Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 18 Dec 2024 16:53:56 -0600 Subject: [PATCH 20/26] Add Containerfile for building OCP content in Konflux Konflux is being enabled in https://github.com/ComplianceAsCode/content/pull/12745 This will make it so we can build images with CaC/content using Konflux. --- ...nce-operator-content-konflux.Containerfile | 95 +++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 Dockerfiles/compliance-operator-content-konflux.Containerfile 
diff --git a/Dockerfiles/compliance-operator-content-konflux.Containerfile b/Dockerfiles/compliance-operator-content-konflux.Containerfile new file mode 100644 index 00000000000..05ab40cf015 --- /dev/null +++ b/Dockerfiles/compliance-operator-content-konflux.Containerfile 
@@ -0,0 +1,95 @@ +FROM registry.redhat.io/ubi9/ubi:latest AS builder + +# The build tooling requires python, and the openscap-utils package to build +# the content. +RUN yum -y install python3 cmake make python3-pyyaml python3-jinja2 openscap-utils + +WORKDIR /go/src/github.com/ComplianceAsCode/content +COPY . . + + +# Disable all profiles so we don't accidentally ship a profile we don't intend to ship +RUN find . -name "*.profile" -exec sed -i 's/\(documentation_complete: \).*/\1false/' '{}' \; +# Enable the default.profiles as they maintain a list rules to be added to the datastream +RUN find . -name "default\.profile" -exec sed -i 's/\(documentation_complete: \).*/\1true/' '{}' \; + +# Choose profile to enable for all architectures +RUN sed -i 's/\(documentation_complete: \).*/\1true/' \ + products/ocp4/profiles/pci-dss-node-3-2.profile \ + products/ocp4/profiles/pci-dss-3-2.profile \ + products/ocp4/profiles/pci-dss-node-4-0.profile \ + products/ocp4/profiles/pci-dss-4-0.profile \ + products/ocp4/profiles/pci-dss-node.profile \ + products/ocp4/profiles/pci-dss.profile \ + products/ocp4/profiles/cis-node.profile \ + products/ocp4/profiles/cis.profile \ + products/ocp4/profiles/cis-node-1-4.profile \ + products/ocp4/profiles/cis-1-4.profile \ + products/ocp4/profiles/cis-node-1-5.profile \ + products/ocp4/profiles/cis-1-5.profile \ + products/ocp4/profiles/moderate-node.profile \ + products/ocp4/profiles/moderate.profile \ + products/ocp4/profiles/moderate-node-rev-4.profile \ + products/ocp4/profiles/moderate-rev-4.profile + +# Only enable for x86_64 +RUN if [ "$(uname -m)" = "x86_64" ]; then \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/e8.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high-node.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' 
products/ocp4/profiles/high-rev-4.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/high-node-rev-4.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/nerc-cip.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/nerc-cip-node.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/moderate.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/high.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/moderate-rev-4.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/high-rev-4.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/e8.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/nerc-cip.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss-node.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss-node-3-2.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/pci-dss-3-2.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-node.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/stig.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-v1r1.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-node-v1r1.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/stig-v1r1.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' 
products/ocp4/profiles/stig-v2r1.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/ocp4/profiles/stig-node-v2r1.profile && \ + sed -i 's/\(documentation_complete: \).*/\1true/' products/rhcos4/profiles/stig-v2r1.profile; \ + fi + +# OCPBUGS-32794: Ensure stability of rules shipped +# Before building the content we re-enable all profiles as hidden, this will include any rule selected +# by these profiles in the data stream without creating a profile for them. +RUN grep -lr 'documentation_complete: false' ./products | xargs -I '{}' \ + sed -i -e 's/\(documentation_complete: \).*/\1true/' -e '/documentation_complete/a hidden: true' {} + +# Build the OpenShift and RHCOS content for x86 architectures. Only build +# OpenShift content for ppc64le and s390x architectures. +RUN if [ "$(uname -m)" = "x86_64" ]; then \ + ./build_product ocp4 rhcos4 --datastream-only; \ + else ./build_product ocp4 --datastream-only; \ + fi + +FROM registry.redhat.io/ubi9/ubi-micro:latest + +LABEL \ + io.k8s.display-name="Compliance Content" \ + io.k8s.description="OpenSCAP content for the compliance-operator." \ + io.openshift.tags="openshift,compliance,security" \ + com.redhat.delivery.appregistry="false" \ + maintainer="Red Hat ISC " \ + License="GPLv2+" \ + name="openshift-compliance-content" \ + com.redhat.component="openshift-compliance-content-container" \ + io.openshift.maintainer.product="OpenShift Container Platform" \ + io.openshift.maintainer.component="Compliance Operator" + # Implement this using Konflux dynamic labels + # version=1.6.1-dev + +WORKDIR / +COPY --from=builder /go/src/github.com/ComplianceAsCode/content/build/ssg-*-ds.xml . From ee87ed960d424ee4d282bf4918d13d3390714d84 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 2 Jan 2025 17:37:48 +0000 Subject: [PATCH 21/26] Implement rule 5.3.3.1.1 Ensure password failed attempts lockout is configured --- controls/cis_ubuntu2404.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
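Review bot: Both `FROM registry.redhat.io/ubi9/ubi:latest AS builder` and `FROM registry.redhat.io/ubi9/ubi-micro:latest` use a floating tag, so two builds of the same commit can resolve to different base images and the shipped datastream image cannot be audited against a fixed base. Pin each stage to a digest, e.g. `FROM registry.redhat.io/ubi9/ubi:latest@sha256:<builder-base-digest> AS builder`, and rely on the Konflux dependency-update tooling to bump the digest (I believe it handles digest-pinned images, but confirm for this tenant). Separately, `COPY . .` pulls the entire build context, `.git` included, into the builder stage; nothing from it reaches the `ubi-micro` stage, but a `.containerignore` would keep the context and the build cache lean.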
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 74b56aa1cae..a2edbacd43c 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -1889,15 +1889,10 @@ controls: levels: - l1_server - l1_workstation - related_rules: + rules: - var_accounts_passwords_pam_faillock_deny=4 - - var_accounts_passwords_pam_faillock_fail_interval=900 - - var_accounts_passwords_pam_faillock_unlock_time=600 - accounts_passwords_pam_faillock_deny - - accounts_passwords_pam_faillock_interval - - accounts_passwords_pam_faillock_unlock_time - status: planned - notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.2. + status: automated - id: 5.3.3.1.2 title: Ensure password unlock time is configured (Automated) From a5e1e1052ab349acb4573306d6c35735f1e71497 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Mon, 6 Jan 2025 13:38:36 +0000 Subject: [PATCH 22/26] Fix the _rule_id and var access in template.py --- shared/templates/pam_account_password_faillock/template.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/templates/pam_account_password_faillock/template.py b/shared/templates/pam_account_password_faillock/template.py index 654209336c1..5e56392fd69 100644 --- a/shared/templates/pam_account_password_faillock/template.py +++ b/shared/templates/pam_account_password_faillock/template.py @@ -1,7 +1,7 @@ def preprocess(data, lang): if data.get("ext_variable") is None: errmsg = ("The template instance of the rule {0} requires the " - "ext_variable to be defined".format(_rule_id)) + "ext_variable to be defined".format(data["_rule_id"])) raise ValueError(errmsg) for var in ["variable_upper_bound", "variable_lower_bound"]: 
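Review bot: Dropping the `notes:` line leaves no record of why `var_accounts_passwords_pam_faillock_deny=4` was chosen; if the benchmark text for 5.3.3.1.1 allows a `deny` of 5 or fewer, 4 is stricter than required and deserves a line such as `notes: deny=4 is stricter than the benchmark maximum; adjust if the benchmark value is preferred` so a later reader does not mistake it for an error. The control's `id` and `title` keys sit above the hunk.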
@@ -11,6 +11,6 @@ def preprocess(data, lang): type(data.get(var)) != int: errmsg = ("The template instance of the rule {0} requires the " "parameter {1} is either 'use_ext_variable' or " - "a number or undefined".formate(_rule_id, var)) + "a number or undefined".formate(data["_rule_id"], date["var"])) raise ValueError(errmsg) return data From f92ed0d2ca9fd7bbb645eddafe9960e73ce6faf2 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Mon, 6 Jan 2025 15:43:19 +0000 Subject: [PATCH 23/26] Fix more --- shared/templates/pam_account_password_faillock/template.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/pam_account_password_faillock/template.py b/shared/templates/pam_account_password_faillock/template.py index 5e56392fd69..b2d97387c5c 100644 --- a/shared/templates/pam_account_password_faillock/template.py +++ b/shared/templates/pam_account_password_faillock/template.py @@ -11,6 +11,6 @@ def preprocess(data, lang): type(data.get(var)) != int: errmsg = ("The template instance of the rule {0} requires the " "parameter {1} is either 'use_ext_variable' or " - "a number or undefined".formate(data["_rule_id"], date["var"])) + "a number or undefined".format(data["_rule_id"], data["var"])) raise ValueError(errmsg) return data From 8c300959cb0731a4954bc547deef0c122cd6870d Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Wed, 18 Dec 2024 22:47:12 +0000 Subject: [PATCH 24/26] Red Hat Konflux update compliance-operator-content Signed-off-by: red-hat-konflux --- ...pliance-operator-content-pull-request.yaml | 580 ++++++++++++++++++ .tekton/compliance-operator-content-push.yaml | 577 +++++++++++++++++ 2 files changed, 1157 insertions(+) create mode 100644 .tekton/compliance-operator-content-pull-request.yaml create mode 100644 .tekton/compliance-operator-content-push.yaml diff --git a/.tekton/compliance-operator-content-pull-request.yaml b/.tekton/compliance-operator-content-pull-request.yaml new file mode 100644 index 00000000000..d24fec679c3 
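Review bot: `data["var"]` in the second format argument should be the loop variable `var`: `data` is the template parameter dict and has no `"var"` key, so an invalid `variable_upper_bound`/`variable_lower_bound` raises `KeyError: 'var'` while building `errmsg` and the intended `ValueError` with the rule id is never raised. The line should read `"a number or undefined".format(data["_rule_id"], var))`. This commit only repairs the `.formate`/`date` typos from the previous one, so the wrong key is the remaining defect; `preprocess` and the `for var in [...]` loop header start above the hunk.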
--- /dev/null +++ b/.tekton/compliance-operator-content-pull-request.yaml 
@@ -0,0 +1,580 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/ComplianceAsCode/content?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "master" + creationTimestamp: null + labels: + appstudio.openshift.io/application: compliance-operator + appstudio.openshift.io/component: compliance-operator-content + pipelines.appstudio.openshift.io/type: build + name: compliance-operator-content-on-pull-request + namespace: ocp-isc-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/ocp-isc-tenant/compliance-operator-content:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfiles/compliance-operator-content-konflux.Containerfile + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:60063fefe88e111d129cb59caff97c912722927c8a0f750253553d4c527a2396 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + 
params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:33cc4005cb06a865676d523fa92a0312466c688fc4c98993700e42f2034efc75 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: 
IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:37328a4b2fc686435531ba423c26c2051822a4e70b06088c4d8eaf0e8fa6d65b + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:a2a504ffd550e8029034fd737e237e194c13e1b593c8e37402218408e5d632df + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:c6c04c3b7ab71c039fe5958559f3d0bf30cb56239ee3be6a7806a71912660da4 + - name: kind + value: 
task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:0767c115d4ba4854d106c9cdfabdc1f1298bc2742a3fea4fefbac4b9c5873d6e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: 
IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08ef41d6a98608bd5f1de75d77f015f520911a278d1875e174b88b9d04db2441 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:ec536e55a039052823ba74e07db3175554fb046649671d1fefd776ca064d00ac + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: {} + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/compliance-operator-content-push.yaml b/.tekton/compliance-operator-content-push.yaml new file mode 100644 index 00000000000..72b837845cb --- /dev/null +++ b/.tekton/compliance-operator-content-push.yaml 
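Review bot: The `sast-unicode-check` task near the end of this hunk resolves `name: sast-shell-check-oci-ta` with the same `task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4…` bundle as the `sast-shell-check` task immediately above it, so the pipeline runs the shell check twice and never runs a unicode check; the same copy-paste appears in the `.tekton/compliance-operator-content-push.yaml` hunk that follows. The taskRef should point at the catalog's unicode-check task (presumably `sast-unicode-check-oci-ta`, to be confirmed against the Konflux catalog) with that task's own pinned bundle, e.g. `value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:<version>@sha256:<digest>`, where the digest is a placeholder that must be looked up because the correct value is not on this page. Keeping every bundle pinned by digest, as the rest of the file does, is the right supply-chain practice and should be preserved when this is corrected.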
@@ -0,0 +1,577 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/ComplianceAsCode/content?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "master" + creationTimestamp: null + labels: + appstudio.openshift.io/application: compliance-operator + appstudio.openshift.io/component: compliance-operator-content + pipelines.appstudio.openshift.io/type: build + name: compliance-operator-content-on-push + namespace: ocp-isc-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/ocp-isc-tenant/compliance-operator-content:{{revision}} + - name: dockerfile + value: Dockerfiles/compliance-operator-content-konflux.Containerfile + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 + - name: kind + value: task + resolver: bundles + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:60063fefe88e111d129cb59caff97c912722927c8a0f750253553d4c527a2396 + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + 
params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:33cc4005cb06a865676d523fa92a0312466c688fc4c98993700e42f2034efc75 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: 
IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:37328a4b2fc686435531ba423c26c2051822a4e70b06088c4d8eaf0e8fa6d65b + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + 
- name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:a2a504ffd550e8029034fd737e237e194c13e1b593c8e37402218408e5d632df + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:c6c04c3b7ab71c039fe5958559f3d0bf30cb56239ee3be6a7806a71912660da4 + - name: kind + value: 
task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:0767c115d4ba4854d106c9cdfabdc1f1298bc2742a3fea4fefbac4b9c5873d6e + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: 
IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08ef41d6a98608bd5f1de75d77f015f520911a278d1875e174b88b9d04db2441 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:ec536e55a039052823ba74e07db3175554fb046649671d1fefd776ca064d00ac + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: {} + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From b386260b75ed6047e9ee6e6f49dfddade944fee9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 7 Jan 2025 11:49:46 +0100 Subject: [PATCH 25/26] Rename oscap-bootc to oscap-im This change has been trigerred by: https://github.com/OpenSCAP/openscap/pull/2191 --- docs/manual/developer/06_contributing_with_content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md index e1f5e4f906e..f86b493d38e 100644 
--- a/docs/manual/developer/06_contributing_with_content.md
+++ b/docs/manual/developer/06_contributing_with_content.md
@@ -518,7 +518,7 @@ then contain the following subdirectories:
 - `kickstart` - For Kickstart remediation content, ending in `.cfg`
-- `bootc` - for remediation content used in the `oscap-bootc` tool internally, ending in `.bo`
+- `bootc` - for remediation content used in the `oscap-im` tool internally, ending in `.bo`
 In each of these subdirectories, a file named `shared.ext` will apply to all products and be included in all builds, but `{{{ product }}}.ext`
From b7679cdf0537702b39d13ec2ca7571dca33a0116 Mon Sep 17 00:00:00 2001
From: Matus Marhefka
Date: Wed, 8 Jan 2025 14:06:38 +0100
Subject: [PATCH 26/26] Update file_permissions_unauthorized_world_writable

Update file_permissions_unauthorized_world_writable for bootable containers. Filter out the `/sysroot` directory from results because it contains only the physical read-only root and not the real file system, see https://containers.github.io/bootc/filesystem-sysroot.html#sysroot-mount.
---
 .../bash/shared.sh | 8 ++++++--
 .../oval/shared.xml | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh
index e5da4aa037c..6dc50f480e7 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/bash/shared.sh
@@ -5,12 +5,16 @@ # disruption = low
 FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
-PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }')
+
+# Do not consider /sysroot partition because it contains only the physical
+# read-only root on bootable containers.
+PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | awk '{ print $1 }' | grep -v "/sysroot")
+
 for PARTITION in $PARTITIONS; do
 find "${PARTITION}" -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
 done
-# Ensure /tmp is also fixed whem tmpfs is used.
+# Ensure /tmp is also fixed when tmpfs is used.
 if grep "^tmpfs /tmp" /proc/mounts; then
 find /tmp -xdev -type f -perm -002 -exec chmod o-w {} \; 2>/dev/null
 fi
diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
index 837a3f35aae..6e678593bc4 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
@@ -17,6 +17,11 @@ operation="pattern match">^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$
+
+ ^/sysroot/.*$
+
+
 {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}}
 {{{ create_local_mount_points_list(var_local_mount_points) }}}
@@ -35,6 +40,7 @@ ^.*$
 state_file_permissions_unauthorized_world_write
 state_file_permissions_unauthorized_world_write_special_selinux_files
+ state_file_permissions_unauthorized_world_write_sysroot
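Review bot: The new `grep -v "/sysroot"` on the PARTITIONS line is an unanchored substring match, so it drops every mount target whose path contains `/sysroot` anywhere (a constructed example: `/mnt/sysroot`), not just the `/sysroot` mount and its submounts, while the OVAL hunk in this same commit excludes the anchored `^/sysroot/.*$`, so the remediation and the check would not agree on such a mount. Anchoring the bash side, `grep -vE '^/sysroot(/|$)'`, keeps the two in step and still excludes `/sysroot` itself. It is also worth confirming on a bootc host that the exclusion has any effect: `find "${PARTITION}" -xdev` stops at device boundaries rather than mount points, so if `/` and `/sysroot` are on the same block device the walk started from `/` may still descend into `/sysroot` regardless of the filtered mount list; if that is the case, the OVAL state is the only part of the change that actually narrows the scope. A short comment on the grep line, `# exact mount-point match, mirrors the ^/sysroot/ exclusion in the OVAL check`, would record the intended scope for the next maintainer.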