Merge branch 'ComplianceAsCode:master' into sys-1-6-A1-A4

ComplianceAsCode · Jul 18, 2024 · ffa02ce · ffa02ce
2 parents d0469ec + 4817a00
commit ffa02ce
Show file tree

Hide file tree

Showing 50 changed files with 271 additions and 158 deletions.
diff --git a/.github/workflows/automatus-ubuntu2204.yaml b/.github/workflows/automatus-ubuntu2204.yaml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip libxml2-utils
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip libxml2-utils xsltproc
       - name: Install deps python
         run: pip3 install gitpython xmldiff compliance-trestle==2.4.0 lxml lxml-stubs requests
       - name: Checkout

diff --git a/.github/workflows/k8s-content-pr-test.yaml b/.github/workflows/k8s-content-pr-test.yaml
@@ -43,7 +43,7 @@ jobs:
         id: save-go-version
         run: |
           echo "go-version=$(cat compliance-operator/go-version)" > compliance-operator/go-version
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
         with:
           go-version: ${{ steps.save-go-version.outputs.go-version }}
       - name: Run ginkgo tests and check if each XCCDF file is parsed correctly

diff --git a/.github/workflows/k8s-content-pr.yaml b/.github/workflows/k8s-content-pr.yaml
@@ -84,7 +84,7 @@ jobs:
             org.opencontainers.image.vendor='Compliance Operator Authors'
       - name: Build container images and push
         id: docker_build
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6
+        uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6
         with:
           context: .
           file: ./Dockerfiles/ocp4_content

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -45,7 +45,7 @@ jobs:
         env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Release
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@fb2d03176f42a1f0dd433ca263f314051d3edd44 # v2.0.7
         with:
           draft: True
           name: Content ${{ steps.set_version.outputs.ver }}

diff --git a/.github/workflows/update-oscal.yml b/.github/workflows/update-oscal.yml
@@ -28,7 +28,7 @@ jobs:
             - name: Checkout
               uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
             - name: Install Python
-              uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
+              uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5
               with:
                   python-version: '3.9'
             - name: Install python deps

diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -977,7 +977,13 @@ controls:
     - enhanced
     description: >-
       All AppArmor security profiles on the system must be enabled by default.
-    status: not applicable
+    status: automated
+    rules:
+    - apparmor_configured
+    - all_apparmor_profiles_enforced
+    - grub2_enable_apparmor
+    - package_apparmor_installed
+    - package_pam_apparmor_installed
 
   - id: R46
     title: Activate SELinux with the Targeted Policy

diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -1516,7 +1516,7 @@ controls:
       Introduced in CIS RHEL9 v2.0.0
       The status was automated but we need to double check the approach used in this rule.
       Therefore I moved it to pending until deeper investigation.
-    rules:
+    related_rules:
       - sshd_use_approved_ciphers
       - sshd_approved_ciphers=cis_rhel8
 

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1518,7 +1518,7 @@ controls:
       Introduced in CIS RHEL9 v2.0.0
       The status was automated but we need to double check the approach used in this rule.
       Therefore I moved it to pending until deeper investigation.
-    rules:
+    related_rules:
       - sshd_use_approved_ciphers
       - sshd_approved_ciphers=cis_rhel9
 

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -914,6 +914,31 @@ The selected value can be changed in the profile (consult the actual variable fo
 
 -   Languages: Ansible, Bash, OVAL
 
+#### systemd_dropin_configuration
+- checks if a Systemd-style configuration exists either in the main file or in any file within specified dropin directory.
+    The remediation tries to modify already existing configuration.
+    If the correct section is found and the parameter exists, its value is changed to match the desired one.
+    If the section is found but the parameter does not exist, it is added to this section.
+    If none of inspected files contains the desired section a new file called complianceascode_hardening.conf within the dropin directory is created.
+- parameters:
+    - **master_cfg_file** - the main configuration file to check, e.g. /etc/systemd/journald.conf
+
+    - **dropin_dir** - the respective dropin directory, e.g. the /etc/systemd/journald.conf.d directory when keeping to the example mentioned above
+
+    - **section** - the section of the Systemd file
+
+    - **param** - the parameter to be configured
+
+    - **value** - the value of the parameter
+
+    - **no_quotes** - if set to "true", the value will not be enclosed in quotes
+
+    - **missing_parameter_pass** - effective only in OVAL checks, if
+        set to `"false"` and the parameter is not present in the
+        configuration file, the OVAL check will return false (default value: `"false"`).
+
+-   Languages: Ansible, Bash, OVAL
+
 #### systemd_mount_enabled
 -   Checks if a `systemd` mount unit is enabled
 

diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -62,7 +62,7 @@
 - name: '{{{ rule_title }}} - Remediate by directly editing PAM files'
   block:
     {{{ ansible_ensure_pam_module_option('/etc/pam.d/smartcard-auth', 'auth', 'sufficient', 'pam_sss.so', 'allow_missing_name', '', '') | indent(4) }}}
-    {{{ ansible_ensure_pam_module_option('/etc/pam.d/system-auth', 'auth', '\[success=done authinfo_unavail=ignore ignore=ignore default=die\]', 'pam_sss.so', 'try_cert_auth', '', '') | indent(4) }}}
+    {{{ ansible_ensure_pam_module_option('/etc/pam.d/system-auth', 'auth', '[success=done authinfo_unavail=ignore ignore=ignore default=die]', 'pam_sss.so', 'try_cert_auth', '', '') | indent(4) }}}
   when:
     - not result_authselect_present.stat.exists
 {{% endif %}}
diff --git a/...ts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml b/...ts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml
@@ -13,47 +13,54 @@
     <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password>
   </unix:shadow_state>
 
-  <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1">
+  <unix:shadow_object id="object_accounts_password_last_change_is_in_past" version="1">
     <unix:username operation="pattern match">.*</unix:username>
     <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter>
   </unix:shadow_object>
 
-  <local_variable id="var_accounts_password_last_change_time_secs" version="1"
+  <local_variable id="var_accounts_password_last_change_is_in_past_time_in_secs" version="1"
     datatype="int" comment="last change field of shadow entry in seconds">
     <arithmetic arithmetic_operation="multiply">
-      <object_component object_ref="object_accounts_password_all_chage_in_past"
+      <object_component object_ref="object_accounts_password_last_change_is_in_past"
         item_field="chg_lst"/>
       <literal_component datatype="int">86400</literal_component>
     </arithmetic>
   </local_variable>
 
-  <local_variable id="var_accounts_password_last_change_time_diff" datatype="int" version="1"
+  <local_variable id="var_accounts_password_last_change_is_in_past_time_diff" version="1"
+    datatype="int"
     comment="time difference between the last change field of shadow entry and the current time">
     <time_difference format_2="seconds_since_epoch">
-      <variable_component var_ref="var_accounts_password_last_change_time_secs"/>
+      <variable_component var_ref="var_accounts_password_last_change_is_in_past_time_in_secs"/>
+    </time_difference>
+  </local_variable>
+
+  <local_variable id="var_accounts_password_last_change_is_in_past_current_epoch" version="1"
+    datatype="int" comment="the current time in seconds since epoch">
+    <time_difference format_2="seconds_since_epoch">
+      <literal_component datatype="int">0</literal_component>
     </time_difference>
   </local_variable>
 
   <ind:variable_test id="test_accounts_password_last_change_is_in_past" version="1"
     check="all" check_existence="all_exist"
     comment="Check if the password last chage time is less than or equal today.">
-    <ind:object object_ref="object_accounts_password_last_change_time_diff"/>
-    <ind:state state_ref="state_accounts_password_last_change_time_diff"/>
+    <ind:object object_ref="object_accounts_password_last_change_is_in_past_time_diff"/>
+    <ind:state state_ref="state_accounts_password_last_change_is_in_past_time_diff"/>
   </ind:variable_test>
 
-  <ind:variable_object id="object_accounts_password_last_change_time_diff" version="1">
-    <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref>
+  <ind:variable_object id="object_accounts_password_last_change_is_in_past_time_diff" version="1">
+    <ind:var_ref>var_accounts_password_last_change_is_in_past_time_diff</ind:var_ref>
   </ind:variable_object>
 
-  <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1">
-    <!-- With negative time I actually get very big number so instead
-         of checking greater than zero I am checking if less than 1000 years -->
-    <ind:value datatype="int" operation="less than or equal">86400000</ind:value>
+  <ind:variable_state id="state_accounts_password_last_change_is_in_past_time_diff" version="2">
+      <ind:value datatype="int" operation="less than or equal" var_check="all"
+        var_ref="var_accounts_password_last_change_is_in_past_current_epoch"/>
   </ind:variable_state>
 
   <unix:shadow_test id="test_accounts_password_last_change_is_in_past_no_pass" version="1"
     check="all" check_existence="none_exist"
     comment="Check the inexistence of users with a password defined">
-    <unix:object object_ref="object_accounts_password_all_chage_in_past"/>
+    <unix:object object_ref="object_accounts_password_last_change_is_in_past"/>
   </unix:shadow_test>
 </def-group>
diff --git a/..._storage/accounts_password_last_change_is_in_past/tests/last_change_long_time_ago.pass.sh b/..._storage/accounts_password_last_change_is_in_past/tests/last_change_long_time_ago.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# create valid testuser entry in /etc/shadow
+echo 'testuservalid:$6$exIFis0tobKRcGBk$b.UR.Z8h96FdxJ1bgA/vhdnp0Lsm488swdILNguQX/5qH5hdmClyYb5xk3TpELXWzr4JOiTlHfRkPsXSjMPjv0:10000:1:60:7:35::' >> /etc/shadow
+
+TODAY="$(($(date +%s)/86400))"
+MANY_YEARS_AGO="$(( TODAY - 10000 ))"
+
+# Ensure the sp_lstchg field holds a value which represents a date in the past
+awk -v newdate="$MANY_YEARS_AGO" 'BEGIN { FS=":"; OFS = ":"}
+    {$3=newdate; print}' /etc/shadow > /etc/shadow_new
+
+mv /etc/shadow_new /etc/shadow
diff --git a/linux_os/guide/system/logging/journald/journald_compress/rule.yml b/linux_os/guide/system/logging/journald/journald_compress/rule.yml
@@ -47,9 +47,9 @@ ocil: |-
 template:
     name: systemd_dropin_configuration
     vars:
-        component: journald
         master_cfg_file: /etc/systemd/journald.conf
         dropin_dir: {{{ journald_conf_dir_path }}}
+        section: Journal
         param: Compress
         value: yes
         no_quotes: 'true'

diff --git a/..._os/guide/system/logging/journald/journald_compress/tests/correct_value_in_quotes.fail.sh b/..._os/guide/system/logging/journald/journald_compress/tests/correct_value_in_quotes.fail.sh
@@ -2,4 +2,4 @@
 
 # This scenario is a regression test for https://bugzilla.redhat.com/show_bug.cgi?id=2193169
 
-echo "Compress='yes'" > "/etc/systemd/journald.conf"
+echo -e "[Journal]\nCompress='yes'" > "/etc/systemd/journald.conf"
diff --git a/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml b/linux_os/guide/system/logging/journald/journald_forward_to_syslog/rule.yml
@@ -46,9 +46,9 @@ ocil: |-
 template:
     name: systemd_dropin_configuration
     vars:
-        component: journald
         master_cfg_file: /etc/systemd/journald.conf
         dropin_dir: {{{ journald_conf_dir_path }}}
+        section: Journal
         param: ForwardToSyslog
         value: yes
         no_quotes: 'true'

diff --git a/linux_os/guide/system/logging/journald/journald_storage/rule.yml b/linux_os/guide/system/logging/journald/journald_storage/rule.yml
@@ -46,9 +46,9 @@ ocil: |-
 template:
     name: systemd_dropin_configuration
     vars:
-        component: journald
         master_cfg_file: /etc/systemd/journald.conf
         dropin_dir: {{{ journald_conf_dir_path }}}
+        section: Journal
         param: Storage
         value: persistent
         no_quotes: 'true'

diff --git a/...x_os/guide/system/logging/journald/journald_storage/tests/correct_value_in_quotes.fail.sh b/...x_os/guide/system/logging/journald/journald_storage/tests/correct_value_in_quotes.fail.sh
@@ -2,4 +2,4 @@
 
 # This scenario is a regression test for https://bugzilla.redhat.com/show_bug.cgi?id=2169857
 
-echo "Storage='persistent'" > "/etc/systemd/journald.conf"
+echo -e "[Journal]\nStorage='persistent'" > "/etc/systemd/journald.conf"
diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -25,11 +25,12 @@ selections:
   - '!selinux_state'
   - '!audit_rules_mac_modification'
   - '!selinux_policytype'
-  - 'apparmor_configured'
-  - 'all_apparmor_profiles_enforced' 
-  - 'grub2_enable_apparmor'
-  - 'package_apparmor_installed'
-  - 'package_pam_apparmor_installed'
+  - '!sebool_selinuxuser_execheap'
+  - '!sebool_deny_execmem'
+  - '!sebool_selinuxuser_execstack'
+  - '!sebool_secure_mode_insmod'
+  - '!sebool_ssh_sysadm_login'
+
   # The following are MLS related rules (not part of ANSSI-BP-028)
   - '!accounts_polyinstantiated_tmp'
   - '!accounts_polyinstantiated_var_tmp'

diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
@@ -25,11 +25,12 @@ selections:
   - '!selinux_state'
   - '!audit_rules_mac_modification'
   - '!selinux_policytype'
-  - apparmor_configured
-  - all_apparmor_profiles_enforced 
-  - grub2_enable_apparmor
-  - package_apparmor_installed
-  - package_pam_apparmor_installed
+  - '!sebool_selinuxuser_execheap'
+  - '!sebool_deny_execmem'
+  - '!sebool_selinuxuser_execstack'
+  - '!sebool_secure_mode_insmod'
+  - '!sebool_ssh_sysadm_login'
+
   # The following are MLS related rules (not part of ANSSI-BP-028)
   - '!accounts_polyinstantiated_tmp'
   - '!accounts_polyinstantiated_var_tmp'

diff --git a/products/rhel10/profiles/anssi_bp28_enhanced.profile b/products/rhel10/profiles/anssi_bp28_enhanced.profile
@@ -53,3 +53,9 @@ selections:
     - '!file_groupowner_efi_user_cfg'
     - '!file_owner_efi_user_cfg'
     - '!file_permissions_efi_user_cfg'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/rhel10/profiles/anssi_bp28_high.profile b/products/rhel10/profiles/anssi_bp28_high.profile
@@ -49,3 +49,9 @@ selections:
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
     - '!security_patches_up_to_date'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -24,6 +24,12 @@ selections:
     - var_password_hashing_algorithm=SHA512
     - var_password_pam_unix_rounds=65536
     - '!timer_logrotate_enabled'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
     # Following rules once had a prodtype incompatible with the rhel8 product
     - '!cracklib_accounts_password_pam_minlen'
     - '!sysctl_fs_protected_fifos'

diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -26,6 +26,12 @@ selections:
     # the following rule renders UEFI systems unbootable
     - '!sebool_secure_mode_insmod'
     - '!timer_logrotate_enabled'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
     # Following rules once had a prodtype incompatible with the rhel8 product
     - '!kernel_config_gcc_plugin_structleak_byref_all'
     - '!accounts_passwords_pam_tally2_deny_root'

diff --git a/products/rhel9/profiles/anssi_bp28_enhanced.profile b/products/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -54,3 +54,9 @@ selections:
     - '!file_groupowner_efi_user_cfg'
     - '!file_owner_efi_user_cfg'
     - '!file_permissions_efi_user_cfg'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -50,3 +50,9 @@ selections:
     - '!cracklib_accounts_password_pam_minlen'
     - '!cracklib_accounts_password_pam_dcredit'
     - '!ensure_oracle_gpgkey_installed'
+    # disable R45: Enable AppArmor security profiles
+    - '!apparmor_configured'
+    - '!all_apparmor_profiles_enforced'
+    - '!grub2_enable_apparmor'
+    - '!package_apparmor_installed'
+    - '!package_pam_apparmor_installed'
diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
@@ -556,3 +556,4 @@ selections:
     - journald_forward_to_syslog
     - rsyslog_filecreatemode
     - set_nftables_table
+    - sshd_use_approved_ciphers
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
@@ -2097,7 +2097,7 @@ Example macro invocation(s)::
 :type value: str
 
 #}}
-{{% macro bash_ensure_ini_config(files, section, key, value) -%}}
+{{% macro bash_ensure_ini_config(files, section, key, value, no_quotes=true) -%}}
 found=false
 
 # set value in all files if they contain section or key
@@ -2108,12 +2108,20 @@ for f in $(echo -n "{{{ files }}}"); do
 
     # find key in section and change value
     if grep -qzosP "[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then
-            sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}} = {{{ value }}}/" "$f"
+{{% if no_quotes %}}
+            sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}}={{{ value }}}/" "$f"
+{{% else %}}
+            sed -i 's/{{{ key }}}[^(\n)]*/{{{ key }}}="{{{ value }}}"/' "$f"
+{{% endif %}}
             found=true
 
     # find section and add key = value to it
     elif grep -qs "[[:space:]]*\[{{{ section }}}\]" "$f"; then
-            sed -i "/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}} = {{{ value }}}" "$f"
+{{% if no_quotes %}}
+            sed -i "/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value }}}" "$f"
+{{% else %}}
+            sed -i '/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value }}}"' "$f"
+{{% endif %}}
             found=true
     fi
 done
@@ -2122,7 +2130,11 @@ done
 if ! $found ; then
     file=$(echo "{{{ files }}}" | cut -f1 -d ' ')
     mkdir -p "$(dirname "$file")"
-    echo -e "[{{{ section }}}]\n{{{ key }}} = {{{ value }}}" >> "$file"
+{{% if no_quotes %}}
+    echo -e "[{{{ section }}}]\n{{{ key }}}={{{ value }}}" >> "$file"
+{{% else %}}
+    echo -e '[{{{ section }}}]\n{{{ key }}}="{{{ value }}}"' >> "$file"
+{{% endif %}}
 fi
 {{%- endmacro %}}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		# This scenario is a regression test for https://bugzilla.redhat.com/show_bug.cgi?id=2193169

		echo "Compress='yes'" > "/etc/systemd/journald.conf"
		echo -e "[Journal]\nCompress='yes'" > "/etc/systemd/journald.conf"