From ffb3670224dd625f60b3bc08e758f54625394129 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 18 Oct 2023 21:21:41 +0200
Subject: [PATCH 1/4] Create bash remediation for fapolicy_default_deny

The remediation ensures the fapolicyd is not working in permissive mode and also explicitly creates a final rule denying everything as required by some policies.
---
 .../fapolicy_default_deny/bash/shared.sh | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/bash/shared.sh

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/bash/shared.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/bash/shared.sh
new file mode 100644
index 00000000000..af00aa0ee72
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/bash/shared.sh
@@ -0,0 +1,24 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF
+# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+deny perm=any all : all
+EOF
+
+chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules
+chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules
+
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+ parameter="permissive",
+ value="0",
+ create=true,
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*") }}}
+
+systemctl restart fapolicyd

From c8ee879d97469e9623a190c3ed54eef0d9f35020 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 18 Oct 2023 21:25:00 +0200
Subject: [PATCH 2/4] Create Ansible remediation for fapolicy_default_deny

The Ansible remediation is aligned to the Bash remediation.
---
 .../fapolicy_default_deny/ansible/shared.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/ansible/shared.yml
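Review bot: The new rule is written only to `/etc/fapolicyd/rules.d/99-deny-everything.rules`, but on fapolicyd builds that read `/etc/fapolicyd/compiled.rules` (the file this rule's own test scenarios treat as the active rule set when it exists) nothing here regenerates that file, so unless the daemon recompiles rules.d by itself at start-up the `systemctl restart fapolicyd` keeps enforcing the old rule set and the check still fails. I would recompile before the restart when the tool is available: `command -v fagenrules >/dev/null && fagenrules --load`. Two smaller points: `<< EOF` should be `<< 'EOF'` so the rule text is never subject to shell expansion, and `# disruption = low` looks understated for a change that switches the daemon to enforcing mode and appends `deny perm=any all : all`, which blocks every access not matched by an earlier allow rule.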
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/ansible/shared.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/ansible/shared.yml
new file mode 100644
index 00000000000..16aa203f3ea
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/ansible/shared.yml
@@ -0,0 +1,31 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: {{{ rule_title }}} - Ensure a Final Rule Denying Everything
+ ansible.builtin.copy:
+ content: |
+ # Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+ deny perm=any all : all
+ dest: /etc/fapolicyd/rules.d/99-deny-everything.rules
+ owner: root
+ group: fapolicyd
+ mode: '0644'
+ register: result_fapolicyd_final_rule
+
+- name: {{{ rule_title }}} - Ensure fapolicyd is Not Permissive
+ ansible.builtin.lineinfile:
+ path: /etc/fapolicyd/fapolicyd.conf
+ regexp: '^(permissive\s*=).*$'
+ line: '\1 0'
+ backrefs: true
+ register: result_fapolicyd_enforced
+
+- name: "{{{ rule_title }}} - Restart fapolicyd If Permissive Mode or Final Rule is Changed"
+ ansible.builtin.service:
+ name: fapolicyd
+ state: restarted
+ when:
+ - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed

From bc534de7a71f3d0b10b2717fca1f0ea6b9cffe4d Mon Sep 17 00:00:00 2001
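Review bot: The `Ensure fapolicyd is Not Permissive` task is not equivalent to the Bash remediation it claims to mirror: with `backrefs: true`, `lineinfile` only rewrites an existing line matching `^(permissive\s*=).*$`, so a missing key, a differently cased key or one with leading whitespace is silently left alone, whereas the Bash macro is case-insensitive, tolerates a `^\s*` prefix and creates the file. I would drop `backrefs` and use `regexp: '(?i)^\s*permissive\s*='`, `line: 'permissive = 0'`, `create: true`, which appends the setting when no line matches. Separately, the copy task only places a file under `/etc/fapolicyd/rules.d/`; on builds that read `/etc/fapolicyd/compiled.rules` the new rule is not active after the restart unless the daemon recompiles rules.d itself, which I cannot confirm from here, so a `fagenrules --load` step before the restart may be needed.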
From: Marcus Burghardt
Date: Wed, 18 Oct 2023 21:25:52 +0200
Subject: [PATCH 3/4] Fix test scenarios for fapolicy_default_deny

The test scenarios were using a macro which was enough to test the OVAL but was breaking the fapolicyd service due to syntax error. The same macro was used twice while the first call was unnecessary. This commit removes the unnecessary call and replace the macro by another that does not break the fapolicyd syntax.
---
 .../tests/allow_policy.fail.sh | 13 ++++++++-----
 .../fapolicy_default_deny/tests/deny_policy.pass.sh | 13 ++++++++-----
 .../tests/deny_policy_but_permissive.fail.sh | 13 +++++++++----
 .../tests/deny_policy_commented.fail.sh | 13 ++++++++-----
 .../tests/deny_policy_not_ensured.fail.sh | 13 ++++++++-----
 5 files changed, 41 insertions(+), 24 deletions(-)

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
index 23d7e699056..034e63db6a3 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 if [ -f /etc/fapolicyd/compiled.rules ]; then
 active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "allow perm=any all : all" >> $active_rules_file
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+ parameter="permissive",
+ value="0",
+ create=true,
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*") }}}
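Review bot: With `# remediation = none` removed, the harness will now apply the rule's remediation to this failing scenario and expect the second check to pass, yet the scenario plants `allow perm=any all : all` directly in `/etc/fapolicyd/compiled.rules` whenever that file exists. The remediation only adds a file under `/etc/fapolicyd/rules.d/`, so the follow-up check passes only if compiled.rules is regenerated from rules.d before it is re-read; whether the daemon does that on restart is not visible here. If it does not, either seed the bad rule through rules.d and `fagenrules --load` so the remediation's recompile is meaningful, or have the remediation recompile the rules itself; the same applies to the other `.fail.sh` scenarios in this patch.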
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
index f3ff83ca602..1c76e65c1bc 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 if [ -f /etc/fapolicyd/compiled.rules ]; then
 active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "deny perm=any all : all" >> $active_rules_file
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+ parameter="permissive",
+ value="0",
+ create=true,
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
index caa401ca174..e46cd048a86 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 if [ -f /etc/fapolicyd/compiled.rules ]; then
 active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,6 +8,14 @@ else
 fi
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "deny perm=any all : all" >> $active_rules_file
+
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+ parameter="permissive",
+ value="1",
+ create=true,
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
index 4e4bc430cec..9777437bb91 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 if [ -f /etc/fapolicyd/compiled.rules ]; then
 active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "# deny perm=any all : all" >> $active_rules_file
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+ parameter="permissive",
+ value="0",
+ create=true,
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
index b52e5446afc..8f085824996 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 if [ -f /etc/fapolicyd/compiled.rules ]; then
 active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 truncate -s 0 $active_rules_file
-
 echo "deny perm=any all : all" >> $active_rules_file
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+ parameter="permissive",
+ value="0",
+ create=true,
+ insensitive=true,
+ separator=" = ",
+ separator_regex="\s*=\s*",
+ prefix_regex="^\s*") }}}

From 1034cda048315fbf93ab38ff65e86504b034f461 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 18 Oct 2023 22:18:57 +0200
Subject: [PATCH 4/4] Remove warning about missing remediation

---
 .../guide/services/fapolicyd/fapolicy_default_deny/rule.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index c2de306f60e..52c640e858b 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -74,7 +74,3 @@ fixtext: |-
 permissive = 0
 srg_requirement: 'The {{{ full_name }}} fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.'
-
-warnings:
- - general:
- This rule doesn't come with a remediation. Before remediating the system administrator needs to create an allowlist of authorized software.