From 54b54f7fb7caee55e710b1e8d0b8efff9d6f4916 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 8 Feb 2024 16:01:47 +0100
Subject: [PATCH 1/2] Revert "Remove 'exec' from configure_bashrc_exec_tmux"

This reverts commit 0acdf79c2032f5014737cc64c9ac8528d3879270.
---
 .../configure_bashrc_exec_tmux/ansible/shared.yml | 6 +++---
 .../configure_bashrc_exec_tmux/bash/shared.sh | 4 ++--
 .../configure_bashrc_exec_tmux/oval/shared.xml | 4 ++--
 .../configure_bashrc_exec_tmux/rule.yml | 6 +++---
 .../configure_bashrc_exec_tmux/tests/correct_value.pass.sh | 2 +-
 .../tests/correct_value_d_directory.pass.sh | 2 +-
 .../tests/duplicate_value_multiple_files.pass.sh | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
index 5c6dd41e1d0..75395cf61a7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
@@ -8,14 +8,14 @@
 ansible.builtin.find:
 paths: '/etc'
 patterns: 'bashrc'
- contains: '.*case "$name" in sshd|login\) tmux ;; esac.*'
+ contains: '.*case "$name" in sshd|login\) exec tmux ;; esac.*'
 register: tmux_in_bashrc
 - name: "{{{ rule_title }}}: Determine If the Tmux Launch Script Is Present in /etc/profile.d/*.sh"
 ansible.builtin.find:
 paths: '/etc/profile.d'
 patterns: '*.sh'
- contains: .*case "$name" in sshd|login\) tmux ;; esac.*
+ contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
 register: tmux_in_profile_d
 - name: "{{{ rule_title }}}: Insert the Correct Script into /etc/profile.d/tmux.sh" 
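Review bot: The `contains:` patterns restored on both find tasks leave the `|` unescaped, and find applies `contains` as a regular expression, so `.*case "$name" in sshd|login\) exec tmux ;; esac.*` is an alternation of `.*case "$name" in sshd` and `login\) exec tmux ;; esac.*`; the OVAL check in this same series escapes it as `sshd\|login\)`. The revert only restores the earlier text, but the consequence is that a line containing no more than `case "$name" in sshd` already counts as present, the remediation is skipped, and the OVAL check still fails on that host. Escaping the pipe, `contains: '.*case "$name" in sshd\|login\) exec tmux ;; esac.*'`, aligns remediation and check; quoting the second task's pattern the way the first one is quoted would also stop relying on plain-scalar parsing for a value that carries `"` and `;;`.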
@@ -25,7 +25,7 @@
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 create: true
 when:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
index 3d056e4cf45..e139c3d494e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -4,12 +4,12 @@
 # complexity = low
 # disruption = low
-if ! grep -x ' case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then
+if ! grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
 cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
 chmod 0644 /etc/profile.d/tmux.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
index e3c4b6ef0e5..58f91eadf66 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
@@ -1,7 +1,7 @@ {{{ oval_metadata("Check if tmux is configured to exec at the end of bashrc.") }}} - + 
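Review bot: The guard restored on the `if ! grep -x ...` line of bash/shared.sh only inspects /etc/bashrc, but the remediation appends with `cat >>` to /etc/profile.d/tmux.sh, so a second run on a host that was already fixed through profile.d appends the snippet again; checking both locations, `if ! grep -qx ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc /etc/profile.d/* 2>/dev/null; then`, keeps the fix idempotent. Separately, `grep -x` with a single leading space demands that exact indentation, whereas the OVAL pattern in this series accepts `\s+` before `case`, so a line installed by hand with other indentation is judged compliant by the check yet re-appended by this fix. The `if` opened here closes outside the hunk.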
@@ -14,7 +14,7 @@
 ^/etc/bashrc$|^/etc/profile\.d/.*$
- if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) tmux ;; esac\nfi
+ if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi
 1
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index 590b40780b1..9157dee9595 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -39,7 +39,7 @@ ocil: |-
$ sudo grep tmux /etc/bashrc /etc/profile.d/*
 
-    /etc/profile.d/tmux.sh:  case "$name" in (sshd|login) tmux ;; esac
+ /etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
 Review the tmux script by using the following example:
@@ -48,7 +48,7 @@ ocil: |-
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in (sshd|login) tmux ;; esac
+ case "$name" in (sshd|login) exec tmux ;; esac
 fi
 If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.
@@ -63,7 +63,7 @@ fixtext: |-
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 Then, ensure a correct mode of /etc/profile.d/tmux.sh using this command:
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
index 77b7a61a5b9..fbc7590f27d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -5,7 +5,7 @@ cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
index c0ddc93e5ef..6107f86f248 100644 
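Review bot: The OCIL example restored in the `@@ -39` and `@@ -48` hunks of rule.yml writes the dispatch as `in (sshd|login) exec tmux`, while the fixtext in `@@ -63` and the OVAL regex in this series (`sshd\|login\)`) use the form without the opening parenthesis. Both spellings are valid shell, but as far as that regex shows, an administrator who copies the check-text example into /etc/profile.d ends up with a line the OVAL pattern does not match, so the rule reports a failure on a host configured exactly as documented. Aligning both OCIL occurrences to `case "$name" in sshd|login) exec tmux ;; esac`, or widening the OVAL pattern to `\(?sshd\|login\)`, makes the documented example and the automated check agree.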
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -6,7 +6,7 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
index 120541cd056..c662221eca1 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
@@ -5,7 +5,7 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
@@ -13,7 +13,7 @@ cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF

From ee739c55dbe26481f32f0915e5249f4d842d145e Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek
Date: Thu, 8 Feb 2024 16:47:45 +0100
Subject: [PATCH 2/2] RHEL 9 STIG: replace configure_bashrc_exec_tmux with configure_bashrc_tmux it corresponds to the policy
---
 controls/stig_rhel9.yml | 2 +-
 .../console_screen_locking/configure_bashrc_exec_tmux/rule.yml | 2 +-
 .../console_screen_locking/configure_bashrc_tmux/rule.yml | 2 ++
 shared/references/cce-redhat-avail.txt | 1 -
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
index 5449c82967a..d1a4ab494f6 100644
--- a/controls/stig_rhel9.yml
+++ b/controls/stig_rhel9.yml
@@ -2567,7 +2567,7 @@ controls:
 - medium
 title: RHEL 9 must ensure session control is automatically started at shell initialization.
 rules:
- - configure_bashrc_exec_tmux
+ - configure_bashrc_tmux
 status: automated
 - id: RHEL-09-412020
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index 9157dee9595..bbbbd5d8000 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -26,7 +26,7 @@ references:
 disa: CCI-000056,CCI-000058
 ospp: FMT_SMF_EXT.1,FMT_MOF_EXT.1,FTA_SSL.1
 srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
- stigid@rhel9: RHEL-09-412015 + platform: package[tmux]
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml
index 0afa3d15581..80bdc7a3c8e 100644 
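Review bot: In the `@@ -26` hunk of configure_bashrc_exec_tmux/rule.yml the removed `stigid@rhel9: RHEL-09-412015` line is paired with an added line that, as rendered here, carries no text after the `+`, which would leave an extra blank line inside the `references:` block ahead of `platform: package[tmux]` instead of simply deleting the entry. Whitespace is collapsed in this rendering so that reading is uncertain; if it holds, dropping the `+` line so the hunk becomes a pure one-line deletion keeps the block tidy. The same `+` line is the only addition the diffstat records for this file, which is consistent with that reading.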
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
 cce@rhel8: CCE-90782-4
+ cce@rhel9: CCE-86073-4
 references:
@@ -27,6 +28,7 @@ references:
 srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
 stigid@ol8: OL08-00-020041
 stigid@rhel8: RHEL-08-020041
+ stigid@rhel9: RHEL-09-412015
 platform: package[tmux]
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 80c5472525f..a2172147a19 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86073-4
 CCE-86074-2
 CCE-86076-7
 CCE-86078-3