diff --git a/applications/openshift/integrity/crypto/machine_volume_encrypted/rule.yml b/applications/openshift/integrity/crypto/machine_volume_encrypted/rule.yml index d6bc04ce973..1d5909e08ef 100644 --- a/applications/openshift/integrity/crypto/machine_volume_encrypted/rule.yml +++ b/applications/openshift/integrity/crypto/machine_volume_encrypted/rule.yml @@ -42,7 +42,7 @@ ocil: |- with
$ oc get machineset --all-namespaces -o yaml
Run the following command to retrieve if the Azure disk encryption is enabled: -
$ oc get machineset --all-namespaces -o json | jq '{{{ azurejqfilter }}}}'
+
$ oc get machineset --all-namespaces -o json | jq '{{{ azurejqfilter }}}'
Make sure that the result is an array of machineset names where disk encryption is enabled. This can be inspected by going through them diff --git a/docs/manual/developer/04_style_guide.md b/docs/manual/developer/04_style_guide.md index 409eb8a4b6d..5f8a968ce74 100644 --- a/docs/manual/developer/04_style_guide.md +++ b/docs/manual/developer/04_style_guide.md @@ -159,8 +159,11 @@ and keep these guidelines in mind when writing new code. * Shall use 4-space indentation * Shall have a docstring comment describe what the macro does * Shall have a docstring comment describing all parameters and their types - * Types shall be Python class names. (E.g. `str`, `bool`, `dict`, etc) + * Types shall be Python built-in types with | operator. (E.g. `str`, + `bool`, `dict`, `None | int`, `list[str]`, etc), with exceptions: + * `char`: `str` with length exactly 1 * Shall be the last section of the docstring + * Shall start at the beginning of the line * Shall have one blank after a list before the close of the docstring block * Shall have two blank lines between macros diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml index b44ce874672..24db0f19859 100644 --- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml +++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/rule.yml @@ -7,7 +7,7 @@ description: |- By default, firewalld blocks access to the ports used by the web server. - {{{ describe_firewalld_allow(proto="tcp", service="ftp") }}} + {{{ describe_firewalld_allow_service(service="ftp") }}} {{% else %}} By default, iptables blocks access to the ports used by the web server. diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml index 2d0a5c51461..989d9daa25b 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml @@ -8,8 +8,8 @@ description: |- {{% if product == "rhel7" %}} By default, firewalld blocks access to the ports used by the web server. - {{{ describe_firewalld_allow(proto="tcp", service="http") }}} - {{{ describe_firewalld_allow(proto="tcp", service="https") }}} + {{{ describe_firewalld_allow_service(service="http") }}} + {{{ describe_firewalld_allow_service(service="https") }}} {{% else %}} By default, iptables blocks access to the ports used by the web server. @@ -33,5 +33,5 @@ ocil: |- Review the web site to determine if HTTP and HTTPs are used in accordance with well known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM. - {{{ describe_firewalld_allow(proto="tcp", service="http") }}} - {{{ describe_firewalld_allow(proto="tcp", service="https") }}} + {{{ describe_firewalld_allow_service(service="http") }}} + {{{ describe_firewalld_allow_service(service="https") }}} diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml b/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml index 6ff3cd69e6c..b3a99424e61 100644 --- a/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml +++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/group.yml @@ -8,7 +8,7 @@ description: |- access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping all other ports on the server in their default protected state. - {{{ describe_firewalld_allow(port="143", proto="tcp") }}} + {{{ describe_firewalld_allow_port(port="143", proto="tcp") }}} {{% else %}} The default iptables configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, diff --git a/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml index d49b5e58c4f..48733677db0 100644 --- a/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml +++ b/linux_os/guide/services/ssh/firewalld_sshd_disabled/rule.yml @@ -9,7 +9,7 @@ description: |- the SSH server is not being used, this exception should be removed from the firewall configuration.

- {{{ describe_firewalld_prevent(proto="tcp", service="ssh") }}} + {{{ describe_firewalld_prevent_service(service="ssh") }}} rationale: |- If inbound SSH connections are not expected, disallowing access to the SSH port will diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml index fb69561525d..473d2aa104b 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/rule.yml @@ -9,7 +9,7 @@ description: |- remote access through SSH. In more restrictive firewalld settings, the SSH port should be added to the proper firewalld zone in order to allow SSH remote access.

- {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} + {{{ describe_firewalld_allow_service(service="ssh") }}} rationale: |- If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone @@ -38,7 +38,7 @@ ocil: | fixtext: |- Enable SSH service in firewalld configuration. - {{{ describe_firewalld_allow(proto="tcp", service="ssh") }}} + {{{ describe_firewalld_allow_service(service="ssh") }}} warnings: - general: |- diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml index 6124f744808..b13eb0d6e24 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml @@ -114,7 +114,7 @@ - parameter (String): The parameter to be checked in the configuration file. Not used in the actual state definition, but only to connect the state to the test. - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). Not used in the actual state definition, but only to connect the state to the test. #}} -{{%- macro oval_line_in_file_state(value='', multi_value='', parameter='', missing_parameter_pass=false) -%}} +{{%- macro oval_line_in_file_state(value='', multi_value=false, parameter='', missing_parameter_pass=false) -%}} {{%- if multi_value %}} {{%- set regex = "^.*\\b"+value+"\\b.*$" -%}} {{%- else %}} diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index f45a8857e95..453fd4ea9a8 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -4,7 +4,7 @@ Operator to automatically figure out what resources to fetch. :param endpoint: The Kubernetes object path(s) to fetch -:type endpoint: str/list +:type endpoint: str | list[str] :param suppress: Whether to suppress the warning :type suppress: bool @@ -14,6 +14,7 @@ This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the {{% if endpoint is string %}}{{{ endpoint }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}} file. {{% if suppress %}} {{{suppressed_warning()}}} {{% endif %}}{{% else %}}{{% for item in endpoint %}}{{{ item }}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}/{{{ item.lstrip("/") }}} file {{% if suppress %}} {{{suppressed_warning()}}} {{% endif %}}{{% endfor %}}.{{% endif %}} {{%- endmacro %}} + {{% macro openshift_cluster_setting_kubeletconfig() -%}} This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes. Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" {{{suppressed_warning()}}} API endpoint to the local {{{ xccdf_value("ocp_data_root") }}}"/kubeletconfig/role/role" file. @@ -28,9 +29,9 @@ Therefore, you need to use a tool that can query the OCP API, retrieve KubeletCo by the jq command ( https://stedolan.github.io/jq/manual/ ). :param path_filter_pairs: Kubernetes object path/filter directive pairs -:type path_filter_pairs: dict +:type path_filter_pairs: dict[str, str] :param varargs: A list of path_filter_pairs (in case repeated paths need to be used) -:type path_filter_pairs: list +:type varargs: list[dict[str, str]] #}} {{% macro openshift_filtered_cluster_setting(path_filter_pairs) -%}} @@ -171,7 +172,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo #}} {{% macro hide_rule() -%}} -This rule will be a hidden rule +This rule will be a hidden rule true {{%- endmacro %}} @@ -295,49 +296,45 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo {{# - Describe preventing access a port or service in firewalld. If the :code:`service` parameter is defined - it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect. +Describe preventing access to service in firewalld. -:param port: The port to allow -:type port: int -:param proto: The protocol to allow -:type proto: str :param service: The service to allow :type service: str #}} -{{%- macro describe_firewalld_prevent(port, proto, service) %}} +{{%- macro describe_firewalld_prevent_service(service) %}} To configure firewalld to prevent access, run the following command(s): - {{% if port %}} - firewall-cmd --permanent --remove-port={{{ port }}}/{{{ proto }}} - {{% endif %}} - {{% if service %}} firewall-cmd --permanent --remove-service={{{ service }}} - {{% endif %}} {{%- endmacro %}} {{# - Describe allowing access a port or service in firewalld. If the :code:`service` parameter is defined - it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect. +Describe allowing access to a port in firewalld. :param port: The port to allow :type port: int :param proto: The protocol to allow :type proto: str -:param service: The service to allow -:type service: str #}} -{{%- macro describe_firewalld_allow(port, proto, service) %}} - {{% if port %}} +{{%- macro describe_firewalld_allow_port(port, proto) %}} To configure firewalld to allow {{{ port }}}/{{{ proto }}} access, run the following command(s):
firewall-cmd --permanent --add-port={{{ port }}}/{{{ proto }}}
- {{% endif %}} - {{% if service %}} + Then run the following command to load the newly created rule(s): +
firewall-cmd --reload
+{{%- endmacro %}} + + +{{# +Describe allowing access to a service in firewalld. + +:param service: The service to allow +:type service: str + +#}} +{{%- macro describe_firewalld_allow_service(service) %}} To configure firewalld to allow {{{ service }}} access, run the following command(s):
firewall-cmd --permanent --add-service={{{ service }}}
- {{% endif %}} Then run the following command to load the newly created rule(s):
firewall-cmd --reload
{{%- endmacro %}} @@ -979,25 +976,6 @@ substituting the correct package management software. {{%- endmacro %}} -{{# - A warning about rule depending on another. - -:param rule_id: Rule id of the rule that must be selected. -:type rule_id: str -:param why: The reasoning for the dependency. Should fit into this part of the sentence "make sure that rule with ID is selected as well:". -:type why: str - -#}} -{{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}} - When selecting this rule in a profile, - {{%- if why %}} - make sure that rule with ID {{{ rule_id }}} is selected as well: {{{ why }}} - {{%- else %}} - rule {{{ rule_id }}} has to be selected as well. - {{%- endif %}} -{{% endmacro %}} - - {{# An openssl config file with strong entropy. @@ -1112,41 +1090,6 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} {{%- endmacro %}} -{{# - Adds a default "no easy remediation" warning for kernel_build_config warning. - -#}} -{{% macro kernel_build_config_warning() %}} -- general: |- - There is no remediation for this besides re-compiling the kernel with the appropriate value for the config. -{{% endmacro %}} - - -{{# - OCIL for a kernel build config rule. - - Example usage:: - - ocil_kernel_build_config(config="config_kernel_strict_rwx", value="y") - -:param config: The kernel config parameter -:type config: str -:param value: The value for the given config -:type value: str - -#}} -{{% macro kernel_build_config_ocil(config, value) -%}} - To determine the config value the kernel was built with, run the following command: -
$ grep {{{ config }}} /boot/config.*
- {{% if value == "n" %}} - Configs with value 'n' are not explicitly set in the file, so either commented lines or no - lines should be returned. - {{% else %}} - For each kernel installed, a line with value "{{{ value }}}" should be returned. - {{% endif %}} -{{%- endmacro %}} - - {{# Returns the AIDE strings based on the current product @@ -1262,8 +1205,8 @@ Part of the grub2_bootloader_argument(_absent) templates. Join list of items to create a human readable list in which the last item is separated by an and and others are separated by a comma. -:param items: list of strings -:type items: list +:param items: list of strings to join +:type items: list[str] #}} {{%- macro join_list(items) -%}} diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 0539e003218..84bddf54633 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -142,7 +142,7 @@ value: :code:`Setting={{ varname1 }}` instead of lineinfile-based solutions. #}} -{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', escape_regex=False, mode='') %}} +{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', mode='') %}} {{{ ansible_only_lineinfile(msg, file, prefix_regex + parameter + separator_regex, parameter + separator + value, create=create, block=True, validate=validate, insert_after=insert_after, insert_before=insert_before, mode=mode) }}} {{%- endmacro %}} @@ -263,18 +263,6 @@ value: :code:`Setting={{ varname1 }}` {{%- endmacro %}} -{{# - High level macro to set a value in /etc/profile (and /etc/profile.d) bash - files. Note this is only suitable for calling a single command once with the - correct arguments and not for calling the same command multiple times with - different arguments. This includes setting an environment variable once. - -#}} -{{%- macro ansible_etc_profile_set(msg='', parameter='', value='') %}} -{{{ ansible_set_config_file_dir(msg, "/etc/profile", "/etc/profile.d", "/etc/profile", parameter, separator='=', separator_regex='=', value=value, create='yes', validate="bash -n %s") }}} -{{%- endmacro %}} - - {{# High level macro to set a command in auditd configuration file /etc/audit/auditd.conf. @@ -765,7 +753,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul :param op: version comparison operator ("<", "<=", "==", "!=", ">", ">=") :type op: str :param ver: package version (optional argument, use together with "op") -:type ver: version +:type ver: str #}} {{%- macro ansible_pkg_conditional(package, op=None, ver=None) -%}} @@ -1162,7 +1150,6 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul when: - result_faillock_conf_check.stat.exists - - name: {{{ rule_title }}} - Ensure the pam_faillock.so {{{ parameter }}} parameter in PAM files block: - name: {{{ rule_title }}} - Check if pam_faillock.so {{{ parameter }}} parameter is already enabled in pam files diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 6170f61b18e..7653fffe4ca 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -160,160 +160,6 @@ fi {{%- endmacro -%}} -{{# - Macro to perform remediation for 'audit_rules_privileged_commands' rule - - Example macro invocation(s):: - - perform_audit_rules_privileged_commands_remediation("auditctl", "500") - perform_audit_rules_privileged_commands_remediation("augenrules", "1000") - -:param tool: tool used to load audit rules either 'auditctl' or 'augenrules' -:type tool: str -:param min_auid: minimum original ID the user logged in with -:type min_auid: str - -#}} -{{%- macro bash_perform_audit_rules_privileged_commands_remediation(tool, min_auid) -%}} -files_to_inspect=() -{{% if tool == "auditctl" %}} -# If the audit tool is 'auditctl', then: -# * add '/etc/audit/audit.rules'to the list of files to be inspected, -# * specify '/etc/audit/audit.rules' as the output audit file, where -# missing rules should be inserted -files_to_inspect=("/etc/audit/audit.rules") -output_audit_file="/etc/audit/audit.rules" -{{%- elif tool == "augenrules" -%}} -# If the audit tool is 'augenrules', then: -# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected -# (split by newline), -# * specify /etc/audit/rules.d/privileged.rules' as the output file, where -# missing rules should be inserted -readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print) -output_audit_file="/etc/audit/rules.d/privileged.rules" -{{%- else -%}} -{{{ raise("Unknown tool used: " + tool) }}} -{{%- endif %}} - -# Obtain the list of SUID/SGID binaries on the particular system (split by newline) -# into privileged_binaries array -privileged_binaries=() -readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null) - -# Keep list of SUID/SGID binaries that have been already handled within some previous iteration -sbinaries_to_skip=() - -# For each found sbinary in privileged_binaries list -for sbinary in "${privileged_binaries[@]}" -do - - # Check if this sbinary wasn't already handled in some of the previous sbinary iterations - # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) - if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] - then - # If so, don't process it second time & go to process next sbinary - continue - fi - - # Reset the counter of inspected files when starting to check - # presence of existing audit rule for new sbinary - count_of_inspected_files=0 - - # Define expected rule form for this binary - expected_rule="-a always,exit -F path=${sbinary} -F auid>={{{ min_auid }}} -F auid!=unset -F key=privileged" - - # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary - if [[ ${#files_to_inspect[@]} -eq 0 ]]; then - echo "$expected_rule" >> "$output_audit_file" - continue - fi - - # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below - sbinary_esc=${sbinary//$'/'/$'\/'} - - # For each audit rules file from the list of files to be inspected - for afile in "${files_to_inspect[@]}" - do - # Search current audit rules file's content for match. Match criteria: - # * existing rule is for the same SUID/SGID binary we are currently processing (but - # can contain multiple -F path= elements covering multiple SUID/SGID binaries) - # * existing rule contains all arguments from expected rule form (though can contain - # them in arbitrary order) - - base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \ - -e '/-F path=[^[:space:]]\+/!d' \ - -e '/-F auid>='"{{{ min_auid }}}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \ - -e '/-k \|-F key=/!d' "$afile") - - # Increase the count of inspected files for this sbinary - count_of_inspected_files=$((count_of_inspected_files + 1)) - - # Search current audit rules file's content for presence of rule pattern for this sbinary - if [[ $base_search ]] - then - - # Current audit rules file already contains rule for this binary => - # Store the exact form of found rule for this binary for further processing - concrete_rule=$base_search - - # Select all other SUID/SGID binaries possibly also present in the found rule - - readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule") - handled_sbinaries=("${handled_sbinaries[@]//-F path=/}") - - # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates - readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du) - - # if there is a -F perm flag, remove it - if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then - - # Separate concrete_rule into three sections using hash '#' - # sign as a delimiter around rule's permission section borders - # note that the trailing space after perm flag is captured because there would be - # two consecutive spaces after joining remaining parts of the rule together - concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")" - - # Split concrete_rule into head and tail sections using hash '#' delimiter - # The second column contains the permission section, which we don't need to extract - rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule") - rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule") - - # Remove permissions section from existing rule in the file - sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile" - fi - # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: - # - # * in the "auditctl" mode of operation insert particular rule each time - # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), - # - # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already - # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined - # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) - # - {{% if tool in ("augenrules", "auditctl") -%}} - {{% if tool == "augenrules" -%}} - elif [[ $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] - then - {{%- endif %}} - {{% if tool == "auditctl" -%}} - else - {{%- endif %}} - # Check if this sbinary wasn't already handled in some of the previous afile iterations - # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) - if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] - then - # Current audit rules file's content doesn't contain expected rule for this - # SUID/SGID binary yet => append it - echo "$expected_rule" >> "$output_audit_file" - fi - continue - {{%- endif %}} - fi - done -done -{{%- endmacro -%}} - - {{# Set set a parameter in /etc/sshd_config @@ -761,7 +607,6 @@ then fi fi - [ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}" if ! grep -q "\\[{{{ path }}}\\]" "${DCONFFILE}" then @@ -856,147 +701,6 @@ sed -i "s/disable.*/disable = yes/gI" "/etc/xinetd.d/$xinetd" {{%- endmacro -%}} -{{%- macro _put_into_firefox_cfg(config_item, key, value_varname, where, sed_separator) -%}} -# If the key exists, change it. Otherwise, add it to the config_file. -if LC_ALL=C grep -m 1 -q '^{{{ config_item }}}("{{{ key }}}", ' "{{{ where }}}"; then - {{% if sed_separator in config_item %}} - {{{ raise("config_item (" + config_item + ") uses sed path separator (" + sed_separator + ") in " + rule_id) }}} - {{% elif sed_separator in key %}} - {{{ raise("key (" + key + ") uses sed path separator (" + sed_separator + ") in " + rule_id) }}} - {{% endif %}} - sed -i 's{{{ sed_separator }}}{{{ config_item }}}("{{{ key }}}".*{{{ sed_separator }}}{{{ config_item }}}("{{{ key }}}", '"${{{ value_varname }}})"';{{{ sed_separator }}}g' "{{{ where }}}" -else - echo '{{{ config_item }}}("{{{ key }}}", '"${{{ value_varname }}}"');' >> "{{{ where }}}" -fi -{{%- endmacro -%}} - - -{{%- macro _make_bash_variable_assignment(varname, value="", quoted_value="") -%}} -{{% if value -%}} - {{{ varname }}}="{{{ value }}}" -{{%- elif quoted_value -%}} - {{{ varname }}}="\"{{{ quoted_value }}}\"" -{{%- else %}} - {{{ raise("Specify either 'value' or 'quoted_value' as macro arguments.") }}} -{{%- endif -%}} -{{%- endmacro -%}} - - -{{# - -Example Calls: - - With a fixed integer value:: - - bash_firefox_js_setting("local-settings.js", "general.config.obscure_value", "0") - - With a fixed string value:: - - bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="mozilla.cfg") - - With a string variable:: - - bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="$var_config_file_name") - -:param config_file: Configuration file that will be modified -:type config_file: str -:param key: Configuration option to change -:type key: str -:param value: Value of the configuration option to change -:type value: str -:param quoted_value: -:type quoted_value: str -:param sed_separator: -:type sed_separator: char - -#}} -{{%- macro bash_firefox_js_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}} -{{{ _make_bash_variable_assignment(varname="value", value=value, quoted_value=quoted_value) }}} -firefox_js="{{{ config_file }}}" -firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" -firefox_pref="defaults/pref" -firefox_preferences="defaults/preferences" - -# Check the possible Firefox install directories -for firefox_dir in ${firefox_dirs}; do - # If the Firefox directory exists, then Firefox is installed - if [ -d "${firefox_dir}" ]; then - # Different versions of Firefox have different preferences directories, check for them and set the right one - if [ -d "${firefox_dir}/${firefox_preferences}" ] ; then - firefox_pref_dir="${firefox_dir}/${firefox_preferences}" - elif [ -d "${firefox_dir}/${firefox_pref}" ] ; then - firefox_pref_dir="${firefox_dir}/${firefox_pref}" - else - firefox_pref_dir="${firefox_dir}/${firefox_preferences}" - mkdir -p "${firefox_pref_dir}" - chmod 755 "${firefox_pref_dir}" - fi - - # Make sure the Firefox .js file exists and has the appropriate permissions - if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then - touch "${firefox_pref_dir}/${firefox_js}" - chmod 644 "${firefox_pref_dir}/${firefox_js}" - fi - - {{{ _put_into_firefox_cfg(config_item="pref", key=key, value_varname="value", where="${firefox_pref_dir}/${firefox_js}", sed_separator=sed_separator) | indent(4 * 2) }}} - fi -done -{{%- endmacro -%}} - - -{{# -Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the -preference if it does not exist. - -Example Call(s): - - Without string or variable:: - - bash_firefox_cfg_setting("mozilla.cfg" "extensions.update.enabled" value="false") - - With string:: - - bash_firefox_cfg_setting("mozilla.cfg" "security.default_personal_cert" quoted_value="Ask Every Time") - - With a string variable:: - - bash_firefox_cfg_setting("mozilla.cfg" "browser.startup.homepage" quoted_value="${var_default_home_page}") - -:param config_file: Configuration file that will be modified -:type config_file: str -:param key: Configuration option to change -:type key: str -:param value: Value of the configuration option to change -:type value: str -:param quoted_value: -:type quoted_value: str -:param sed_separator: -:type sed_separator: char - -#}} -{{%- macro bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/") %}} -firefox_cfg="{{{ config_file }}}" -{{{ _make_bash_variable_assignment(varname="value", value=value, quoted_value=quoted_value) }}} -firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" - -# Check the possible Firefox install directories -for firefox_dir in ${firefox_dirs}; do - # If the Firefox directory exists, then Firefox is installed - if [ -d "${firefox_dir}" ]; then - # Make sure the Firefox .cfg file exists and has the appropriate permissions - if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then - echo "// IMPORTANT: Start your code on the 2nd line" > "${firefox_dir}/${firefox_cfg}" - chmod 644 "${firefox_dir}/${firefox_cfg}" - elif ! head -1 "${firefox_dir}/${firefox_cfg}" | grep -q "^//"; then - sed -i '1 i\// IMPORTANT: Start your code on the 2nd line' "${firefox_dir}/${firefox_cfg}" - fi - - {{{ _put_into_firefox_cfg(config_item="lockPref", key=key, value_varname="value", where="${firefox_dir}/${firefox_cfg}", sed_separator=sed_separator) | indent(4 * 2) }}} - fi -done -{{%- endmacro -%}} - - {{# Macro to ensure that the ntp/chrony config file contains valid server entries. @@ -1860,7 +1564,6 @@ Notes: #}} {{% macro bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key) -%}} - unset syscall_a unset syscall_grouping unset syscall_string @@ -1890,7 +1593,6 @@ read -a syscall_grouping <<< {{{ syscall_groupings }}} # files_to_inspect=() - {{% if tool == "auditctl" %}} # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 112f175ba08..57cea30d3d2 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja @@ -86,18 +86,6 @@ The audit daemon must be restarted for the changes to take effect. {{% endmacro %}} -{{# - Generate a fixtext for audit rules for dac modification events - chown - -:param syscall: syscall name -:type syscall: str - -#}} -{{% macro fixtext_audit_rules_dac_modification_chown(syscall) -%}} -{{{ fixtext_audit_rules(syscall, "perm_mod", '"chown", "fchown", "fchownat" and "lchown"') }}} -{{% endmacro %}} - - {{# Generate a fixtext for audit rules for dac modification events - attr @@ -118,7 +106,7 @@ The audit daemon must be restarted for the changes to take effect. :type syscall: str :param syscall_grouping: A list of other syscalls that can be audited with the same audit rules. -:type syscall_grouping: list +:type syscall_grouping: list[str] #}} {{% macro fixtext_audit_rules_unsuccessful_file_modification(syscall, syscall_grouping) -%}} @@ -397,26 +385,6 @@ Modify "/etc/fstab" to use the "{{{ mountoption }}}" option on the "{{{ mountpoi {{%- endmacro %}} -{{# -Fixtext macro describing how to audit a command. - -:param command: The command to be audited -:type command: str -:param filepath: The full path to the command to be audited -:type filepath: str -:param key: The key for the audit messages -:type key: str - -#}} -{{% macro fixtext_audit_rules_command(command, filepath, key) -%}} -Configure the audit system to generate an audit event for any successful/unsuccessful use of the "{{{ command }}}" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: - --a always,exit -F path={{{ filepath }}} -F perm=x -F auid>={{{ uid_min }}} -F auid!=unset -k {{{ key }}} - -The audit daemon must be restarted for the changes to take effect. -{{%- endmacro %}} - - {{# Fixtext for ensuring that a privileged command is audited. diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja index 9363476fab0..6f277a62c23 100644 --- a/shared/macros/10-kubernetes.jinja +++ b/shared/macros/10-kubernetes.jinja @@ -211,34 +211,6 @@ spec: {{%- endmacro -%}} -{{# - Macro which generates Kubernetes remediation in MachineConfig format with - required value - - path (String): Path to the configuration file. - - file_permissions_mode (String): File permissions to be applied to the file represented by path argument - - source_content (String): The source of the content to be applied. - - vals (list): The list of required values for this remediation to be applies for example: var_something -#}} -{{%- macro kubernetes_machine_config_file_with_required_value(path='', file_permissions_mode='', source='', vals=[]) -%}} -apiVersion: machineconfiguration.openshift.io/v1 -kind: MachineConfig -metadata: - annotations: - complianceascode.io/value-input-required: {{{ vals | join(",") }}} -spec: - config: - ignition: - version: 3.1.0 - storage: - files: - - contents: - source: data:,{{ {{{ url_encode(source) }}} }} - mode: {{{ file_permissions_mode }}} - path: {{{ path }}} - overwrite: true -{{%- endmacro -%}} - - {{# High level macro to generate Kubernetes remediation to set the ssh daemon configuration file. #}} @@ -479,8 +451,8 @@ AuditBackend=LinuxAudit {{% macro audit_syscalls_rule(syscalls=[], key='', fields='') %}} {{%- for syscall in syscalls -%}} --a always,exit -F arch=b64 -S {{{ syscall }}}{{% if fields %}} -F {{{ fields }}}{{% endif %}} -k {{{ key }}} --a always,exit -F arch=b32 -S {{{ syscall }}}{{% if fields %}} -F {{{ fields }}}{{% endif %}} -k {{{ key }}} +-a always,exit -F arch=b64 -S {{{ syscall }}}{{% if fields %}} -F {{{ fields }}}{{% endif %}}{{% if key %}} -k {{{ key }}}{{% endif %}} +-a always,exit -F arch=b32 -S {{{ syscall }}}{{% if fields %}} -F {{{ fields }}}{{% endif %}}{{% if key %}} -k {{{ key }}}{{% endif %}} {{% endfor %}} {{%- endmacro %}} @@ -628,11 +600,6 @@ plugin_dir = /etc/audit/plugins.d {{%- endmacro %}} -{{% macro kubernetes_machineconfig_auditd_config_with_required_value(vals=[]) -%}} -{{{ kubernetes_machine_config_file_with_required_value(path='/etc/audit/auditd.conf', file_permissions_mode='0640', source=rhcos_auditd_config(),vals=vals)}}} -{{%- endmacro %}} - - {{# Macro to generate MachineConfig setting our recommended chrony.conf #}} @@ -666,7 +633,7 @@ spec: {{% macro ntp_server() -%}} # # This file controls the configuration of the ntp server -# {{.var_multiple_time_servers}} we have to put variable array name here for mutilines remediation +# {{.var_multiple_time_servers}} we have to put variable array name here for mutilines remediation {{$var_time_service_set_maxpoll:=.var_time_service_set_maxpoll}} {{range $element:=.var_multiple_time_servers|toArrayByComma}}server {{$element}} minpoll 4 maxpoll {{$var_time_service_set_maxpoll}} {{end}} diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index ee12b2889b3..37c1d5ada96 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -640,17 +640,28 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' {{# Firewalld macros #}} {{%- macro _firewalld_check(access_action, port, proto, service) %}} - To determine if firewalld is configured to {{{ access_action }}} to {{{ service }}} + To determine if firewalld is configured to {{{ access_action }}} + {{% if port is not none %}} on port {{{ port }}}/{{{ proto }}}, run the following command(s): - {{% if port %}} firewall-cmd --list-ports {{% endif %}} - {{% if service %}} + {{% if service is not none %}} + to {{{ service }}} firewall-cmd --list-services {{% endif %}} {{%- endmacro %}} +{{%- macro _firewalld_access_param_check(macroname, port, proto, service) %}} + {{%- if ((port is none) and (proto is not none)) or ((port is not none) and (proto is none)) %}} + {{{- raise(macroname ~ ": if you have proto/port you need respectively port/proto") }}} + {{%- endif %}} + {{%- if (service is none) and (port is none) %}} + {{{- raise(macroname ~ ": define either service, or port+proto") }}} + {{%- endif %}} +{{%- endmacro %}} + + {{# OCIL for allowing a port or service in firewalld. If the :code:`service` parameter is defined it is assumed to be a service and the :code:`port` and :code:`proto` parameters will have no effect. @@ -663,14 +674,15 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' :type service: str #}} -{{%- macro ocil_firewalld_allow_access(port, proto, service) %}} +{{%- macro ocil_firewalld_allow_access(port=none, proto=none, service=none) %}} +{{{ _firewalld_access_param_check(name, port, proto, service) }}} {{{ _firewalld_check("allow access", port, proto, service) }}} If firewalld is configured to allow access through the firewall, something similar to the following will be output: - {{% if service %}} + {{% if service is not none %}} If it is a service: {{{ service }}} {{% endif %}} - {{% if port %}} + {{% if port is not none %}} If it is a port: {{{ port }}}/{{{ proto }}} {{% endif %}} @@ -689,7 +701,8 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' :type service: str #}} -{{%- macro ocil_firewalld_prevent_access(port, proto, service) %}} +{{%- macro ocil_firewalld_prevent_access(port=none, proto=none, service=none) %}} +{{{ _firewalld_access_param_check(name, port, proto, service) }}} {{{ _firewalld_check("prevent access", port, proto, service) }}} If firewalld is configured to prevent access, no output will be returned. {{%- endmacro %}} @@ -1086,39 +1099,6 @@ Fill in GRUBENV_FILE_LOCATION based on information above. {{# Firefox macros #}} -{{# -Write out the OCIL for generating the common check for Firefox configuration - -:param preference: Name of preference -:type preference: str -:param config: configuration item name in Firefox -:type config: str -:param value: Expected value for preference, "true" or "false" -:type value: str - -#}} -{{% macro ocil_firefox_config(preference, config, value) -%}} -{{%- if value == "true" -%}} -ocil_clause: 'it is not enabled' -{{%- elif value == "false" %}} -ocil_clause: 'it is not disabled' -{{%- endif %}} - -ocil: |- - {{% if value == "true" -%}} - To verify that {{preference}} is enabled, - {{%- elif value == "false" %}} - To verify that {{preference}} is disabled, -{{% else %}} - To verify the correct setting of {{preference}}, -{{% endif %}} - run the following command: -
$ grep '{{config}}' FIREFOX_INSTALL_DIR/*.cfg
- The output should return: -
lockPref("{{config}}", "{{value}}");
-{{%- endmacro %}} - - {{# Create an OCIL text for rules using the audit_rules_unsuccessful_file_modification template diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 92c1aa262f6..2c7c6560b47 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -317,7 +317,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type id_stem: str #}} -{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}} +{{%- macro oval_line_in_file_state(value='', multi_value=false, quotes='', id_stem='') -%}} {{%- set id_stem = id_stem or rule_id -%}} {{%- set regex = value -%}} {{%- if quotes != "" %}} @@ -471,7 +471,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type is_regex: bool #}} -{{%- macro oval_argument_value_in_line_test(filepath, name, value, line_prefix='', line_suffix='', is_regex=False) -%}} +{{%- macro oval_argument_value_in_line_test(filepath, name, value='', line_prefix='', line_suffix='', is_regex=False) -%}} {{%- if value -%}} {{%- set name_value = name+"="+value -%}} {{%- else -%}} @@ -1293,8 +1293,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo The macro receives a string as parameter, which is used as the password_object id in the rule. - :param object_id: Object id to be created. - :type object_id: str +:param object_id: Object id to be created. +:type object_id: str #}} {{%- macro create_system_accounts_list_object(object_id) -%}}