From ad6a5866369608239bd318e51b7d14f7b576f327 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Wed, 28 Aug 2024 09:47:20 -0400 Subject: [PATCH 01/21] fix syntax issues --- controls/SV-257787.rb | 8 ++++---- controls/SV-257790.rb | 2 +- controls/SV-257791.rb | 2 +- controls/SV-257967.rb | 2 +- controls/SV-258100.rb | 2 +- controls/SV-258242.rb | 3 +++ inspec.yml | 19 ++++++++++--------- 7 files changed, 21 insertions(+), 17 deletions(-) diff --git a/controls/SV-257787.rb b/controls/SV-257787.rb index 50aa781..5e22105 100644 --- a/controls/SV-257787.rb +++ b/controls/SV-257787.rb @@ -44,14 +44,14 @@ !virtualization.system.eql?('docker') end - grubfile = file(input('grub_conf_path')) - grub_userfile = file(input('grub_user_conf_path')) + grubfile = input('grub_conf_path') + grub_userfile = input('grub_user_conf_path') - describe grubfile do + describe file(grubfile) do it { should exist } end - describe grub_userfile do + describe file(grub_userfile) do it { should exist } end diff --git a/controls/SV-257790.rb b/controls/SV-257790.rb index c475ab3..ec60f2f 100644 --- a/controls/SV-257790.rb +++ b/controls/SV-257790.rb @@ -29,7 +29,7 @@ !virtualization.system.eql?('docker') } - grubfile = file(input('grub_conf_path')) + grubfile = input('grub_conf_path') describe file(grubfile) do it { should exist } diff --git a/controls/SV-257791.rb b/controls/SV-257791.rb index b1bf459..3e7bce1 100644 --- a/controls/SV-257791.rb +++ b/controls/SV-257791.rb @@ -29,7 +29,7 @@ !virtualization.system.eql?('docker') } - grubfile = file(input('grub_conf_path')) + grubfile = input('grub_conf_path') describe file(grubfile) do it { should exist } diff --git a/controls/SV-257967.rb b/controls/SV-257967.rb index 35c5852..14a04c8 100644 --- a/controls/SV-257967.rb +++ b/controls/SV-257967.rb 
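Review bot: After this change `grubfile` and `grub_userfile` hold the input strings rather than `file` resources, but the guard further down the control, `if grubfile.exist? && grub_userfile.exist?` (outside this hunk), still calls `.exist?` on them and will raise NoMethodError when the files exist checks pass; it needs `if file(grubfile).exist? && file(grub_userfile).exist?` in the same commit. PATCH 03 of this series makes exactly that fix, so this intermediate commit leaves SV-257787 broken. The control body continues past the end of the hunk.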
@@ -43,7 +43,7 @@ !virtualization.system.eql?('docker') } - parameter = 'net.ipv4.icmp_ignore_bogus_error_response' + parameter = 'net.ipv4.icmp_ignore_bogus_error_responses' value = 1 regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/ diff --git a/controls/SV-258100.rb b/controls/SV-258100.rb index e228959..9141cb2 100644 --- a/controls/SV-258100.rb +++ b/controls/SV-258100.rb @@ -36,7 +36,7 @@ expected_line = 'password sufficient pam_unix.so sha512' pam_auth_files = input('pam_auth_files') - describe pam(pam_auth_files['password-auth']) do + describe pam(pam_auth_files['system-auth']) do its('lines') { should match_pam_rule(expected_line).any_with_integer_arg('rounds', '>=', input('password_hash_rounds')) } end end diff --git a/controls/SV-258242.rb b/controls/SV-258242.rb index 654d62e..578bf74 100644 --- a/controls/SV-258242.rb +++ b/controls/SV-258242.rb @@ -39,6 +39,9 @@ only_if('This control is Not Applicable to containers', impact: 0.0) { !virtualization.system.eql?('docker') } + only_if('This control is Not Applicable since bind is not installed', impact: 0.0) { + !package('bind').installed? + } describe file('/etc/named.conf') do it { should exist } diff --git a/inspec.yml b/inspec.yml index fc43bc8..9e03dea 100644 --- a/inspec.yml +++ b/inspec.yml @@ -5,14 +5,15 @@ copyright: MITRE license: Apache-2.0 summary: "InSpec profile aligned to DISA STIG for RHEL9" version: 1.2.0 -inspec_version: ">= 6.0" +# NOTE: for testing with test-kitchen, put back to ">= 6.0" when finished +inspec_version: ">= 5.0" supports: - platform-name: redhat release: 9.* ### INPUTS ### -# Inputs are variables that can be referenced by any control in the profile, +# Inputs are variables that can be referenced by any control in the profile, # and are defined and given a default value in this file. # By default, each parameter is set to exactly comply with the STIG baseline 
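Review bot: `parameter` is interpolated unescaped into `regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/`, so every `.` in `net.ipv4.icmp_ignore_bogus_error_responses` matches any character rather than a literal dot; `Regexp.escape(parameter)` keeps the match exact. The rename itself is correct — the kernel exposes the key as `icmp_ignore_bogus_error_responses`, so the old name could never match. The control continues beyond the hunk.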
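Review bot: Switching the `pam` resource from `pam_auth_files['password-auth']` to `pam_auth_files['system-auth']` drops coverage of one stack rather than adding the other; the `rounds` argument is configured independently in each file, so a weak value in whichever stack is no longer inspected would go unreported. If `pam_auth_files` carries both keys (its contents are not visible here), iterate them: `pam_auth_files.each_value do |path| describe pam(path) do ... end end`. Confirm against the STIG check text which file(s) SV-258100 is meant to cover before narrowing it to one.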
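Review bot: Relaxing `inspec_version` to `">= 5.0"` with a comment asking to put it back is a local testing convenience committed to the shared profile; if the revert is forgotten, the profile advertises support for an InSpec version it is no longer exercised against. Prefer overriding the requirement in the test-kitchen configuration, or at least track the revert in an issue rather than a `# NOTE` above the key. The trailing-whitespace fixes in the remaining `inspec.yml` hunks of this commit are fine.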
@@ -21,7 +22,7 @@ supports: # For example, control SV-230379 checks that only 'necessary accounts' exist # on the system. The list of 'necessary' accounts depends on the function of -# the system, and you will likely need to add approved accounts to the +# the system, and you will likely need to add approved accounts to the # 'known_system_accounts' input. Also, depending on your local organizational # security policy, you may need to deviate from the STIG on some controls to # make the test profile 'stricter' or 'looser.' @@ -133,8 +134,8 @@ inputs: - name: exempt_ini_files description: List of initialization files that are exempt from permissions checks type: Array - value: [] - + value: [] + # SV-257889 - name: alternate_ini_file_dirs description: List of directories, other than a user's homedir, to search for initialization files @@ -330,7 +331,7 @@ inputs: - name: unapproved_ssl_tls_versions description: type: Array - value: + value: - -VERS-DTLS0.9 - -VERS-SSL3.0 - -VERS-TLS1.0 @@ -834,7 +835,7 @@ inputs: description: Set to true if there is a documented requirement for the target system to use iprutils type: Boolean value: false - + # SV-257834 - name: tuned_required description: Set to true if there is a documented requirement for the target system to use tuned @@ -963,7 +964,7 @@ inputs: - name: device_file_locations description: Directories where device files live type: Array - value: + value: - /dev # SV-257932 @@ -987,7 +988,7 @@ inputs: - name: approved_openssh_server_conf description: Config values expected for openssh server (order matters, so these values are comma-delimited strings and not arrays) type: Hash - value: + value: ciphers: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr macs: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512 From 2ee16110d53f429b5772c030f5f2baa035540d18 Mon Sep 17 00:00:00 2001 
From: Jon Metzger Date: Wed, 28 Aug 2024 09:49:15 -0400 Subject: [PATCH 02/21] added cookstyle --- Rakefile | 2 +- controls/SV-258137.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Rakefile b/Rakefile index 139a368..14494ea 100755 --- a/Rakefile +++ b/Rakefile @@ -14,7 +14,7 @@ end begin RuboCop::RakeTask.new(:lint) do |task| - task.options += %w[--display-cop-names --no-color --parallel] + task.options += %w(--display-cop-names --no-color --parallel) end rescue LoadError puts 'rubocop is not available. Install the rubocop gem to run the lint tests.' diff --git a/controls/SV-258137.rb b/controls/SV-258137.rb index d4f56f0..8acf570 100644 --- a/controls/SV-258137.rb +++ b/controls/SV-258137.rb @@ -45,13 +45,13 @@ !virtualization.system.eql?('docker') } - audit_tools = %w[/usr/sbin/auditctl + audit_tools = %w(/usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/ausearch /usr/sbin/aureport /usr/sbin/autrace /usr/sbin/rsyslogd - /usr/sbin/augenrules] + /usr/sbin/augenrules) if package('aide').installed? audit_tools.each do |tool| From e34ac4ecaa947e0ebeca3dd1fe148129e55fc4b1 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Wed, 28 Aug 2024 15:11:26 -0400 Subject: [PATCH 03/21] fix openssh path --- controls/SV-257787.rb | 2 +- controls/SV-257860.rb | 7 ++----- controls/SV-257989.rb | 2 +- controls/SV-257990.rb | 2 +- controls/SV-258116.rb | 2 +- controls/SV-258136.rb | 2 +- controls/SV-258242.rb | 2 +- 7 files changed, 8 insertions(+), 11 deletions(-) diff --git a/controls/SV-257787.rb b/controls/SV-257787.rb index 5e22105..f010c58 100644 --- a/controls/SV-257787.rb +++ b/controls/SV-257787.rb @@ -55,7 +55,7 @@ it { should exist } end - if grubfile.exist? && grub_userfile.exist? + if file(grubfile).exist? && file(grub_userfile).exist? password_set = file(grubfile).content.lines.select { |line| line.match(/password_pbkdf2\s+\w+\s+\$\{\w+\}/) } describe 'The GRUB bootloader superuser password' do 
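Review bot: The `%w[...]` → `%w(...)` change in the Rakefile, and the same change in `controls/SV-258137.rb` in this commit, is reverted by PATCH 05 (`new rubocop update`) and re-applied by PATCH 10 (`cookstyle`) later in this series, so two linters are fighting over `Style/PercentLiteralDelimiters`. Pin the preferred delimiters once in `.rubocop.yml` and have both tools read that configuration so the delimiter stops oscillating between commits. None of these hunks change behavior.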
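Review bot: The `password_set` context line after the fixed guard only matches `password_pbkdf2 <user> ${VAR}`, i.e. a hash supplied through a variable; a grub.cfg that carries the pbkdf2 hash inline (`password_pbkdf2 root grub.pbkdf2.sha512.10000....`) is a compliant configuration this regex reports as a finding. Something like `/password_pbkdf2\s+\w+\s+(\$\{\w+\}|grub\.pbkdf2\.sha512\.\S+)/` accepts both forms. The `file(grubfile).exist? && file(grub_userfile).exist?` guard is correct now that `grubfile` is a String; the control continues past the hunk.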
diff --git a/controls/SV-257860.rb b/controls/SV-257860.rb index 5f96509..e69c498 100644 --- a/controls/SV-257860.rb +++ b/controls/SV-257860.rb @@ -29,18 +29,15 @@ !virtualization.system.eql?('docker') } - directory = '/boot' - parameter = 'nodev' - if file('/sys/firmware/efi').exist? impact 0.0 describe 'System running UEFI' do skip 'The System is running UEFI, this control is Not Applicable.' end else - describe mount(directory) do + describe mount('/boot') do it { should be_mounted } - its('options') { should include parameter } + its('options') { should include 'nodev' } end end end diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb index d95e156..23de267 100644 --- a/controls/SV-257989.rb +++ b/controls/SV-257989.rb @@ -40,7 +40,7 @@ approved_ciphers = input('approved_openssh_server_conf')['ciphers'] options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ } - opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h + opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h actual_ciphers = opensshserver_conf['ciphers'].join(',') diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb index 13ef554..0a015d7 100644 --- a/controls/SV-257990.rb +++ b/controls/SV-257990.rb @@ -40,7 +40,7 @@ approved_macs = input('approved_openssh_server_conf')['macs'] options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ } - opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h + opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h actual_macs = opensshserver_conf['macs'].join(',') diff --git a/controls/SV-258116.rb b/controls/SV-258116.rb index 40b2139..544c7d5 100644 
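Review bot: `openssh.config` is the crypto-policies back-end for the OpenSSH client; the server policy lives in `opensshserver.config`, which is what the `approved_openssh_server_conf` input and these server-side controls (SV-257989 ciphers, SV-257990 MACs) are about, so this path change makes them assert the client's algorithm lists and leaves sshd unchecked. If the change was motivated by the file being absent on the test box, guard the read (`only_if` or `skip` when the file does not exist) rather than read a different file. The same replacement is applied to SV-257991 in PATCH 04; whether that one is a client-side control should be confirmed against the STIG before deciding there. Separately, `opensshserver_conf['ciphers']` is nil when the key is missing and `.join` then raises; `opensshserver_conf.fetch('ciphers', []).join(',')` turns that into a failed comparison instead of an error.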
--- a/controls/SV-258116.rb +++ b/controls/SV-258116.rb @@ -30,6 +30,6 @@ tag 'host', 'container' describe parse_config_file('/etc/libuser.conf') do - its('crypt_style') { should cmp 'sha512' } + its('crypt_style') { should match('sha512') } end end diff --git a/controls/SV-258136.rb b/controls/SV-258136.rb index 5a6a2f0..81cc766 100644 --- a/controls/SV-258136.rb +++ b/controls/SV-258136.rb @@ -35,7 +35,7 @@ if file_integrity_tool == 'aide' describe parse_config_file('/etc/aide.conf') do - its('ALL') { should match(/sha512/) } + its('All') { should match(/sha512/) } end else describe 'Manual Review' do diff --git a/controls/SV-258242.rb b/controls/SV-258242.rb index 578bf74..636be7c 100644 --- a/controls/SV-258242.rb +++ b/controls/SV-258242.rb @@ -40,7 +40,7 @@ !virtualization.system.eql?('docker') } only_if('This control is Not Applicable since bind is not installed', impact: 0.0) { - !package('bind').installed? + package('bind').installed? } describe file('/etc/named.conf') do From d63366e840bd127c01c47eb8bcaf508d29118a6f Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Wed, 28 Aug 2024 15:51:34 -0400 Subject: [PATCH 04/21] fix grep to add params -hs --- controls/SV-257991.rb | 2 +- controls/SV-258101.rb | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb index fd9bd5c..af889f1 100644 --- a/controls/SV-257991.rb +++ b/controls/SV-257991.rb @@ -42,7 +42,7 @@ approved_macs = input('approved_openssh_server_conf')['macs'] options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ } - opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h + opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h actual_macs = opensshserver_conf['macs'].join(',') 
diff --git a/controls/SV-258101.rb b/controls/SV-258101.rb index 3a96255..f533290 100644 --- a/controls/SV-258101.rb +++ b/controls/SV-258101.rb @@ -35,12 +35,13 @@ tag 'host' tag 'container' - # TODO: use this pattern on the rest of the pwquality.conf settings (current implementation for the other ones dont account for multiple conmf files) + # TODO: use this pattern on the rest of the pwquality.conf settings (current implementation for the other ones dont account for multiple conf files) setting = 'enforce_for_root' - setting_check = command("grep #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf").stdout.strip.match(/^:+#{setting}$/) - + # Note: -s to supress if no files + # Note: -h to just have occurances and ignore filename + setting_check = command("grep -sh #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*").stdout.strip.match(/^#{setting}$/) describe 'The root account' do it 'should enforce password complexity rules' do expect(setting_check).to_not be_nil, "'#{setting}' not found (or commented out) in conf file(s)" From 61e0f14b473616edb7b9bb98b73e2f13c18479f7 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 09:00:58 -0400 Subject: [PATCH 05/21] new rubocop update --- .rubocop.yml | 107 ++++++++++++++++++++++++++++++++++++++++++ Rakefile | 2 +- controls/SV-257935.rb | 6 +-- controls/SV-257953.rb | 2 +- controls/SV-257989.rb | 2 +- controls/SV-257990.rb | 2 +- controls/SV-257991.rb | 2 +- controls/SV-258022.rb | 10 ++-- controls/SV-258038.rb | 12 ++--- controls/SV-258089.rb | 10 ++-- controls/SV-258101.rb | 2 +- controls/SV-258137.rb | 4 +- controls/SV-258140.rb | 10 ++-- controls/SV-258141.rb | 10 ++-- controls/SV-258146.rb | 10 ++-- controls/SV-258147.rb | 10 ++-- controls/SV-258149.rb | 10 ++-- controls/SV-258155.rb | 2 +- controls/SV-258156.rb | 10 ++-- controls/SV-258162.rb | 10 ++-- 20 files changed, 170 insertions(+), 63 deletions(-) 
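Review bot: The second grep target, `/etc/security/pwquality.conf/*`, can never match because `pwquality.conf` is a regular file, and the new `-s` flag hides that error, so the check silently inspects only the main file; libpwquality's drop-in directory is `/etc/security/pwquality.conf.d/*.conf`, which is exactly where an override of `enforce_for_root` would live and be missed. Change the command to `command("grep -sh #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf")`. The two new comments have typos (`supress` → `suppress`, `occurances` → `occurrences`), and only the first is later upcased to `NOTE:` in PATCH 05, leaving the pair inconsistent.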
diff --git a/.rubocop.yml b/.rubocop.yml index f4e16ea..cec6439 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,4 +1,5 @@ AllCops: + NewCops: enable Exclude: - "libraries/**/*" 
@@ -56,3 +57,109 @@ Style/FormatStringToken: Style/FrozenStringLiteralComment: Enabled: false + +# The following cops were added to RuboCop, but are not configured. Please set Enabled to either `true` or `false` in your `.rubocop.yml` file. +# Please also note that you can opt-in to new cops by default by adding this to your config: +# For more information: https://docs.rubocop.org/rubocop/versioning.html +Gemspec/DateAssignment: # new in 1.10 + Enabled: true +Gemspec/RequireMFA: # new in 1.23 + Enabled: true +Layout/LineEndStringConcatenationIndentation: # new in 1.18 + Enabled: true +Layout/SpaceBeforeBrackets: # new in 1.7 + Enabled: true +Lint/AmbiguousAssignment: # new in 1.7 + Enabled: true +Lint/AmbiguousOperatorPrecedence: # new in 1.21 + Enabled: true +Lint/AmbiguousRange: # new in 1.19 + Enabled: true +Lint/DeprecatedConstants: # new in 1.8 + Enabled: true +Lint/DuplicateBranch: # new in 1.3 + Enabled: true +Lint/DuplicateRegexpCharacterClassElement: # new in 1.1 + Enabled: true +Lint/EmptyBlock: # new in 1.1 + Enabled: true +Lint/EmptyClass: # new in 1.3 + Enabled: true +Lint/EmptyInPattern: # new in 1.16 + Enabled: true +Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21 + Enabled: true +Lint/LambdaWithoutLiteralBlock: # new in 1.8 + Enabled: true +Lint/NoReturnInBeginEndBlocks: # new in 1.2 + Enabled: true +Lint/NumberedParameterAssignment: # new in 1.9 + Enabled: true +Lint/OrAssignmentToConstant: # new in 1.9 + Enabled: true +Lint/RedundantDirGlobSort: # new in 1.8 + Enabled: true +Lint/RequireRelativeSelfPath: # new in 1.22 + Enabled: true +Lint/SymbolConversion: # new in 1.9 + Enabled: true +Lint/ToEnumArguments: # new in 1.1 + Enabled: true +Lint/TripleQuotes: # new in 1.9 + Enabled: true +Lint/UnexpectedBlockArity: # new in 1.5 + Enabled: true +Lint/UnmodifiedReduceAccumulator: # new in 1.1 + Enabled: true +Lint/UselessRuby2Keywords: # new in 1.23 + Enabled: true +Naming/BlockForwarding: # new in 1.24 + Enabled: true +Security/IoMethods: 
# new in 1.22 + Enabled: true +Style/ArgumentsForwarding: # new in 1.1 + Enabled: true +Style/CollectionCompact: # new in 1.2 + Enabled: true +Style/DocumentDynamicEvalDefinition: # new in 1.1 + Enabled: true +Style/EndlessMethod: # new in 1.8 + Enabled: true +Style/FileRead: # new in 1.24 + Enabled: true +Style/FileWrite: # new in 1.24 + Enabled: true +Style/HashConversion: # new in 1.10 + Enabled: true +Style/HashExcept: # new in 1.7 + Enabled: true +Style/IfWithBooleanLiteralBranches: # new in 1.9 + Enabled: true +Style/InPatternThen: # new in 1.16 + Enabled: true +Style/MapToHash: # new in 1.24 + Enabled: true +Style/MultilineInPatternThen: # new in 1.16 + Enabled: true +Style/NegatedIfElseCondition: # new in 1.2 + Enabled: true +Style/NilLambda: # new in 1.3 + Enabled: true +Style/NumberedParameters: # new in 1.22 + Enabled: true +Style/NumberedParametersLimit: # new in 1.22 + Enabled: true +Style/OpenStructUse: # new in 1.23 + Enabled: true +Style/QuotedSymbols: # new in 1.16 + Enabled: true +Style/RedundantArgument: # new in 1.4 + Enabled: true +Style/RedundantSelfAssignmentBranch: # new in 1.19 + Enabled: true +Style/SelectByRegexp: # new in 1.22 + Enabled: true +Style/StringChars: # new in 1.12 + Enabled: true +Style/SwapValues: # new in 1.1 + Enabled: true \ No newline at end of file diff --git a/Rakefile b/Rakefile index 14494ea..139a368 100755 --- a/Rakefile +++ b/Rakefile @@ -14,7 +14,7 @@ end begin RuboCop::RakeTask.new(:lint) do |task| - task.options += %w(--display-cop-names --no-color --parallel) + task.options += %w[--display-cop-names --no-color --parallel] end rescue LoadError puts 'rubocop is not available. Install the rubocop gem to run the lint tests.' diff --git a/controls/SV-257935.rb b/controls/SV-257935.rb index 91b9641..7e4a879 100644 --- a/controls/SV-257935.rb +++ b/controls/SV-257935.rb 
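Review bot: `NewCops: enable` in the first hunk already opts into every pending cop, so the explicit `Enabled: true` entries appended here are redundant and will drift as RuboCop versions change; keep one mechanism and reserve explicit entries for cops being turned off or reconfigured. The pasted header (`# The following cops were added to RuboCop, but are not configured...`) is RuboCop's pending-cop warning text rather than configuration guidance, and the file now ends without a trailing newline.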
@@ -37,12 +37,12 @@ alternate_firewall_tool = input('alternate_firewall_tool') - if alternate_firewall_tool != '' - describe package(alternate_firewall_tool) do + if alternate_firewall_tool == '' + describe package('firewalld') do it { should be_installed } end else - describe package('firewalld') do + describe package(alternate_firewall_tool) do it { should be_installed } end end diff --git a/controls/SV-257953.rb b/controls/SV-257953.rb index a203e9f..92f185f 100644 --- a/controls/SV-257953.rb +++ b/controls/SV-257953.rb @@ -33,7 +33,7 @@ tag nist: ['AU-5 a'] tag 'host', 'container' - options = { "assignment_regex": /^(\S+):\s*(\S+)/ } + options = { assignment_regex: /^(\S+):\s*(\S+)/ } describe parse_config_file('/etc/aliases', options) do its('postmaster') { should cmp 'root' } diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb index 23de267..cad87fd 100644 --- a/controls/SV-257989.rb +++ b/controls/SV-257989.rb @@ -39,7 +39,7 @@ approved_ciphers = input('approved_openssh_server_conf')['ciphers'] - options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ } + options = { assignment_regex: /^(\S+)\s+(\S+)$/ } opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h actual_ciphers = opensshserver_conf['ciphers'].join(',') diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb index 0a015d7..9c5035b 100644 --- a/controls/SV-257990.rb +++ b/controls/SV-257990.rb @@ -39,7 +39,7 @@ approved_macs = input('approved_openssh_server_conf')['macs'] - options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ } + options = { assignment_regex: /^(\S+)\s+(\S+)$/ } opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h actual_macs = opensshserver_conf['macs'].join(',') diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb index af889f1..0e7fd4d 100644 --- a/controls/SV-257991.rb 
+++ b/controls/SV-257991.rb @@ -41,7 +41,7 @@ approved_macs = input('approved_openssh_server_conf')['macs'] - options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ } + options = { assignment_regex: /^(\S+)\s+(\S+)$/ } opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h actual_macs = opensshserver_conf['macs'].join(',') diff --git a/controls/SV-258022.rb b/controls/SV-258022.rb index bccfd71..1cda9e9 100644 --- a/controls/SV-258022.rb +++ b/controls/SV-258022.rb @@ -52,14 +52,14 @@ !virtualization.system.eql?('docker') } - if !package('gnome-desktop3').installed? + if package('gnome-desktop3').installed? + describe command('grep -i lock-enabled /etc/dconf/db/local.d/locks/*') do + its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-enabled' } + end + else impact 0.0 describe 'The GNOME desktop is not installed, this control is Not Applicable.' do skip 'The GNOME desktop is not installed, this control is Not Applicable.' end - else - describe command('grep -i lock-enabled /etc/dconf/db/local.d/locks/*') do - its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-enabled' } - end end end diff --git a/controls/SV-258038.rb b/controls/SV-258038.rb index 4bc79a5..3a8154a 100644 --- a/controls/SV-258038.rb +++ b/controls/SV-258038.rb @@ -39,16 +39,16 @@ peripherals_package = input('peripherals_package') - if peripherals_package != 'usbguard' + if peripherals_package == 'usbguard' + describe command('usbguard list-rules') do + its('stdout') { should_not be_empty } + its('exit_status') { should eq 0 } + end + else describe 'Non-standard package' do it 'is handling peripherals' do expect(peripherals_package).to exist end end - else - describe command('usbguard list-rules') do - its('stdout') { should_not be_empty } - its('exit_status') { should eq 0 } - end end end 
diff --git a/controls/SV-258089.rb b/controls/SV-258089.rb index 376a172..ccad445 100644 --- a/controls/SV-258089.rb +++ b/controls/SV-258089.rb @@ -38,14 +38,14 @@ !virtualization.system.eql?('docker') } - if !input('use_fapolicyd') + if input('use_fapolicyd') + describe package('fapolicyd') do + it { should be_installed } + end + else impact 0.0 describe 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable' do skip 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable' end - else - describe package('fapolicyd') do - it { should be_installed } - end end end diff --git a/controls/SV-258101.rb b/controls/SV-258101.rb index f533290..d0e37ee 100644 --- a/controls/SV-258101.rb +++ b/controls/SV-258101.rb @@ -39,7 +39,7 @@ setting = 'enforce_for_root' - # Note: -s to supress if no files + # NOTE: -s to supress if no files # Note: -h to just have occurances and ignore filename setting_check = command("grep -sh #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*").stdout.strip.match(/^#{setting}$/) describe 'The root account' do diff --git a/controls/SV-258137.rb b/controls/SV-258137.rb index 8acf570..d4f56f0 100644 --- a/controls/SV-258137.rb +++ b/controls/SV-258137.rb @@ -45,13 +45,13 @@ !virtualization.system.eql?('docker') } - audit_tools = %w(/usr/sbin/auditctl + audit_tools = %w[/usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/ausearch /usr/sbin/aureport /usr/sbin/autrace /usr/sbin/rsyslogd - /usr/sbin/augenrules) + /usr/sbin/augenrules] if package('aide').installed? audit_tools.each do |tool| diff --git a/controls/SV-258140.rb b/controls/SV-258140.rb index d450ec8..1fe5d4b 100644 --- a/controls/SV-258140.rb +++ b/controls/SV-258140.rb 
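Review bot: The skip message `The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable` describes fapolicyd as a firewall component; fapolicyd is the file-access (application allowlisting) policy daemon, so the text misleads whoever reads the report, and `servies` is a typo. Suggest `The organization is not using the fapolicyd application allowlisting service, this control is Not Applicable` for both the `describe` and `skip` strings. The branch inversion itself is behavior-preserving.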
@@ -29,13 +29,13 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe package('rsyslog') do it { should be_installed } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end diff --git a/controls/SV-258141.rb b/controls/SV-258141.rb index d35aa75..3ff699b 100644 --- a/controls/SV-258141.rb +++ b/controls/SV-258141.rb @@ -29,13 +29,13 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe package('rsyslog-gnutls') do it { should be_installed } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end diff --git a/controls/SV-258146.rb b/controls/SV-258146.rb index 9e1cf90..d6c0a4b 100644 --- a/controls/SV-258146.rb +++ b/controls/SV-258146.rb 
@@ -40,16 +40,16 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe 'rsyslog configuration' do subject { command("grep -i '^\$ActionSendStreamDriverAuthMode' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'").stdout } it { should match %r{\$ActionSendStreamDriverAuthMode\s+x509/name} } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end diff --git a/controls/SV-258147.rb b/controls/SV-258147.rb index 5a9848b..531bb9c 100644 --- a/controls/SV-258147.rb +++ b/controls/SV-258147.rb @@ -38,11 +38,7 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe 'rsyslog configuration' do subject { command("grep -i '^\$DefaultNetstreamDriver' #{input('logging_conf_files').join(' ')} | awk -F ':' '{ print $2 }'").stdout @@ -56,5 +52,9 @@ } it { should match(/\$ActionSendStreamDriverMode\s+1/) } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end diff --git a/controls/SV-258149.rb b/controls/SV-258149.rb index 3d95cd3..c739a66 100644 --- a/controls/SV-258149.rb +++ b/controls/SV-258149.rb 
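Review bot: The `subject` pipes `grep -i '^\$ActionSendStreamDriverAuthMode' <files> | awk -F ':' '{ print $2 }'`; grep prefixes `filename:` only when given more than one file, so if `input('logging_conf_files')` resolves to a single path, awk's `$2` is empty and the control fails even when the directive is set correctly (inferred from grep's default behaviour, not verified against the default input). `grep -iH ...` forces the prefix regardless of file count. The paths are also joined into the shell command unquoted, so a path containing spaces breaks the command; `input('logging_conf_files').shelljoin` (needs `shellwords`) would handle that. The same construction appears in SV-258147 and SV-258149 below.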
@@ -42,13 +42,13 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe command("grep @@ #{input('logging_conf_files').join(' ')}") do its('stdout') { should match(/^[^#]*:\*\.\*\s*@@[a-z.0-9]*:?[0-9]*?/) } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end diff --git a/controls/SV-258155.rb b/controls/SV-258155.rb index ea91e9f..2739ba9 100644 --- a/controls/SV-258155.rb +++ b/controls/SV-258155.rb @@ -53,7 +53,7 @@ # Fetch partition sizes in 1K blocks for consistency partition_info = command("df -B 1K #{audit_log_dir}").stdout.split("\n") - partition_sz_arr = partition_info.last.gsub(/\s+/m, ' ').strip.split(' ') + partition_sz_arr = partition_info.last.gsub(/\s+/m, ' ').strip.split # Get unused space percentage percentage_space_unused = (100 - partition_sz_arr[4].to_i) diff --git a/controls/SV-258156.rb b/controls/SV-258156.rb index 4560165..0d99ef3 100644 --- a/controls/SV-258156.rb +++ b/controls/SV-258156.rb @@ -29,13 +29,13 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe auditd_conf do its('space_left.to_i') { should cmp >= input('audit_storage_threshold') } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end diff --git a/controls/SV-258162.rb b/controls/SV-258162.rb index b48d49e..9b3f251 100644 --- a/controls/SV-258162.rb +++ b/controls/SV-258162.rb 
@@ -35,13 +35,13 @@ !virtualization.system.eql?('docker') } - if input('alternative_logging_method') != '' - describe 'manual check' do - skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' - end - else + if input('alternative_logging_method') == '' describe parse_config_file('/etc/audit/auditd.conf') do its('overflow_action') { should match(/syslog$|single$|halt$/i) } end + else + describe 'manual check' do + skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.' + end end end From 5513cdfdfe6e61bb7f11e6fc463e694b3f4708a7 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 11:15:17 -0400 Subject: [PATCH 06/21] fix GnuTLS syntax --- controls/SV-258230.rb | 10 +++++----- controls/SV-258238.rb | 5 +++-- inspec.yml | 10 +++++----- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/controls/SV-258230.rb b/controls/SV-258230.rb index f7184d9..51fce15 100644 --- a/controls/SV-258230.rb +++ b/controls/SV-258230.rb @@ -41,11 +41,11 @@ its('stdout.strip') { should match(/FIPS mode is enabled/) } end - grub_config = command('grub2-editenv - list').stdout - - describe parse_config(grub_config) do - its('kernelopts') { should match(/fips=1/) } - end + # Control does not include this. Good to have? Required? + # grub_config = command('grub2-editenv - list').stdout + # describe parse_config(grub_config) do + # its('kernelopts') { should match(/fips=1/) } + # end describe file('/proc/sys/crypto/fips_enabled') do its('content.strip') { should cmp '1' } diff --git a/controls/SV-258238.rb b/controls/SV-258238.rb index b493cee..712d7a1 100644 --- a/controls/SV-258238.rb +++ b/controls/SV-258238.rb 
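Review bot: Commenting out the `grub2-editenv - list` / `kernelopts` check removes the only assertion about the persistent boot configuration: `/proc/sys/crypto/fips_enabled` reflects how the running kernel was booted, so a host whose kernel command line has since lost `fips=1` still passes until its next reboot. Whether the STIG check text requires the bootloader inspection should be confirmed, but commented-out code carrying open questions (`Good to have? Required?`) should not be committed; either delete it or keep it active with a comment citing the requirement. If the command is unavailable on some targets, guard it with `only_if` or a file-existence check rather than disabling it.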
@@ -30,9 +30,10 @@ tag 'host' tag 'container' - gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase.strip.split(':') unapproved_versions = input('unapproved_ssl_tls_versions').map(&:upcase) - failing_versions = unapproved_versions - gnutls + gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase #.strip.split('=').map(&:strip) + + failing_versions = unapproved_versions.select { |version| gnutls.include?(version) } describe 'GnuTLS' do it 'should disable unapproved SSL/TLS versions' do diff --git a/inspec.yml b/inspec.yml index 9e03dea..3feb314 100644 --- a/inspec.yml +++ b/inspec.yml @@ -332,11 +332,11 @@ inputs: description: type: Array value: - - -VERS-DTLS0.9 - - -VERS-SSL3.0 - - -VERS-TLS1.0 - - -VERS-TLS1.1 - - -VERS-DTLS1.0 + - TLS0.9 + - SSL3.0 + - TLS1.0 + - TLS1.1 + - DTLS1.0 # SV-258054 - name: unsuccessful_attempts From b700e8b584fe094182266852857a1214a8d7d223 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 11:28:43 -0400 Subject: [PATCH 07/21] not always end of the end --- controls/SV-258242.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/controls/SV-258242.rb b/controls/SV-258242.rb index 636be7c..abbc889 100644 --- a/controls/SV-258242.rb +++ b/controls/SV-258242.rb @@ -48,8 +48,7 @@ end bind_grep = command('grep include /etc/named.conf').stdout.lines.map(&:strip) - - bind_conf = bind_grep.any? { |line| line.match?(%r{/etc/crypto-policies/back-ends/bind.config$}i) } + bind_conf = bind_grep.any? { |line| line.match?(%r{/etc/crypto-policies/back-ends/bind.config}i) } describe 'Bind config file' do it 'should include system-wide crypto policies' do From db7000793e977bc7e2db00b4a775623388cc39c7 Mon Sep 17 00:00:00 2001 
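Review bot: `gnutls.include?(version)` cannot tell `+VERS-TLS1.0` from `-VERS-TLS1.0`, so a policy that explicitly disables an old version is reported as failing while a policy that never mentions it (and may still allow it via `+VERS-ALL`) passes — the inverse of what the control wants; `TLS1.0` also matches inside `DTLS1.0`, and `TLS0.9` in the new `inspec.yml` list presumably stands for GnuTLS's `DTLS0.9` keyword and only "works" through that substring effect. Tokenise the priority string and require the explicit disable, as the previous `-VERS-*` input values did: `tokens = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase.split(/[:\s]+/)` then `failing_versions = unapproved_versions.reject { |v| tokens.include?("-VERS-#{v}") }`, with the inputs as bare names (`DTLS0.9`, `SSL3.0`, `TLS1.0`, `TLS1.1`, `DTLS1.0`). The leftover `#.strip.split('=').map(&:strip)` on the `gnutls =` line should go. The `describe` block continues past the hunk.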
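Review bot: `grep include /etc/named.conf` returns commented-out lines too, and the new pattern `%r{/etc/crypto-policies/back-ends/bind.config}i` has no anchor, so a disabled `// include "/etc/crypto-policies/back-ends/bind.config";` satisfies `bind_conf` and the control passes on a server that no longer applies the system-wide policy. Skip comment lines and anchor on the directive: `bind_conf = bind_grep.reject { |l| l.start_with?('//', '#', '/*') }.any? { |l| l.match?(%r{\A\s*include\s+"/etc/crypto-policies/back-ends/bind\.config"}i) }`. Dropping the `$` was right since the directive ends in `";`; escaping the `.` keeps the match exact.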
From: Jon Metzger Date: Thu, 29 Aug 2024 14:36:13 -0400 Subject: [PATCH 08/21] fix audit umount --- controls/SV-258180.rb | 25 +++++++++---------------- controls/SV-258215.rb | 23 +++++++++++++---------- controls/SV-258216.rb | 2 +- inspec.yml | 3 +-- 4 files changed, 24 insertions(+), 29 deletions(-) diff --git a/controls/SV-258180.rb b/controls/SV-258180.rb index 90ae978..11897a8 100644 --- a/controls/SV-258180.rb +++ b/controls/SV-258180.rb @@ -36,27 +36,20 @@ tag nist: ['AU-3 a', 'AU-12 a', 'AU-12 c', 'MA-4 (1) (a)'] tag 'host' - audit_syscalls = ['umount'] + audit_command = '/usr/bin/umount' only_if('This control is Not Applicable to containers', impact: 0.0) { !virtualization.system.eql?('docker') } - describe 'Syscall' do - audit_syscalls.each do |audit_syscall| - it "#{audit_syscall} is audited properly" do - audit_rule = auditd.syscall(audit_syscall) - expect(audit_rule).to exist - expect(audit_rule.action.uniq).to cmp 'always' - expect(audit_rule.list.uniq).to cmp 'exit' - if os.arch.match(/64/) - expect(audit_rule.arch.uniq).to include('b32', 'b64') - else - expect(audit_rule.arch.uniq).to cmp 'b32' - end - expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall]) - end + describe 'Command' do + it "#{audit_command} is audited properly" do + audit_rule = auditd.file(audit_command) + expect(audit_rule).to exist + expect(audit_rule.action.uniq).to cmp 'always' + expect(audit_rule.list.uniq).to cmp 'exit' + expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') + expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command]) end end end diff --git a/controls/SV-258215.rb b/controls/SV-258215.rb index ab1e3c6..64b670f 100644 --- a/controls/SV-258215.rb +++ b/controls/SV-258215.rb 
@@ -28,20 +28,23 @@ tag nist: ['AU-12 a', 'AU-3 a', 'AU-12 c', 'MA-4 (1) (a)'] tag 'host' - audit_command = '/usr/bin/umount' - only_if('This control is Not Applicable to containers', impact: 0.0) { !virtualization.system.eql?('docker') } - describe 'Command' do - it "#{audit_command} is audited properly" do - audit_rule = auditd.file(audit_command) - expect(audit_rule).to exist - expect(audit_rule.action.uniq).to cmp 'always' - expect(audit_rule.list.uniq).to cmp 'exit' - expect(audit_rule.fields.flatten).to include('perm=x', 'auid>=1000', 'auid!=-1') - expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_command]) + audit_syscalls = ['umount'] + + describe 'Syscall' do + audit_syscalls.each do |audit_syscall| + it "#{audit_syscall} is audited properly" do + audit_rule = auditd.syscall(audit_syscall) + expect(audit_rule).to exist + expect(audit_rule.action.uniq).to cmp 'always' + expect(audit_rule.list.uniq).to cmp 'exit' + expect(audit_rule.arch.uniq).to cmp 'b32' + expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1') + expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall]) + end end end end diff --git a/controls/SV-258216.rb b/controls/SV-258216.rb index 563d06b..009a02b 100644 --- a/controls/SV-258216.rb +++ b/controls/SV-258216.rb @@ -50,7 +50,7 @@ else expect(audit_rule.arch.uniq).to cmp 'b32' end - expect(audit_rule.fields.flatten).to include('uid!=euid', 'gid!=egid', 'euid=0', 'egid=0') + expect(audit_rule.fields.flatten).to include('auid>=1000', 'auid!=-1') expect(audit_rule.key.uniq).to include(input('audit_rule_keynames').merge(input('audit_rule_keynames_overrides'))[audit_syscall]) end end diff --git a/inspec.yml b/inspec.yml index 3feb314..c028896 100644 --- a/inspec.yml +++ b/inspec.yml 
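Review bot: In the SV-258216 hunk the field expectation changes from the `uid!=euid`/`gid!=egid`/`euid=0`/`egid=0` set to `auid>=1000`/`auid!=-1`, which describes a different audit rule (privilege-escalation fields versus real-user fields); the syscall list and control text are outside the hunk, so I cannot confirm which shape the STIG requires here, but the commit message (`fix audit umount`) does not explain this control's change. If the STIG rule for this control does carry the `uid!=euid`/`euid=0` fields, the old assertion was the right one; please verify against the check text and add a one-line comment naming the rule the fields come from. The `it` block continues outside the hunk.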
@@ -893,6 +893,7 @@ inputs: '/usr/bin/mount' : 'privileged-mount', '/usr/bin/umount' : 'privileged-mount', 'mount' : 'privileged-mount', + 'umount' : 'privileged-umount', '/usr/sbin/unix_update' : 'privileged-unix-update', '/usr/sbin/postdrop' : 'privileged-unix-update', '/usr/sbin/postqueue' : 'privileged-unix-update', @@ -940,9 +941,7 @@ inputs: '/usr/sbin/poweroff' : 'privileged-poweroff', '/usr/sbin/reboot' : 'privileged-reboot', '/usr/sbin/shutdown' : 'privileged-shutdown', - '/usr/bin/umount' : 'privileged-mount', 'umount2' : 'perm_mod', - '/var/log/faillock' : 'logins', '/var/log/tallylog' : 'logins' } From 62f93483d279b48f6c57b6ec6285f97be9ded607 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 15:07:00 -0400 Subject: [PATCH 09/21] fix file resource, simpler --- controls/SV-258116.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/SV-258116.rb b/controls/SV-258116.rb index 544c7d5..c204a9c 100644 --- a/controls/SV-258116.rb +++ b/controls/SV-258116.rb @@ -29,7 +29,7 @@ tag nist: ['IA-5 (1) (c)'] tag 'host', 'container' - describe parse_config_file('/etc/libuser.conf') do - its('crypt_style') { should match('sha512') } + describe file('/etc/libuser.conf') do + its('content') { should match(/^crypt_style\s*=\s*sha512/) } end end From 5842aa173cfbc39d01c3c18b417aa309c31b9ffa Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 15:13:39 -0400 Subject: [PATCH 10/21] cookstyle --- Rakefile | 2 +- controls/SV-258137.rb | 4 ++-- controls/SV-258238.rb | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Rakefile b/Rakefile index 139a368..14494ea 100755 --- a/Rakefile +++ b/Rakefile @@ -14,7 +14,7 @@ end begin RuboCop::RakeTask.new(:lint) do |task| - task.options += %w[--display-cop-names --no-color --parallel] + task.options += %w(--display-cop-names --no-color --parallel) end rescue LoadError puts 'rubocop is not available. Install the rubocop gem to run the lint tests.' 
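Review bot: The second inspec.yml hunk also drops the `'/var/log/faillock' : 'logins'` entry, which the commit message (`fix audit umount`) does not mention; if any control looks up that path for its audit key name, the lookup now returns nil and its key assertion will fail. If the removal is intentional, say so in the commit message or in a comment next to the remaining `'/var/log/tallylog' : 'logins'` entry; otherwise keep the line.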
diff --git a/controls/SV-258137.rb b/controls/SV-258137.rb index d4f56f0..8acf570 100644 --- a/controls/SV-258137.rb +++ b/controls/SV-258137.rb @@ -45,13 +45,13 @@ !virtualization.system.eql?('docker') } - audit_tools = %w[/usr/sbin/auditctl + audit_tools = %w(/usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/ausearch /usr/sbin/aureport /usr/sbin/autrace /usr/sbin/rsyslogd - /usr/sbin/augenrules] + /usr/sbin/augenrules) if package('aide').installed? audit_tools.each do |tool| diff --git a/controls/SV-258238.rb b/controls/SV-258238.rb index 712d7a1..33959b3 100644 --- a/controls/SV-258238.rb +++ b/controls/SV-258238.rb @@ -31,7 +31,7 @@ tag 'container' unapproved_versions = input('unapproved_ssl_tls_versions').map(&:upcase) - gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase #.strip.split('=').map(&:strip) + gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase # .strip.split('=').map(&:strip) failing_versions = unapproved_versions.select { |version| gnutls.include?(version) } From 2d49b22cddb6f52ce56bbfd0fca3a82609708f3d Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 15:42:07 -0400 Subject: [PATCH 11/21] fix rubocop --- Rakefile | 2 +- controls/SV-258137.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Rakefile b/Rakefile index 14494ea..139a368 100755 --- a/Rakefile +++ b/Rakefile @@ -14,7 +14,7 @@ end begin RuboCop::RakeTask.new(:lint) do |task| - task.options += %w(--display-cop-names --no-color --parallel) + task.options += %w[--display-cop-names --no-color --parallel] end rescue LoadError puts 'rubocop is not available. Install the rubocop gem to run the lint tests.' diff --git a/controls/SV-258137.rb b/controls/SV-258137.rb index 8acf570..d4f56f0 100644 --- a/controls/SV-258137.rb +++ b/controls/SV-258137.rb 
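Review bot: In the SV-258238 hunk, the trailing `# .strip.split('=').map(&:strip)` is a leftover fragment of a removed pipeline rather than a comment, and the cookstyle fix only adds a space to it; delete it so the line reads `gnutls = file('/etc/crypto-policies/back-ends/gnutls.config').content.upcase`. A reader otherwise has to work out whether the commented chain is still meant to run.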
@@ -45,13 +45,13 @@ !virtualization.system.eql?('docker') } - audit_tools = %w(/usr/sbin/auditctl + audit_tools = %w[/usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/ausearch /usr/sbin/aureport /usr/sbin/autrace /usr/sbin/rsyslogd - /usr/sbin/augenrules) + /usr/sbin/augenrules] if package('aide').installed? audit_tools.each do |tool| From 58d041c478bcca45f18c6e5fa5b148e2ece4bd55 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Thu, 29 Aug 2024 16:03:27 -0400 Subject: [PATCH 12/21] fix issues --- controls/SV-257787.rb | 2 +- controls/SV-257937.rb | 2 +- inspec.yml | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/controls/SV-257787.rb b/controls/SV-257787.rb index f010c58..f726384 100644 --- a/controls/SV-257787.rb +++ b/controls/SV-257787.rb @@ -64,7 +64,7 @@ end grub_envar = password_set.first.match(/\$\{(?\w+)\}/).captures.first - password_encrypted = file(grub_userfile).content.match(/#{grub_envar}=grub.pbkdf2/) + password_encrypted = file(grub_userfile).content.match?(/#{grub_envar}=grub.pbkdf2/) it "should be encrypted in the user config file (\'#{grub_userfile}\')" do expect(password_encrypted).to eq(true), "GRUB password environment variable not set to an encrypted value in \'#{grub_userfile}\'" end diff --git a/controls/SV-257937.rb b/controls/SV-257937.rb index 6925202..31be39e 100644 --- a/controls/SV-257937.rb +++ b/controls/SV-257937.rb @@ -64,7 +64,7 @@ its('zone') { should_not be_empty } end - failing_zones = firewalld.zone.reject { |fz| firewalld.zone(fz).target == 'DROP' } + failing_zones = firewalld.zone.select { |fz| firewalld.zone(fz).target == 'DROP' } describe 'All firewall zones' do it 'should be configured to drop all incoming network packets unless explicitly accepted' do diff --git a/inspec.yml b/inspec.yml index c028896..e795d0f 100644 --- a/inspec.yml +++ b/inspec.yml 
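Review bot: Changing `reject` to `select` in SV-257937 makes `failing_zones` the zones whose target *is* `DROP`, which inverts the control unless the expectation in the describe block (outside the hunk) was inverted as well; if the intent is to list zones that do not drop by default, keep `failing_zones = firewalld.zone.reject { |fz| firewalld.zone(fz).target == 'DROP' }`, and if the expectation was changed, rename the variable so it no longer says "failing". In the SV-257787 hunk the `match?` fix is right, but the context line `password_set.first.match(/.../).captures.first` raises `NoMethodError` when the pattern does not match; `password_set.first&.match(...)&.captures&.first` with a nil check would turn that into a finding rather than a crash. Both describe blocks continue outside their hunks.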
@@ -982,6 +982,9 @@ inputs: protocols: [] services: - ssh + # TODO: Do we need below? + - cockpit + - dhcpv6-client # SV-257991, SV-257990, SV-257989 - name: approved_openssh_server_conf From 5baf01916cc531c195a4c0e93460836db5d27c24 Mon Sep 17 00:00:00 2001 From: Jonathan Metzger <9845417+jrmetzger@users.noreply.github.com> Date: Thu, 29 Aug 2024 18:27:37 -0400 Subject: [PATCH 13/21] Apply suggestions from code review --- inspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec.yml b/inspec.yml index e795d0f..d22e1d0 100644 --- a/inspec.yml +++ b/inspec.yml @@ -332,7 +332,7 @@ inputs: description: type: Array value: - - TLS0.9 + - DTLS0.9 - SSL3.0 - TLS1.0 - TLS1.1 From 403bb6f527f6cf804d4e545840789ca3816cda34 Mon Sep 17 00:00:00 2001 From: Kaden Emley <104032811+kemley76@users.noreply.github.com> Date: Thu, 29 Aug 2024 15:09:41 -0400 Subject: [PATCH 14/21] Code consistency (#47) * replaced usage of "permissions" with "mode" when appropriate Signed-off-by: kemley76 * simplified SV-257926 Signed-off-by: kemley76 * standardized use of "exempt" vs "exemption" in various inputs * fix missed variable rename Signed-off-by: kemley76 * remove a debugging test Signed-off-by: kemley76 * standardize format to be exempt_ Signed-off-by: Kaden Emley --------- Signed-off-by: kemley76 Signed-off-by: Kaden Emley Co-authored-by: suhanimalhotra --- controls/SV-257843.rb | 2 +- controls/SV-257879.rb | 4 ++-- controls/SV-257883.rb | 6 +++--- controls/SV-257926.rb | 4 +--- controls/SV-257932.rb | 6 +++--- controls/SV-258044.rb | 2 +- controls/SV-258046.rb | 2 +- controls/SV-258072.rb | 2 +- controls/SV-258073.rb | 2 +- controls/SV-258074.rb | 4 ++-- controls/SV-258075.rb | 2 +- inspec.yml | 18 +++++++++--------- 12 files changed, 26 insertions(+), 28 deletions(-) diff --git a/controls/SV-257843.rb b/controls/SV-257843.rb index efef840..d8f2a15 100644 --- a/controls/SV-257843.rb +++ b/controls/SV-257843.rb 
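Review bot: Adding `cockpit` and `dhcpv6-client` to this services list widens the allowlist the firewall control presumably compares against, and the `# TODO: Do we need below?` leaves the decision open in a shipped default. Either settle the question before merge or replace the TODO with a comment stating why these services are accepted, e.g. `# cockpit and dhcpv6-client are enabled in the RHEL 9 public zone by default; remove if the site policy forbids them`.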
@@ -29,7 +29,7 @@ homes = users.where { uid >= 1000 && !shell.match(ignore_shells) }.homes root_device = etc_fstab.where { mount_point == '/' }.device_name - if input('separate_filesystem_exempt') + if input('exempt_separate_filesystem') impact 0.0 describe 'This system is not required to have separate filesystems for each mount point' do skip 'The system is managing filesystems and space via other mechanisms; this requirement is Not Applicable' diff --git a/controls/SV-257879.rb b/controls/SV-257879.rb index 72c1811..a47b285 100644 --- a/controls/SV-257879.rb +++ b/controls/SV-257879.rb @@ -45,9 +45,9 @@ def describe_and_skip(message) end # TODO: This should really have a resource - if input('data_at_rest_exempt') == true + if input('exempt_data_at_rest') == true impact 0.0 - describe_and_skip('Data At Rest Requirements have been set to Not Applicabe by the `data_at_rest_exempt` input.') + describe_and_skip('Data At Rest Requirements have been set to Not Applicabe by the `exempt_data_at_rest` input.') elsif all_args.empty? # TODO: Determine if this is an NA vs and NR or even a pass describe_and_skip('Command blkid did not return and non-psuedo block devices.') diff --git a/controls/SV-257883.rb b/controls/SV-257883.rb index 66ec86b..5313862 100644 --- a/controls/SV-257883.rb +++ b/controls/SV-257883.rb @@ -29,14 +29,14 @@ !virtualization.system.eql?('docker') } - permissions_for_libs = input('permissions_for_libs') + mode_for_libs = input('mode_for_libs') overly_permissive_libs = input('system_libraries').select { |lib| - file(lib).more_permissive_than?(permissions_for_libs) + file(lib).more_permissive_than?(mode_for_libs) } describe 'System libraries' do - it "should not have permissions set higher than #{permissions_for_libs}" do + it "should not have modes set higher than #{mode_for_libs}" do fail_msg = "Overly permissive system libraries:\n\t- #{overly_permissive_libs.join("\n\t- ")}" expect(overly_permissive_libs).to be_empty, fail_msg end 
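Review bot: The renamed skip message in SV-257879 still carries the typo `Applicabe`, and the guard compares a Boolean input with `== true`, which the style guide flags; write `if input('exempt_data_at_rest')` and `describe_and_skip('Data At Rest Requirements have been set to Not Applicable by the `exempt_data_at_rest` input.')`. The `if/elsif` chain continues outside the hunk.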
diff --git a/controls/SV-257926.rb b/controls/SV-257926.rb index d83cde9..9438341 100644 --- a/controls/SV-257926.rb +++ b/controls/SV-257926.rb @@ -31,9 +31,7 @@ tag nist: ['CM-6 b'] tag 'host', 'container' - crontabs = command('stat -c "%U %n" /etc/cron*').stdout.split("\n") - - failing_crontabs = crontabs.reject { |c| file(c.split[1]).owned_by?('root') } + failing_crontabs = command('find /etc/cron* ! -user root -print0').stdout.split("\0") describe 'Crontabs' do it 'should be owned by root' do diff --git a/controls/SV-257932.rb b/controls/SV-257932.rb index 33b0fc4..c4a7318 100644 --- a/controls/SV-257932.rb +++ b/controls/SV-257932.rb @@ -41,10 +41,10 @@ !virtualization.system.eql?('docker') } - exempt_device_files = input('exempt_device_files') + exempt_from_device_file_checks = input('exempt_from_device_file_checks') - device_labeled_files = command("find #{input('device_file_locations').join(' ')} -context *:device_t:* \( -type c -o -type b \) -printf \"%p\t%Z\n\"").stdout.split("\n") - exempt_device_files - unlabeled_files = command("find #{input('device_file_locations').join(' ')} -context *:unlabeled_t:* \( -type c -o -type b \) -printf \"%p\t%Z\n\"").stdout.split("\n") - exempt_device_files + device_labeled_files = command("find #{input('device_file_locations').join(' ')} -context *:device_t:* \( -type c -o -type b \) -printf \"%p\t%Z\n\"").stdout.split("\n") - exempt_from_device_file_checks + unlabeled_files = command("find #{input('device_file_locations').join(' ')} -context *:unlabeled_t:* \( -type c -o -type b \) -printf \"%p\t%Z\n\"").stdout.split("\n") - exempt_from_device_file_checks describe 'All device files' do it 'should not be incorrectly labeled as device_t' do diff --git a/controls/SV-258044.rb b/controls/SV-258044.rb index 5c434b7..92832c7 100644 --- a/controls/SV-258044.rb +++ b/controls/SV-258044.rb 
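Review bot: The new `find /etc/cron* ! -user root -print0` recurses into `/etc/cron.d`, `/etc/cron.daily` and the other directories, whereas the `stat -c "%U %n" /etc/cron*` it replaces only examined the top-level entries, so the control can now report files the STIG's stat-based check would not. That is arguably stricter, but it should be deliberate and documented: add `# NOTE: recurses into the cron directories, broader than the STIG's stat -c check` above the line, or add `-maxdepth 0` after `/etc/cron*` to match the original scope. The describe block continues outside the hunk.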
@@ -40,7 +40,7 @@ } exempt_home_users = input('exempt_home_users') - expected_mode = input('permissions_for_shells')['default_umask'] + expected_mode = input('modes_for_shells')['default_umask'] uid_min = login_defs.read_params['UID_MIN'].to_i uid_min = 1000 if uid_min.nil? diff --git a/controls/SV-258046.rb b/controls/SV-258046.rb index f603f2f..6b713fa 100644 --- a/controls/SV-258046.rb +++ b/controls/SV-258046.rb @@ -40,7 +40,7 @@ tag 'host', 'container' ignore_shells = input('non_interactive_shells').join('|') - non_interactive_shells = passwd.where { uid.to_i < 1000 && !shell.match(ignore_shells) }.users - input('interactive_system_account_exemptions') + non_interactive_shells = passwd.where { uid.to_i < 1000 && !shell.match(ignore_shells) }.users - input('exempt_interactive_system_accounts') describe 'Non-interactive system accounts' do it 'should have non-interactive shells' do diff --git a/controls/SV-258072.rb b/controls/SV-258072.rb index 3dc0603..e0144be 100644 --- a/controls/SV-258072.rb +++ b/controls/SV-258072.rb @@ -35,7 +35,7 @@ file = '/etc/bashrc' - expected_umask = input('permissions_for_shells')[:bashrc_umask] + expected_umask = input('modes_for_shells')[:bashrc_umask] umask_check = command("grep umask #{file}").stdout.strip.match(/^umask\s+(?\d+)$/) diff --git a/controls/SV-258073.rb b/controls/SV-258073.rb index 175523c..5037771 100644 --- a/controls/SV-258073.rb +++ b/controls/SV-258073.rb @@ -35,7 +35,7 @@ file = '/etc/csh.cshrc' - expected_umask = input('permissions_for_shells')[:cshrc_umask] + expected_umask = input('modes_for_shells')[:cshrc_umask] umask_check = command("grep umask #{file}").stdout.strip.match(/^umask\s+(?\d+)$/) diff --git a/controls/SV-258074.rb b/controls/SV-258074.rb index 75ab922..c5d0326 100644 --- a/controls/SV-258074.rb +++ b/controls/SV-258074.rb 
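Review bot: The renamed lookups are inconsistent about key type: SV-258044 and SV-258074 use string keys (`input('modes_for_shells')['default_umask']`) while SV-258072, SV-258073 and SV-258075 use symbol keys (`[:bashrc_umask]`, `[:cshrc_umask]`, `[:profile_umask]`). The inspec.yml hunk defines the Hash with plain YAML keys, so unless the Hash input provides indifferent access the symbol form returns nil and those umask checks compare against nothing; use string keys everywhere, e.g. `expected_umask = input('modes_for_shells')['bashrc_umask']`. The umask parsing continues outside the hunk.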
@@ -29,9 +29,9 @@ tag 'host' tag 'container' - permissions_for_shells = input('permissions_for_shells') + modes_for_shells = input('modes_for_shells') describe login_defs do - its('UMASK') { should cmp permissions_for_shells['default_umask'] } + its('UMASK') { should cmp modes_for_shells['default_umask'] } end end diff --git a/controls/SV-258075.rb b/controls/SV-258075.rb index 8c6fa89..4303ab5 100644 --- a/controls/SV-258075.rb +++ b/controls/SV-258075.rb @@ -34,7 +34,7 @@ file = '/etc/profile' - expected_umask = input('permissions_for_shells')[:profile_umask] + expected_umask = input('modes_for_shells')[:profile_umask] umask_check = command("grep umask #{file}").stdout.strip.match(/^umask\s+(?\d+)$/) diff --git a/inspec.yml b/inspec.yml index d22e1d0..6c69198 100644 --- a/inspec.yml +++ b/inspec.yml @@ -126,7 +126,7 @@ inputs: # SV-257889 TODO: fold this into expected_system_file_mode - name: initialization_file_mode - description: All initialization files (.bash_profile etc) should have permissions equal to or less than this octet + description: All initialization files (.bash_profile etc) should each have a mode equal to or less than this octet type: String value: '0740' @@ -203,7 +203,7 @@ inputs: value: 60 # SV-257843 - - name: separate_filesystem_exempt + - name: exempt_separate_filesystem description: "The system manages file system useage, LVM/XFS etc. or is managed by the service provider" type: Boolean value: false @@ -227,7 +227,7 @@ inputs: value: true # SV-257879 - - name: data_at_rest_exempt + - name: exempt_data_at_rest description: "'(boolean) Set to true if the system is exempt from using Data at Rest" type: Boolean value: false @@ -315,7 +315,7 @@ inputs: - "/bin/true" # SV-258046 - - name: interactive_system_account_exemptions + - name: exempt_interactive_system_accounts description: System accounts that are exempt from the non-interactive shell requirement type: Array value: 
@@ -597,8 +597,8 @@ inputs: value: "no" # SV-258072, SV-258073, SV-258044, SV-258074, SV-258075 - - name: permissions_for_shells - description: Define default permissions for logon and non-logon shells. + - name: modes_for_shells + description: Define default modes for logon and non-logon shells. type: Hash value: default_umask: "077" @@ -607,8 +607,8 @@ inputs: profile_umask: "077" # SV-257883 - - name: permissions_for_libs - description: Define default permissions for system libraries + - name: mode_for_libs + description: Define default mode for system libraries type: String value: "0755" @@ -967,7 +967,7 @@ inputs: - /dev # SV-257932 - - name: exempt_device_files + - name: exempt_from_device_file_checks description: Full filepaths of files that are exempt from device file checks if the target host is a virtual machine type: Array value: From e94ca039333caaad969210eb2b338e4dd59f1fe0 Mon Sep 17 00:00:00 2001 From: Will Date: Fri, 30 Aug 2024 14:31:34 -0400 Subject: [PATCH 15/21] hopefully fixing the openssh tests to use the right file for server and client Signed-off-by: Will --- controls/SV-257989.rb | 9 +++++++++ controls/SV-257990.rb | 20 +++++++++++++++----- controls/SV-257991.rb | 11 +++++++++-- inspec.yml | 11 ++++++++++- 4 files changed, 43 insertions(+), 8 deletions(-) diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb index cad87fd..b6c5cf6 100644 --- a/controls/SV-257989.rb +++ b/controls/SV-257989.rb 
@@ -33,6 +33,15 @@ tag 'host' tag 'container-conditional' + # NOTE: The STIG baseline for this requirement is concerned with the OpenSSH server, but asks for + # a check against the openssh.config file, which is used for the client. + # + # We assume that the requirements for OpenSSH *server* should be checking the + # values in the opensshserver.conf file (as opposed to openssh.conf for client), + # and these tests has been written accordingly. + # + # This means that test logic may not match the STIG check text at this time. + only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) { !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?) } diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb index 9c5035b..6005caf 100644 --- a/controls/SV-257990.rb +++ b/controls/SV-257990.rb 
@@ -33,20 +33,30 @@ tag 'host' tag 'container-conditional' + # NOTE: This requirement as written is mutually exclusive with SV-257991. + # + # The STIG baseline calls for two different values for the MACs option in the openssh.config file. + # + # We assume that the requirements for OpenSSH *server* should be checking the + # values in the opensshserver.conf file (as opposed to openssh.conf for client), + # and these tests has been written accordingly. + # + # This means that test logic may not match the STIG check text at this time. + only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) { !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?) } - approved_macs = input('approved_openssh_server_conf')['macs'] + approved_macs = input('approved_openssh_client_conf')['macs'] options = { assignment_regex: /^(\S+)\s+(\S+)$/ } - opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h + openssh_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h - actual_macs = opensshserver_conf['macs'].join(',') + actual_macs = openssh_conf['macs'].join(',') - describe 'OpenSSH server configuration' do + describe 'OpenSSH client configuration' do it 'implement approved MACs' do - expect(actual_macs).to eq(approved_macs), "OpenSSH server cipher configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}" + expect(actual_macs).to eq(approved_macs), "OpenSSH client cipher configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}" end end end diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb index 0e7fd4d..9b1cccc 100644 --- a/controls/SV-257991.rb +++ b/controls/SV-257991.rb 
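Review bot: The renamed failure message in SV-257990 still says `cipher configuration` although the assertion compares MACs; write `"OpenSSH client MAC configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}"`. `openssh_conf['macs'].join(',')` also raises `NoMethodError` instead of producing a finding when the file has no `MACs` line; `actual_macs = Array(openssh_conf['macs']).join(',')` keeps the comparison and fails cleanly, and the same applies to the `opensshserver_conf['macs']` line in the SV-257991 hunk of PATCH 20. The `it` description `implement approved MACs` would read better as `should implement approved MACs`.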
@@ -32,8 +32,15 @@ tag 'host' tag 'container-conditional' - # NOTE: At time of writing, the STIG baseline calls for two different values for the MACs option in the openssh.config file. - # SV-257990 calls for one set of MACs and SV-257991 calls for a mutually exclusive set. + # NOTE: This requirement as written is mutually exclusive with SV-257990. + # + # The STIG baseline calls for two different values for the MACs option in the openssh.config file. + # + # We assume that the requirements for OpenSSH *server* should be checking the + # values in the opensshserver.conf file (as opposed to openssh.conf for client), + # and these tests has been written accordingly. + # + # This means that test logic may not match the STIG check text at this time. only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) { !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?) diff --git a/inspec.yml b/inspec.yml index 6c69198..22e67e4 100644 --- a/inspec.yml +++ b/inspec.yml 
@@ -986,14 +986,23 @@ inputs: - cockpit - dhcpv6-client - # SV-257991, SV-257990, SV-257989 + # SV-257991, SV-257989 - name: approved_openssh_server_conf description: Config values expected for openssh server (order matters, so these values are comma-delimited strings and not arrays) type: Hash + value: + ciphers: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr + macs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 + + # SV-257990, SV-257989 + - name: approved_openssh_client_conf + description: Config values expected for openssh client (order matters, so these values are comma-delimited strings and not arrays) + type: Hash value: ciphers: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr macs: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512 + # SV-258100, SV-258099 - name: password_hash_rounds description: Number of rounds for hashing passwords From 33cb8fb83ea880331e7a0014e5fccfd9e7b0e6d4 Mon Sep 17 00:00:00 2001 From: Will Date: Fri, 30 Aug 2024 14:32:16 -0400 Subject: [PATCH 16/21] saving a few more edits to openssh tests Signed-off-by: Will --- controls/SV-257988.rb | 4 ++-- controls/SV-257991.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/SV-257988.rb b/controls/SV-257988.rb index 9c2d01d..c3b1508 100644 --- a/controls/SV-257988.rb +++ b/controls/SV-257988.rb 
@@ -46,12 +46,12 @@ sshd_grep = command('grep Include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*').stdout.lines.map(&:strip) star_dot_conf = sshd_grep.any? { |line| line.match?(%r{Include /etc/ssh/sshd_config.d/\*\.conf$}i) } - opensshserver_config = sshd_grep.any? { |line| line.match?(%r{Include /etc/crypto-policies/back-ends/opensshserver\.config$}i) } + opensshserver_config = sshd_grep.any? { |line| line.match?(%r{Include /etc/crypto-policies/back-ends/openssh\.config$}i) } describe 'SSHD config files' do it 'should include system-wide crypto policies' do expect(star_dot_conf).to eq(true), 'SSHD conf files do not include /etc/ssh/sshd_config.d/*.conf' - expect(opensshserver_config).to eq(true), 'SSHD conf files do not include /etc/crypto-policies/back-ends/opensshserver.config' + expect(opensshserver_config).to eq(true), 'SSHD conf files do not include /etc/crypto-policies/back-ends/openssh.config' end end end diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb index 9b1cccc..ef0b40b 100644 --- a/controls/SV-257991.rb +++ b/controls/SV-257991.rb @@ -38,7 +38,7 @@ # # We assume that the requirements for OpenSSH *server* should be checking the # values in the opensshserver.conf file (as opposed to openssh.conf for client), - # and these tests has been written accordingly. + # and these tests has been written accordingly. # # This means that test logic may not match the STIG check text at this time. From 2f3e44ce2c812a82102122cf7c603b25d01ccb7d Mon Sep 17 00:00:00 2001 From: Jonathan Metzger <9845417+jrmetzger@users.noreply.github.com> Date: Fri, 30 Aug 2024 14:40:32 -0400 Subject: [PATCH 17/21] Update controls/SV-258116.rb --- controls/SV-258116.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/SV-258116.rb b/controls/SV-258116.rb index c204a9c..3a02651 100644 --- a/controls/SV-258116.rb +++ b/controls/SV-258116.rb 
@@ -29,7 +29,7 @@ tag nist: ['IA-5 (1) (c)'] tag 'host', 'container' - describe file('/etc/libuser.conf') do - its('content') { should match(/^crypt_style\s*=\s*sha512/) } + describe parse_config_file('/etc/libuser.conf') do + its('defaults.crypt_style') { should cmp 'sha512' } end end From fc74529cd885a181f3d228f1436ffa27a4bb606e Mon Sep 17 00:00:00 2001 From: Jonathan Metzger <9845417+jrmetzger@users.noreply.github.com> Date: Fri, 30 Aug 2024 14:46:58 -0400 Subject: [PATCH 18/21] Update controls/SV-258230.rb --- controls/SV-258230.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/controls/SV-258230.rb b/controls/SV-258230.rb index 51fce15..cb16be0 100644 --- a/controls/SV-258230.rb +++ b/controls/SV-258230.rb @@ -42,10 +42,10 @@ end # Control does not include this. Good to have? Required? - # grub_config = command('grub2-editenv - list').stdout - # describe parse_config(grub_config) do - # its('kernelopts') { should match(/fips=1/) } - # end + grub_config = command('grub2-editenv - list').stdout + describe parse_config(grub_config) do + its('kernelopts') { should match(/fips=1/) } + end describe file('/proc/sys/crypto/fips_enabled') do its('content.strip') { should cmp '1' } From 88897404e00d7447abf1e13a75790d0cc951ce5e Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Fri, 30 Aug 2024 14:58:04 -0400 Subject: [PATCH 19/21] rubocop fix --- controls/SV-257989.rb | 2 +- controls/SV-257990.rb | 2 +- controls/SV-257991.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb index b6c5cf6..bbd72b1 100644 --- a/controls/SV-257989.rb +++ b/controls/SV-257989.rb 
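Review bot: The uncommented grubenv check in SV-258230 keeps the comment `# Control does not include this. Good to have? Required?` above now-live code, so the control is stricter than the STIG check without saying so; replace the question with a statement such as `# Extra check beyond the STIG text: fips=1 must also be present in the kernel options so FIPS survives a reboot`. On RHEL 9 kernel arguments are normally carried in the BLS entries rather than a `kernelopts` variable in grubenv, so `its('kernelopts')` may be nil and fail on compliant hosts; confirm on a target before merging, and consider `/proc/cmdline` as the persistent-argument source instead. The FIPS-enabled check continues outside the hunk.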
@@ -36,7 +36,7 @@ # NOTE: The STIG baseline for this requirement is concerned with the OpenSSH server, but asks for # a check against the openssh.config file, which is used for the client. # - # We assume that the requirements for OpenSSH *server* should be checking the + # We assume that the requirements for OpenSSH *server* should be checking the # values in the opensshserver.conf file (as opposed to openssh.conf for client), # and these tests has been written accordingly. # diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb index 6005caf..1f77878 100644 --- a/controls/SV-257990.rb +++ b/controls/SV-257990.rb @@ -37,7 +37,7 @@ # # The STIG baseline calls for two different values for the MACs option in the openssh.config file. # - # We assume that the requirements for OpenSSH *server* should be checking the + # We assume that the requirements for OpenSSH *server* should be checking the # values in the opensshserver.conf file (as opposed to openssh.conf for client), # and these tests has been written accordingly. # diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb index ef0b40b..6b6c518 100644 --- a/controls/SV-257991.rb +++ b/controls/SV-257991.rb @@ -36,7 +36,7 @@ # # The STIG baseline calls for two different values for the MACs option in the openssh.config file. # - # We assume that the requirements for OpenSSH *server* should be checking the + # We assume that the requirements for OpenSSH *server* should be checking the # values in the opensshserver.conf file (as opposed to openssh.conf for client), # and these tests has been written accordingly. # From 541c0c9c55d985c240b902e5fa91673105bd08a0 Mon Sep 17 00:00:00 2001 From: Jon Metzger Date: Tue, 3 Sep 2024 10:55:19 -0400 Subject: [PATCH 20/21] fix openssh --- controls/SV-257988.rb | 9 +++++---- controls/SV-257989.rb | 9 --------- controls/SV-257990.rb | 10 ---------- controls/SV-257991.rb | 8 ++++---- 4 files changed, 9 insertions(+), 27 deletions(-) 
diff --git a/controls/SV-257988.rb b/controls/SV-257988.rb index c3b1508..208b884 100644 --- a/controls/SV-257988.rb +++ b/controls/SV-257988.rb @@ -43,15 +43,16 @@ it { should exist } end - sshd_grep = command('grep Include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*').stdout.lines.map(&:strip) + # NOTE: -s to supress if no files + sshd_grep = command('grep -s Include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*').stdout.lines.map(&:strip) - star_dot_conf = sshd_grep.any? { |line| line.match?(%r{Include /etc/ssh/sshd_config.d/\*\.conf$}i) } - opensshserver_config = sshd_grep.any? { |line| line.match?(%r{Include /etc/crypto-policies/back-ends/openssh\.config$}i) } + star_dot_conf = sshd_grep.any? { |line| line.match?(%r{Include /etc/ssh/sshd_config.d/\*\.conf}i) } + opensshserver_config = sshd_grep.any? { |line| line.match?(%r{Include /etc/crypto-policies/back-ends/opensshserver\.config}i) } describe 'SSHD config files' do it 'should include system-wide crypto policies' do expect(star_dot_conf).to eq(true), 'SSHD conf files do not include /etc/ssh/sshd_config.d/*.conf' - expect(opensshserver_config).to eq(true), 'SSHD conf files do not include /etc/crypto-policies/back-ends/openssh.config' + expect(opensshserver_config).to eq(true), 'SSHD conf files do not include /etc/crypto-policies/back-ends/opensshserver.config' end end end diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb index bbd72b1..cad87fd 100644 --- a/controls/SV-257989.rb +++ b/controls/SV-257989.rb 
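Review bot: `grep -s Include` is case-sensitive while the regexes that filter its output carry the `i` flag and sshd treats keywords case-insensitively, so a lowercase `include` line is never seen; use `command('grep -si include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*')`. Because the grep also returns commented-out lines, anchor the patterns at the start: `%r{\AInclude\s+/etc/crypto-policies/back-ends/opensshserver\.config}i` and likewise for the `sshd_config.d/*.conf` line. The comment has a typo, `supress` → `suppress`.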
@@ -33,15 +33,6 @@ tag 'host' tag 'container-conditional' - # NOTE: The STIG baseline for this requirement is concerned with the OpenSSH server, but asks for - # a check against the openssh.config file, which is used for the client. - # - # We assume that the requirements for OpenSSH *server* should be checking the - # values in the opensshserver.conf file (as opposed to openssh.conf for client), - # and these tests has been written accordingly. - # - # This means that test logic may not match the STIG check text at this time. - only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) { !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?) } diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb index 1f77878..533f116 100644 --- a/controls/SV-257990.rb +++ b/controls/SV-257990.rb @@ -33,16 +33,6 @@ tag 'host' tag 'container-conditional' - # NOTE: This requirement as written is mutually exclusive with SV-257991. - # - # The STIG baseline calls for two different values for the MACs option in the openssh.config file. - # - # We assume that the requirements for OpenSSH *server* should be checking the - # values in the opensshserver.conf file (as opposed to openssh.conf for client), - # and these tests has been written accordingly. - # - # This means that test logic may not match the STIG check text at this time. - only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) { !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?) } diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb index 6b6c518..0593463 100644 --- a/controls/SV-257991.rb +++ b/controls/SV-257991.rb 
@@ -9,11 +9,11 @@ RHEL 9 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file.'
desc 'check', 'Verify SSH client is configured to use only ciphers employing FIPS 140-3 approved algorithms with the following command:
-$ sudo grep -i macs /etc/crypto-policies/back-ends/openssh.config
+$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.conf
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
-If the MACs entries in the "openssh.config" file have any hashes other than "hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512", the order differs from the example above, they are missing, or commented out, this is a finding.'
- desc 'fix', 'Configure the RHEL 9 SSH client to use only MACs employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/openssh.config" file with the following line:
+If the MACs entries in the "opensshserver.conf" file have any hashes other than "hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512", the order differs from the example above, they are missing, or commented out, this is a finding.'
+ desc 'fix', 'Configure the RHEL 9 SSH client to use only MACs employing FIPS 140-3 approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.conf" file with the following line:
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
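Review bot: The new check and fix text refer to `/etc/crypto-policies/back-ends/opensshserver.conf`, but the sentence retained just above in this hunk points at `/etc/crypto-policies/back-ends/opensshserver.config`, and the control's code parses `opensshserver.config`, so a reader following the check would grep a file that does not exist on the system. Change the three new occurrences to `opensshserver.config`, e.g. `$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config`. The updated text also still opens with "Verify SSH client" and lists `hmac-sha1` and `umac-128` entries in its example while the next sentence says anything beyond the four hmac-sha2 entries is a finding; if that wording is inherited from the STIG, a one-line comment near the `desc` saying the profile deliberately checks the server-side file would replace the explanatory NOTE that this same patch removes from SV-257989 and SV-257990. The `desc` strings belong to a `control` block that starts before this hunk.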
@@ -49,7 +49,7 @@
approved_macs = input('approved_openssh_server_conf')['macs']
options = { assignment_regex: /^(\S+)\s+(\S+)$/ }
- opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
+ opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
actual_macs = opensshserver_conf['macs'].join(',')
From 72c8d60fd3fe47aa66af4bbb5a7b6f08611c6d51 Mon Sep 17 00:00:00 2001
From: Jon Metzger
Date: Tue, 3 Sep 2024 12:06:25 -0400
Subject: [PATCH 21/21] gpg check fix
---
 inspec.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/inspec.yml b/inspec.yml
index 22e67e4..ae33274 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -746,7 +746,7 @@ inputs:
- name: mail_package
description: Command that is used to send email messages
type: String
- value: mailx
+ value: s-nail
# SV-257819
- name: rpm_gpg_file
@@ -760,7 +760,7 @@ inputs:
type: Hash
value:
"release key 2": "567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51"
- "auxiliary key": "6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792"
+ "auxiliary key": "7E46 2425 8C40 6535 D56D 6F13 5054 E4A4 5A63 40B3"
# SV-258068, SV-258077
- name: stop_idle_session_sec
@@ -992,7 +992,7 @@ inputs:
type: Hash
value:
ciphers: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
- macs: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+ macs: hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
# SV-257990, SV-257989
- name: approved_openssh_client_conf
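Review bot: The path fix on the `opensshserver_conf = parse_config_file(...)` line is correct, but the following line `actual_macs = opensshserver_conf['macs'].join(',')` raises `NoMethodError` on `nil` when the file has no `MACs` entry or is absent, so the control errors out instead of reporting a finding. A guard such as `actual_macs = (opensshserver_conf['macs'] || []).join(',')` — or a preceding `describe file('/etc/crypto-policies/back-ends/opensshserver.config') do it { should exist } end` — produces a readable failure instead. The `assignment_regex` `/^(\S+)\s+(\S+)$/` also silently drops any line whose value contains whitespace; that looks intended for the single-token `MACs` value but deserves a short comment, e.g. `# one 'Keyword value' pair per line; values containing spaces are ignored on purpose`. The comparison that consumes `actual_macs` and `approved_macs` lies outside the hunk.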
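Review bot: The replaced `"auxiliary key"` fingerprint is a trust anchor for RPM signature checking, yet the hunk gives no provenance beyond the commit title, so a reviewer cannot tell from the diff which of Red Hat's published auxiliary keys the new value is or confirm it. I'd put a comment above the hash naming the source, e.g. `# Fingerprints must match Red Hat's published product signing keys; verify against that page before changing`, and, if the new value is a different numbered auxiliary key rather than a correction of a mistyped one, name it in the key (`"auxiliary key N"`). If hosts built from earlier media may still have the previous auxiliary key imported, the control that consumes this input may need to accept either fingerprint; whether it does is outside this diff.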
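Review bot: The new `macs:` value for `approved_openssh_server_conf` drops the `hmac-sha1` entries, but the SV-257991 check text updated earlier in this series still lists `hmac-sha1-etm@openssh.com` and `hmac-sha1` in its expected `MACs` line, so the documented and tested expectations now disagree. Since SV-257991 appears to compare the joined list against `actual_macs`, ordering and completeness must match the `MACs` line the active crypto policy writes to `/etc/crypto-policies/back-ends/opensshserver.config`; I'd state that beside the value: `# SV-257991: must equal the MACs line of opensshserver.config under the policy in force (FIPS); order is significant`. If the comparison is an exact string match, a host on the DEFAULT policy will fail for ordering rather than for a weak MAC, which the control's failure message should make clear.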
