Create new rules for ANSSI R39

controls/anssi.yml

@@ -567,7 +567,15 @@ controls:
   - id: R39
     level: intermediary
     title: Temporary directories dedicated to accounts
-    # rules: TBD
+    description: >-
+      Each user or service account must have its own temporary directory
+      and dispose of it exclusively.
+    rules:
+    - enable_pam_namespace
+    - accounts_polyinstantiated_tmp
+    - accounts_polyinstantiated_var_tmp
+    - var_polyinstantiation_enabled=on
+    - sebool_polyinstantiation_enabled
 
   - id: R40
     level: intermediary

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/ansible/shared.yml

@@ -0,0 +1,12 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_lineinfile(
+  msg="Make changes to /etc/pam.d/login",
+  path="/etc/pam.d/login",
+  regex="^\s*session\s+required\s+pam_namespace.so\s*$",
+  new_line="session    required     pam_namespace.so"
+) }}}

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/bash/shared.sh

@@ -0,0 +1,4 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then
+    echo "session    required     pam_namespace.so" >> "/etc/pam.d/login"
+fi

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/oval/shared.xml

@@ -0,0 +1,20 @@
+<def-group>
+  <definition class="compliance" id="enable_pam_namespace" version="1">
+    {{{ oval_metadata("Check presence of pam_namespace.so module in the /etc/pam.d/login file") }}}
+    <criteria operator="AND" comment="Check that /etc/pam.d/login contains a line with certain text">
+      <criterion comment="Check that /etc/pam.d/login contains a line with certain text" test_ref="test_enable_pam_namespace" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all"
+    comment="tests the presence of pam_namespace.so module in the /etc/pam.d/login file"
+    id="test_enable_pam_namespace" version="1">
+  <ind:object object_ref="obj_enable_pam_namespace" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_enable_pam_namespace" version="1">
+    <ind:filepath>/etc/pam.d/login</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*session\s+required\s+pam_namespace\.so\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/rule.yml

@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8
+
+title: Set Up a Private Namespace in PAM Configuration
+
+description: |-
+  To setup a private namespace add the following line to <tt>/etc/pam.d/login</tt>:
+  <pre>session    required     pam_namespace.so</pre>
+
+
+rationale: |-
+  The pam_namespace PAM module sets up a private namespace for a
+  session with polyinstantiated directories. A polyinstantiated directory
+  provides a different instance of itself based on user name, or when using
+  SELinux, user name, security context or both. The polyinstatied directories
+  can be used to dedicate separate temporary directories to each account.
+
+severity: low
+
+identifiers:
+  cce@rhel7: CCE-83743-5
+  cce@rhel8: CCE-83744-3
+
+references:
+  anssi: BP28(R39)
+
+ocil_clause: |-
+    pam_namespace.so is not required or is commented out
+
+ocil: |-
+  To check if pam_namespace.so is required for user login, run the following command:
+  <pre>$ grep pam_namespace.so /etc/pam.d/login</pre>
+  The output should return the following uncommented:
+  <pre>session    required     pam_namespace.so</pre>
+
+platform: pam

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/tests/commented.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+
+if grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then
+    sed -i -E 's/^\s*session\s+required\s+pam_namespace.so\s*$/# session    required     pam_namespace.so/' /etc/pam.d/login
+else
+    echo "# session    required     pam_namespace.so" >> "/etc/pam.d/login"
+fi
+

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/tests/correct.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then
+    echo "session    required     pam_namespace.so" >> "/etc/pam.d/login"
+fi

linux_os/guide/system/accounts/accounts-pam/enable_pam_namespace/tests/missing_line.fail.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i -E '/^\s*session\s+required\s+pam_namespace.so\s*$/d' /etc/pam.d/login

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/ansible/shared.yml

@@ -0,0 +1,21 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Create /tmp/tmp-inst directory
+  file:
+    path: /tmp/tmp-inst
+    state: directory
+    mode: '000'
+    seuser: system_u
+    serole: object_r
+    setype: tmp_t
+
+{{{ ansible_lineinfile(
+  msg="Make changes to /etc/security/namespace.conf",
+  path="/etc/security/namespace.conf",
+  regex="^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$",
+  new_line="/tmp     /tmp/tmp-inst/        level      root,adm"
+) }}}

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/bash/shared.sh

@@ -0,0 +1,13 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+if ! [ -d /tmp/tmp-inst ] ; then
+    mkdir --mode 000 /tmp/tmp-inst
+fi
+chmod 000 /tmp/tmp-inst
+chcon --reference=/tmp /tmp/tmp-inst
+
+if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
+    if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then
+        sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf
+    fi
+    echo "/tmp     /tmp/tmp-inst/        level      root,adm" >> /etc/security/namespace.conf
+fi

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/oval/shared.xml

@@ -0,0 +1,44 @@
+<def-group>
+  <definition class="compliance" id="accounts_polyinstantiated_tmp" version="1">
+    {{{ oval_metadata("") }}}
+    <criteria operator="AND" comment="Check Polyinstantiation of /tmp Directories">
+      <criterion comment="Check that /tmp/tmp-inst exists and has mode 000" test_ref="test_tmp_inst" />
+      <criterion comment="Check configuration of /tmp in /etc/security/namespace.conf file" test_ref="test_tmp_in_namespace_conf" />
+    </criteria>
+  </definition>
+
+  <unix:file_test comment="Check that /tmp/tmp-inst exists and has mode 000" check="all" check_existence="only_one_exists" id="test_tmp_inst" version="1">
+    <unix:object object_ref="obj_tmp_inst" />
+    <unix:state state_ref="state_tmp_inst" />
+  </unix:file_test>
+
+  <unix:file_object id="obj_tmp_inst" version="1">
+    <unix:path>/tmp/tmp-inst</unix:path>
+    <unix:filename xsi:nil="true" />
+  </unix:file_object>
+
+  <unix:file_state id="state_tmp_inst" version="1">
+    <unix:type>directory</unix:type>
+    <unix:uread datatype="boolean">false</unix:uread>
+    <unix:uwrite datatype="boolean">false</unix:uwrite>
+    <unix:uexec datatype="boolean">false</unix:uexec>
+    <unix:gread datatype="boolean">false</unix:gread>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
+    <unix:gexec datatype="boolean">false</unix:gexec>
+    <unix:oread datatype="boolean">false</unix:oread>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
+  </unix:file_state>
+
+  <ind:textfilecontent54_test check="all"
+    comment="Check configuration of /tmp in /etc/security/namespace.conf file"
+    id="test_tmp_in_namespace_conf" version="1">
+  <ind:object object_ref="obj_tmp_in_namespace_conf" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_tmp_in_namespace_conf" version="1">
+    <ind:filepath>/etc/security/namespace.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true # switch to true when rule is ready to be enabled
+
+title: Configure Polyinstantiation of /tmp Directories
+
+description: |-
+  To configure polyinstantiated /tmp directories, first create the parent directories
+  which will hold the polyinstantiation child directories. Use the following command:
+  <pre>$ sudo mkdir --mode 000 /tmp/tmp-inst</pre>
+  Then, add the following entry to <tt>/etc/security/namespace.conf</tt>:
+  <pre>/tmp     /tmp/tmp-inst/            level      root,adm</pre>
+
+rationale: |- 
+  Polyinstantiation of temporary directories is a proactive security measure
+  which reduces chances of attacks that are made possible by /tmp
+  directories being world-writable.
+
+severity: low
+
+identifiers:
+  cce@rhel7: CCE-83731-0
+  cce@rhel8: CCE-83732-8
+
+references:
+  anssi: BP28(R39)
+
+ocil_clause: is not configured
+
+ocil: |-
+  Run the following command to ensure that <tt>/tmp</tt> is configured as a
+  polyinstantiated directory:
+  <pre>$ sudo grep /tmp /etc/security/namespace.conf</pre>
+  The output should return the following:
+  <pre>/tmp     /tmp/tmp-inst/            level      root,adm</pre>

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/tests/correct.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /tmp/tmp-inst
+mkdir --mode 000 /tmp/tmp-inst
+echo "/tmp     /tmp/tmp-inst/        level      root,adm" >> /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/tests/directory_doesnt_exist.fail.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+rm -rf /tmp/tmp-inst
+echo "/tmp     /tmp/tmp-inst/        level      root,adm" >> /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/tests/line_not_there.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /tmp/tmp-inst
+mkdir --mode 000 /tmp/tmp-inst
+sed -i "/^\s*\/tmp\s*/d" /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_tmp/tests/wrong_mode.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /tmp/tmp-inst
+mkdir --mode 600 /tmp/tmp-inst
+echo "/tmp     /tmp/tmp-inst/        level      root,adm" >> /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/ansible/shared.yml

@@ -0,0 +1,21 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Create /var/tmp/tmp-inst directory
+  file:
+    path: /var/tmp/tmp-inst
+    state: directory
+    mode: '000'
+    seuser: system_u
+    serole: object_r
+    setype: tmp_t
+
+{{{ ansible_lineinfile(
+  msg="Make changes to /etc/security/namespace.conf",
+  path="/etc/security/namespace.conf",
+  regex="^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$",
+  new_line="/var/tmp /var/tmp/tmp-inst/    level      root,adm"
+) }}}

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/bash/shared.sh

@@ -0,0 +1,13 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
+if ! [ -d /tmp-inst ] ; then
+    mkdir --mode 000 /var/tmp/tmp-inst
+fi
+chmod 000 /var/tmp/tmp-inst
+chcon --reference=/var/tmp/ /var/tmp/tmp-inst
+
+if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
+    if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then
+        sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf
+    fi
+    echo "/var/tmp /var/tmp/tmp-inst/    level      root,adm" >> /etc/security/namespace.conf
+fi

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/oval/shared.xml

@@ -0,0 +1,44 @@
+<def-group>
+  <definition class="compliance" id="accounts_polyinstantiated_var_tmp" version="1">
+    {{{ oval_metadata("") }}}
+    <criteria operator="AND" comment="Check Polyinstantiation of /tmp Directories">
+      <criterion comment="Check that /var/tmp/tmp-inst exists and has mode 000" test_ref="test_var_tmp_tmp_inst" />
+      <criterion comment="Check configuration of /var/tmp in /etc/security/namespace.conf file" test_ref="test_var_tmp_in_namespace_conf" />
+    </criteria>
+  </definition>
+
+  <unix:file_test comment="Check that /tmp-inst exists and has mode 000" check="all" check_existence="only_one_exists" id="test_var_tmp_tmp_inst" version="1">
+    <unix:object object_ref="obj_var_tmp_tmp_inst" />
+    <unix:state state_ref="state_var_tmp_tmp_inst" />
+  </unix:file_test>
+
+  <unix:file_object id="obj_var_tmp_tmp_inst" version="1">
+    <unix:path>/var/tmp/tmp-inst</unix:path>
+    <unix:filename xsi:nil="true" />
+  </unix:file_object>
+
+  <unix:file_state id="state_var_tmp_tmp_inst" version="1">
+    <unix:type>directory</unix:type>
+    <unix:uread datatype="boolean">false</unix:uread>
+    <unix:uwrite datatype="boolean">false</unix:uwrite>
+    <unix:uexec datatype="boolean">false</unix:uexec>
+    <unix:gread datatype="boolean">false</unix:gread>
+    <unix:gwrite datatype="boolean">false</unix:gwrite>
+    <unix:gexec datatype="boolean">false</unix:gexec>
+    <unix:oread datatype="boolean">false</unix:oread>
+    <unix:owrite datatype="boolean">false</unix:owrite>
+    <unix:oexec datatype="boolean">false</unix:oexec>
+  </unix:file_state>
+
+  <ind:textfilecontent54_test check="all"
+    comment="Check configuration of /tmp in /etc/security/namespace.conf file"
+    id="test_var_tmp_in_namespace_conf" version="1">
+  <ind:object object_ref="obj_var_tmp_in_namespace_conf" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_var_tmp_in_namespace_conf" version="1">
+    <ind:filepath>/etc/security/namespace.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: Configure Polyinstantiation of /var/tmp Directories
+
+description: |-
+  To configure polyinstantiated /tmp directories, first create the parent directories
+  which will hold the polyinstantiation child directories. Use the following command:
+  <pre>$ sudo mkdir --mode 000 /var/tmp/tmp-inst</pre>
+  Then, add the following entry to <tt>/etc/security/namespace.conf</tt>:
+  <pre>/var/tmp /var/tmp/tmp-inst/    level      root,adm</pre>
+
+rationale: |- 
+  Polyinstantiation of temporary directories is a proactive security measure
+  which reduces chances of attacks that are made possible by /var/tmp
+  directories being world-writable.
+
+severity: low
+
+identifiers:
+  cce@rhel7: CCE-83777-3
+  cce@rhel8: CCE-83778-1
+
+references:
+  anssi: BP28(R39)
+
+ocil_clause: is not configured
+
+ocil: |-
+  Run the following command to ensure that <tt>/var/tmp</tt> is configured as a
+  polyinstantiated directory:
+  <pre>$ sudo grep /var/tmp /etc/security/namespace.conf</pre>
+  The output should return the following:
+  <pre>/var/tmp /var/tmp/tmp-inst/    level      root,adm</pre>

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/tests/correct.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /var/tmp/tmp-inst
+mkdir --mode 000 /var/tmp/tmp-inst
+echo "/var/tmp /var/tmp/tmp-inst/    level      root,adm" >> /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/tests/directory_doesnt_exist.fail.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+rm -rf /var/tmp/tmp-inst
+echo "/var/tmp /var/tmp/tmp-inst/    level      root,adm" >> /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/tests/line_not_there.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /var/tmp/tmp-inst
+mkdir --mode 000 /var/tmp/tmp-inst
+sed -i "/^\s*\/var\/tmp\s*/d" /etc/security/namespace.conf

linux_os/guide/system/accounts/accounts-session/accounts_polyinstantiated_var_tmp/tests/wrong_mode.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+rm -rf /var/tmp/tmp-inst
+mkdir --mode 600 /var/tmp/tmp-inst
+echo "/var/tmp /var/tmp/tmp-inst/    level      root,adm" >> /etc/security/namespace.conf

linux_os/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled/rule.yml

@@ -15,6 +15,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-82305-4
+    cce@rhel8: CCE-84230-2
 
 {{{ complete_ocil_entry_sebool_disabled(sebool="polyinstantiation_enabled") }}}