
fix enable_fips_mode remediations #7936

Merged

Conversation

vojtapolasek
Collaborator

Description:

  • modify Bash and Ansible remediations of enable_fips_mode
  • apart from running fips-mode-setup --enable, it now also applies the cryptopolicy configured in the profile.

Rationale:

  • the previous implementation only used the fips-mode-setup utility to enable the FIPS mode. However, this utility always configures the "fips" cryptopolicy, while some profiles (such as OSPP) use a policy based on "fips": "fips:ospp". This policy is based on "fips"; it is even stricter. But due to the hardcoded configuration of the "fips" policy done by fips-mode-setup, the remediation always resulted in an error.
  • This implementation should not cause problems even if the profile for some reason tries to use FIPS mode and at the same time tries to use a policy not based on fips. In that case, the check test_system_crypto_policy_value will always make the rule fail.
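The pass/fail logic the rationale describes (FIPS mode on, and the configured crypto policy equal to the profile's value, which itself must be FIPS-based), as an added offline check that is not part of this pull request or the ComplianceAsCode project. File paths are parameters so it runs against constructed sample files rather than the live /proc and /etc locations; the case-insensitive name comparison is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example, not project code: mirrors what the fixed enable_fips_mode rule
# expects. Paths are parameters so the check can run on constructed files.

# Return 0 when a policy name is FIPS-based: exactly "FIPS" or a subpolicy
# such as "FIPS:OSPP". Case-insensitive by assumption of this example.
is_fips_based_policy() {
    local policy
    policy=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$policy" in
        FIPS|FIPS:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the policy name recorded in a crypto-policies config file: the first
# token of the first line that is neither blank nor a '#' comment.
configured_policy() {
    local config="$1"
    [ -r "$config" ] || return 1
    sed -n -E 's/^[[:space:]]*([^#[:space:]]+).*$/\1/p' "$config" | head -n 1
}

# Full check. Arguments:
#   $1  kernel FIPS flag file   (live system: /proc/sys/crypto/fips_enabled)
#   $2  crypto-policies config  (live system: /etc/crypto-policies/config)
#   $3  policy the profile expects (the var_system_crypto_policy value)
# Returns 0 on pass; otherwise prints the reason to stderr and returns 1.
check_fips_mode() {
    local flag_file="$1" config="$2" expected="$3" actual

    # Caveat from the PR text: a profile that enables FIPS mode but selects a
    # policy not based on FIPS can never pass, because fips-mode-setup leaves
    # the system on a FIPS policy and the policy-value check then always fails.
    if ! is_fips_based_policy "$expected"; then
        echo "profile inconsistency: '$expected' is not a FIPS-based policy" >&2
        return 1
    fi

    if [ "$(cat "$flag_file" 2>/dev/null)" != "1" ]; then
        echo "FIPS mode is not enabled (kernel flag is not 1)" >&2
        return 1
    fi

    actual=$(configured_policy "$config") || actual=""
    if [ "$(printf '%s' "$actual" | tr '[:lower:]' '[:upper:]')" != \
         "$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "crypto policy is '${actual:-<none>}', profile expects '$expected'" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed sample files (not a real system).
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/fips_enabled"

# State after 'fips-mode-setup --enable' alone: policy "FIPS". An OSPP-style
# profile expecting FIPS:OSPP fails the policy-value check (the bug fixed here).
printf 'FIPS\n' > "$demo_dir/config"
check_fips_mode "$demo_dir/fips_enabled" "$demo_dir/config" "FIPS:OSPP" \
    || echo "FAIL: old remediation result"

# State after the fixed remediation also ran 'update-crypto-policies --set'.
printf '# constructed sample\nFIPS:OSPP\n' > "$demo_dir/config"
check_fips_mode "$demo_dir/fips_enabled" "$demo_dir/config" "FIPS:OSPP" \
    && echo "PASS: fixed remediation result"

rm -rf "$demo_dir"
```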

@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. Update Rule Issues or pull requests related to Rules updates. labels Nov 30, 2021
@vojtapolasek vojtapolasek added this to the 0.1.60 milestone Nov 30, 2021
@vojtapolasek
Collaborator Author

I am aware that I used copy-paste. We can consider a macro.

@github-actions

github-actions bot commented Nov 30, 2021

This datastream diff is auto-generated by the check Compare DS/Generate Diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs:
--- old datastream
+++ new datastream
@@ -2,5 +2,9 @@
 fips-mode-setup --check
 The output should contain the following:
 FIPS mode is enabled.
+To verify that the cryptographic policy has been configured correctly, run the
+following command:
+$ update-crypto-policies --show
+The output should return .
 Is it the case that FIPS mode is not enabled?
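Review bot: `The output should return .` has nothing after "return", so the rendered OCIL gives the reader no value to compare the `update-crypto-policies --show` output against; the var_system_crypto_policy placeholder appears unexpanded here (the same empty value shows up as `var_system_crypto_policy=''` in the bash remediation). Please confirm the built datastream substitutes the profile's policy name into this sentence, and consider wording it as "The output should return <policy name>." so the expected value is unambiguous.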
 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,25 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
+var_system_crypto_policy=''
+
+
 fips-mode-setup --enable
+
+stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+
+ false # end with an error code
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false # end with an error code
+fi
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
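Review bot: the exit status of `fips-mode-setup --enable` is never checked before `update-crypto-policies --set` runs, so if enabling FIPS mode fails the script still changes the crypto policy and, when that succeeds, finishes with a zero exit status. Consider capturing its return code the same way the block already does for `update-crypto-policies` (`rc=$?` followed by `false # end with an error code`) and stopping there on failure.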

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,9 @@
+- name: XCCDF Value var_system_crypto_policy # promote to variable
+ set_fact:
+ var_system_crypto_policy: !!str 
+ tags:
+ - always
+
 - name: Check to see the current status of FIPS mode
 command: /usr/bin/fips-mode-setup --check
 register: is_fips_enabled
@@ -39,3 +45,45 @@
 - medium_disruption
 - reboot_required
 - restrict_strategy
+
+- name: Enable FIPS Mode
+ lineinfile:
+ path: /etc/crypto-policies/config
+ regexp: ^(?!#)(\S+)$
+ line: '{{ var_system_crypto_policy }}'
+ create: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80942-6
+ - DISA-STIG-RHEL-08-010020
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-7
+ - NIST-800-53-SC-12
+ - NIST-800-53-SC-12(2)
+ - NIST-800-53-SC-12(3)
+ - NIST-800-53-SC-13
+ - enable_fips_mode
+ - high_severity
+ - medium_complexity
+ - medium_disruption
+ - reboot_required
+ - restrict_strategy
+
+- name: Verify that Crypto Policy is Set (runtime)
+ command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80942-6
+ - DISA-STIG-RHEL-08-010020
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-7
+ - NIST-800-53-SC-12
+ - NIST-800-53-SC-12(2)
+ - NIST-800-53-SC-12(3)
+ - NIST-800-53-SC-13
+ - enable_fips_mode
+ - high_severity
+ - medium_complexity
+ - medium_disruption
+ - reboot_required
+ - restrict_strategy
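Review bot: the two task names do not describe what the tasks do: `Enable FIPS Mode` writes the policy name into /etc/crypto-policies/config with `lineinfile`, and `Verify that Crypto Policy is Set (runtime)` runs `update-crypto-policies --set`, which changes state rather than verifying it. Since `--set` itself rewrites /etc/crypto-policies/config, the `lineinfile` task duplicates work the command does anyway, and the `command` task has no `changed_when`, so every run reports a change. Suggest one task named for the policy change, with a `changed_when` based on a prior `update-crypto-policies --show`, to match the bash remediation that only runs `--set`.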

OVAL definition file for rule 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date' has changed from 'security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' to 'security-data-oval-com.redhat.rhsa-RHEL8.xml'.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -19,7 +19,7 @@
 option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
 if [[ -z $option ]]; then
 # option is not set, append to module
- sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/" $pamFile
+ sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/"
 else
 # option is set, replace value
 sed -r -i --follow-symlinks "s/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\1remember=$var_password_pam_remember\3/" $pamFile
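Review bot: the `+` line drops `$pamFile` from `sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/"`, so in the branch where `remember=` is not yet set sed has no input file and fails (in-place editing needs a file), leaving the option unappended; the `else` branch two lines below still passes `$pamFile`, which suggests the removal is unintentional. This hunk is unrelated to enable_fips_mode, but it should not ship as shown.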

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -19,7 +19,7 @@
 option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
 if [[ -z $option ]]; then
 # option is not set, append to module
- sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/" $pamFile
+ sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/"
 else
 # option is set, replace value
 sed -r -i --follow-symlinks "s/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\1remember=$var_password_pam_remember\3/" $pamFile
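Review bot: same defect as in the password_auth variant above: the `+` line removes `$pamFile` from the `sed -i --follow-symlinks` call that appends `remember=`, so the command has no file to edit and the option is never added, while the `else` branch keeps `$pamFile`. Restore the trailing `$pamFile` on that line.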

OVAL definition oval:ssg-accounts_passwords_pam_faillock_deny:def:1 differs:
--- old datastream
+++ new datastream
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1
+ criteria OR
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,5 @@
 To ensure the failed password attempt policy is configured correctly, run the following command:
-
-$ grep deny /etc/security/faillock.conf
+$ grep pam_faillock /etc/pam.d/system-auth
 The output should show deny=.
- Is it the case that limiting the number of failed logon attempts for users is not configured?
+ Is it the case that that is not the case?
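Review bot: `Is it the case that that is not the case?` is a tautology and should restate the condition being checked, as the removed line did (`Is it the case that limiting the number of failed logon attempts for users is not configured?`). `The output should show deny=.` is also missing the value after `=`, so the expected deny limit is not visible to the reader.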
 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -4,35 +4,7 @@
 var_accounts_passwords_pam_faillock_deny=''
 
 
-SYSTEM_AUTH="/etc/pam.d/system-auth"
-PASSWORD_AUTH="/etc/pam.d/password-auth"
-FAILLOCK_CONF="/etc/security/faillock.conf"
-
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
- echo "Skipping remediation because there are more pam_unix.so entries than expected."
- false
-fi
-
-if [ -f $FAILLOCK_CONF ]; then
- if $(grep -q '^\s*deny\s*=' $FAILLOCK_CONF); then
- sed -i --follow-symlinks "s/^\s*\(deny\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_deny/g" $FAILLOCK_CONF
- else
- echo "deny = $var_accounts_passwords_pam_faillock_deny" >> $FAILLOCK_CONF
- fi
- # If the faillock.conf file is present, but for any reason, like an OS upgrade, the
- # pam_faillock.so parameters are still defined in pam files, this makes them compatible with
- # the newer versions of authselect tool and ensure the parameters are only in faillock.conf.
- sed -i --follow-symlinks 's/\(pam_faillock.so preauth\).*$/\1 silent/g' $SYSTEM_AUTH $PASSWORD_AUTH
- sed -i --follow-symlinks 's/\(pam_faillock.so authfail\).*$/\1/g' $SYSTEM_AUTH $PASSWORD_AUTH
- authselect enable-feature with-faillock
-else
- if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --update
- else
- authselect enable-feature with-faillock
- fi
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 
 for pam_file in "${AUTH_FILES[@]}"
 do
@@ -70,7 +42,6 @@
 sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file"
 fi
 done
-fi
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
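Review bot: the new script edits system-auth and password-auth with sed unconditionally; the removed `if [ -f $FAILLOCK_CONF ]` branch handled hosts where the deny value belongs in /etc/security/faillock.conf, and the removed comment explains why that matters (newer authselect expects the parameters only in faillock.conf). The removed guard that skipped remediation when more than one `auth.*pam_unix.so` entry exists is also gone, so the later `sed ... /i` inserts run once per matching line. Consider keeping the faillock.conf branch and the entry-count guard, with the removed `[ ... > 1 ]` tests fixed to use `-gt`.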

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -21,10 +21,21 @@
 tags:
 - always
 
-- name: Check if system relies on authconfig
- ansible.builtin.stat:
- path: /usr/sbin/authconfig
- register: result_authconfig_check
+- name: Add auth pam_faillock preauth deny before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: required
+ new_module_path: pam_faillock.so
+ module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny
+ }}
+ state: before
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80667-9
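Review bot: `module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny` continues on the next line with `}}`; as a plain YAML scalar the line break folds to a space, so the Jinja expression still parses, but the split is fragile and inconsistent with the later authfail task that keeps `deny={{ ... }}` on one line. Also note the `state: before` match requires pam_unix.so with `control: sufficient`; if the stack uses a different control for pam_unix.so the task adds nothing and only the `args_present` task below would run against a line that does not exist.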
@@ -41,10 +52,18 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Check the presence of /etc/security/faillock.conf file
- ansible.builtin.stat:
- path: /etc/security/faillock.conf
- register: result_faillock_conf_check
+- name: Add deny argument to auth pam_faillock preauth
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: required
+ module_path: pam_faillock.so
+ module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny
+ }}
+ state: args_present
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80667-9
@@ -61,38 +80,20 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so deny parameter in /etc/security/faillock.conf
- ansible.builtin.lineinfile:
- path: /etc/security/faillock.conf
- regexp: ^\s*deny\s*=
- line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
- state: present
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- tags:
- - CCE-80667-9
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020010
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_faillock_deny
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Check if pam_faillock.so is already enabled
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so.*
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_enabled
+- name: Add auth pam_faillock authfail deny after pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: '[default=die]'
+ new_module_path: pam_faillock.so
+ module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
+ state: after
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80667-9
@@ -109,20 +110,19 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so preauth parameters are not present in the pam files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so preauth).*$
- line: \1 silent
- state: present
+- name: Add deny argument to auth pam_faillock authfail
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ new_type: auth
+ control: '[default=die]'
+ module_path: pam_faillock.so
+ module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }}
+ state: args_present
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80667-9
 - CJIS-5.5.3
@@ -138,21 +138,20 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so authfail parameters are not present in the pam
- files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so authfail).*$
- line: \1
- state: present
+- name: Add account pam_faillock before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: account
+ control: required
+ module_path: pam_unix.so
+ new_type: account
+ new_control: required
+ new_module_path: pam_faillock.so
+ state: before
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80667-9
 - CJIS-5.5.3
@@ -167,103 +166,3 @@
 - medium_severity
 - no_reboot_needed
 - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authconfig tool
- ansible.builtin.command:
- cmd: authconfig --enablefaillock --update
- when:
- - '"pam" in ansible_facts.packages'
- - result_authconfig_check.stat.exists
- tags:
- - CCE-80667-9
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020010
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_faillock_deny
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authselect
- ansible.builtin.command:
- cmd: authselect enable-feature with-faillock
- register: result_pam_authselect_cmd
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - not result_pam_faillock_enabled.found
- tags:
- - CCE-80667-9
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020010
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_faillock_deny
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the pam_faillock.so preauth deny parameter in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-5]+(.*)
- line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- tags:
- - CCE-80667-9
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020010
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_faillock_deny
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the pam_faillock.so authfail deny parameter in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-5]+(.*)
- line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- tags:
- - CCE-80667-9
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020010
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_faillock_deny
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
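Review bot: dropping the `Ensure pam_faillock.so is properly enabled using authselect` task (and its authconfig counterpart) leaves the `pamd` edits above as the only way pam_faillock gets into the stack; the removed `when` conditions keyed on `result_faillock_conf_check.stat.exists` and `result_pam_faillock_enabled.found` were what distinguished authselect-managed hosts from hand-edited PAM files, and no replacement condition appears in this diff. Please confirm the new tasks are intended to run on both kinds of host.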

OVAL definition oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1 differs:
--- old datastream
+++ new datastream
- criteria AND
- criteria AND
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1
- criteria OR
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1
+ criteria None
+ criterion oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1
+ criterion oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1
+ criterion oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1
+ criterion oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,6 @@
 To ensure that even the root account is locked after a defined number of failed password
 attempts, run the following command:
-
-$ grep even_deny_root /etc/security/faillock.conf
+$ grep even_deny_root /etc/pam.d/system-auth
 The output should show even_deny_root.
- Is it the case that limiting the number of failed logon attempts for the root user is not configured?
+ Is it the case that that is not the case?
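Review bot: `Is it the case that that is not the case?` is the same tautological question text as in the pam_faillock_deny OCIL; keep the removed wording (`Is it the case that limiting the number of failed logon attempts for the root user is not configured?`). The check also now greps only /etc/pam.d/system-auth, so a system carrying `even_deny_root` in /etc/security/faillock.conf (the location the old text checked) reads as failing.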
 
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -1,38 +1,49 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-SYSTEM_AUTH="/etc/pam.d/system-auth"
-PASSWORD_AUTH="/etc/pam.d/password-auth"
-FAILLOCK_CONF="/etc/security/faillock.conf"
+AUTH_FILES[0]="/etc/pam.d/system-auth"
+AUTH_FILES[1]="/etc/pam.d/password-auth"
 
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
- echo "Skipping remediation because there are more pam_unix.so entries than expected."
- false
-fi
+# This script fixes absence of pam_faillock.so in PAM stack or the
+# absense of even_deny_root in pam_faillock.so arguments
+# When inserting auth pam_faillock.so entries,
+# the entry with preauth argument will be added before pam_unix.so module
+# and entry with authfail argument will be added before pam_deny.so module.
 
-if [ -f $FAILLOCK_CONF ]; then
- if [ ! $(grep -q '^\s*even_deny_root' $FAILLOCK_CONF) ]; then
- echo "even_deny_root" >> $FAILLOCK_CONF
- fi
- # If the faillock.conf file is present, but for any reason, like an OS upgrade, the
- # pam_faillock.so parameters are still defined in pam files, this makes them compatible with
- # the newer versions of authselect tool and ensure the parameters are only in faillock.conf.
- sed -i --follow-symlinks 's/\(pam_faillock.so preauth\).*$/\1 silent/g' $SYSTEM_AUTH $PASSWORD_AUTH
- sed -i --follow-symlinks 's/\(pam_faillock.so authfail\).*$/\1/g' $SYSTEM_AUTH $PASSWORD_AUTH
- authselect enable-feature with-faillock
-else
- if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --update
- else
- authselect enable-feature with-faillock
- fi
- for file in $SYSTEM_AUTH $PASSWORD_AUTH; do
- if ! grep -q "^auth.*pam_faillock.so \(preauth silent\|authfail\).*even_deny_root" $file; then
- sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\).*\)$/\1 even_deny_root/g' $file
+# The placement of pam_faillock.so entries will not be changed
+# if they are already present
+
+for pamFile in "${AUTH_FILES[@]}"
+do
+ # if PAM file is missing, system is not using PAM or broken
+ if [ ! -f $pamFile ]; then
+ continue
+ fi
+
+ # is 'auth required' here?
+ if grep -q "^auth.*required.*pam_faillock.so.*" $pamFile; then
+ # has 'auth required' even_deny_root option?
+ if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" $pamFile; then
+ # even_deny_root is not present
+ sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" $pamFile
 fi
- done
-fi
+ else
+ # no 'auth required', add it
+ sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent even_deny_root" $pamFile
+ fi
+
+ # is 'auth [default=die]' here?
+ if grep -q "^auth.*\[default=die\].*pam_faillock.so.*" $pamFile; then
+ # has 'auth [default=die]' even_deny_root option?
+ if ! grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" $pamFile; then
+ # even_deny_root is not present
+ sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" $pamFile
+ fi
+ else
+ # no 'auth [default=die]', add it
+ sed -i --follow-symlinks "/^auth.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail silent even_deny_root" $pamFile
+ fi
+done
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
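Review bot: the header comment says the authfail entry "will be added before pam_deny.so module", but the sed at the end of the hunk appends it after pam_unix.so (`/^auth.*pam_unix.so.*/a auth [default=die] ...`); align the comment with the code or vice versa. Because both the `/i` and `/a` commands act on every `^auth.*pam_unix.so` line and the removed "more pam_unix.so entries than expected" guard is gone, a file with two such lines gets two insertions. The inserted authfail line also carries `silent`, which the `[default=die]` grep two lines above does not require, and `absense` should read `absence`.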

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -14,10 +14,20 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Check if system relies on authconfig
- ansible.builtin.stat:
- path: /usr/sbin/authconfig
- register: result_authconfig_check
+- name: Add auth pam_faillock preauth even_deny_root before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: required
+ new_module_path: pam_faillock.so
+ module_arguments: preauth silent even_deny_root
+ state: before
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80668-7
@@ -32,10 +42,17 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Check the presence of /etc/security/faillock.conf file
- ansible.builtin.stat:
- path: /etc/security/faillock.conf
- register: result_faillock_conf_check
+- name: Add even_deny_root argument to auth pam_faillock preauth
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: required
+ module_path: pam_faillock.so
+ module_arguments: preauth silent even_deny_root
+ state: args_present
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80668-7
@@ -50,36 +67,20 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf
- ansible.builtin.lineinfile:
- path: /etc/security/faillock.conf
- regexp: ^\s*even_deny_root
- line: even_deny_root
- state: present
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- tags:
- - CCE-80668-7
- - DISA-STIG-RHEL-08-020022
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-5(c)
- - accounts_passwords_pam_faillock_deny_root
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Check if pam_faillock.so is already enabled
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so.*
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_enabled
+- name: Add auth pam_faillock authfail even_deny_root after pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: '[default=die]'
+ new_module_path: pam_faillock.so
+ module_arguments: authfail even_deny_root
+ state: after
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80668-7
@@ -94,20 +95,18 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so preauth parameters are not present in the pam files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so preauth).*$
- line: \1 silent
- state: present
+- name: Add even_deny_root argument to auth pam_faillock authfail
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: '[default=die]'
+ module_path: pam_faillock.so
+ module_arguments: authfail even_deny_root
+ state: args_present
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80668-7
 - DISA-STIG-RHEL-08-020022
@@ -121,21 +120,20 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so authfail parameters are not present in the pam
- files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so authfail).*$
- line: \1
- state: present
+- name: Add account pam_faillock before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: account
+ control: required
+ module_path: pam_unix.so
+ new_type: account
+ new_control: required
+ new_module_path: pam_faillock.so
+ state: before
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80668-7
 - DISA-STIG-RHEL-08-020022
@@ -148,122 +146,3 @@
 - medium_severity
 - no_reboot_needed
 - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authconfig tool
- ansible.builtin.command:
- cmd: authconfig --enablefaillock --update
- when:
- - '"pam" in ansible_facts.packages'
- - result_authconfig_check.stat.exists
- tags:
- - CCE-80668-7
- - DISA-STIG-RHEL-08-020022
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-5(c)
- - accounts_passwords_pam_faillock_deny_root
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authselect tool
- ansible.builtin.command:
- cmd: authselect enable-feature with-faillock
- register: result_pam_authselect_cmd
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - not result_pam_faillock_enabled.found
- tags:
- - CCE-80668-7
- - DISA-STIG-RHEL-08-020022
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-5(c)
- - accounts_passwords_pam_faillock_deny_root
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Check if pam_faillock.so even_deny_root parameter is already enabled in pam
- files
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*even_deny_root
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_even_deny_root
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- tags:
- - CCE-80668-7
- - DISA-STIG-RHEL-08-020022
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-5(c)
- - accounts_passwords_pam_faillock_deny_root
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the pam_faillock.so preauth even_deny_root parameter in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
- line: \1required\3 even_deny_root
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- - result_pam_faillock_even_deny_root.found == 0
- tags:
- - CCE-80668-7
- - DISA-STIG-RHEL-08-020022
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-5(c)
- - accounts_passwords_pam_faillock_deny_root
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the pam_faillock.so authfail even_deny_root parameter in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
- line: \1required\3 even_deny_root
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- - result_pam_faillock_even_deny_root.found == 0
- tags:
- - CCE-80668-7
- - DISA-STIG-RHEL-08-020022
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IA-5(c)
- - accounts_passwords_pam_faillock_deny_root
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy

OVAL definition oval:ssg-accounts_passwords_pam_faillock_enforce_local:def:1 differs:
--- old datastream
+++ new datastream
- criteria AND
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_system_pam_unix_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_password_pam_unix_auth:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_system_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_system_pam_faillock_account:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_password_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_password_pam_faillock_account:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local_parameter_faillock_conf:tst:1
+ extend_definition oval:ssg-accounts_password_pam_faillock:def:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_enforce_local:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
-To check if only local user are impacted by pam_faillock, run the following command:
+To check if root user is required to use complex passwords, run the following command:
 $ grep local_users_only /etc/security/faillock.conf
-The output should return local_users_only not commented.
+The output should return local_users_only uncommented.
 Is it the case that local_users_only is not uncommented or configured correctly?
 
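Review bot: the replacement OCIL wording `+To check if root user is required to use complex passwords, run the following command:` describes a different rule. The command that follows, `$ grep local_users_only /etc/security/faillock.conf`, checks whether pam_faillock is restricted to local accounts, so the lead sentence should say that (for example "To check if pam_faillock is limited to local users only, run the following command:"); as written, the auditor is asked about password complexity while being shown a faillock command. The old sentence only needed its plural fixed ("local users are impacted").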
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -1,20 +1,20 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q pam; then
 
-SYSTEM_AUTH="/etc/pam.d/system-auth"
-PASSWORD_AUTH="/etc/pam.d/password-auth"
-FAILLOCK_CONF="/etc/security/faillock.conf"
+if [ -e "/etc/security/faillock.conf" ] ; then
+ 
+ LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/faillock.conf"
+else
+ touch "/etc/security/faillock.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/security/faillock.conf"
 
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
- echo "Skipping remediation because there are more pam_unix.so entries than expected."
- false
-fi
-
-if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]; then
- echo "local_users_only" >> $FAILLOCK_CONF
-fi
-authselect enable-feature with-faillock
+cp "/etc/security/faillock.conf" "/etc/security/faillock.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "local_users_only" >> "/etc/security/faillock.conf"
+# Clean up after ourselves.
+rm "/etc/security/faillock.conf.bak"
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
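Review bot: the new remediation no longer runs `authselect enable-feature with-faillock` (removed at `-authselect enable-feature with-faillock`), so on a host where pam_faillock is not yet in the PAM stack, adding `local_users_only` to /etc/security/faillock.conf changes nothing; either keep the enable-feature step or document in the rule that this remediation depends on another rule putting pam_faillock into the stack. Separately, the `cp "/etc/security/faillock.conf" "/etc/security/faillock.conf.bak"` / `rm "/etc/security/faillock.conf.bak"` pair around the `printf` is a no-op, since the backup is never consulted; drop it. The `[ -e ... ]`/`touch` handling and the `sed -i -e '$a\'` newline fix are an improvement over the removed `[ $(grep -c ...) > 1 ]` guard, where `>` inside `[ ]` is a redirection rather than a comparison.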

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -11,10 +11,10 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so local_users_only parameter in /etc/security/faillock.conf
- ansible.builtin.lineinfile:
+- name: Enforce pam_faillock for Local Accounts Only
+ lineinfile:
 path: /etc/security/faillock.conf
- regexp: ^\s*local_users_only
+ create: true
 line: local_users_only
 state: present
 when: '"pam" in ansible_facts.packages'
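Review bot: the new task uses the short module name `+ lineinfile:` while every other task in this datastream uses the fully qualified `ansible.builtin.lineinfile:`; keep the FQCN for consistency and for ansible-lint. Dropping `regexp: ^\s*local_users_only` in favour of `create: true` stays idempotent because `line: local_users_only` with `state: present` is matched literally, but a pre-existing commented `# local_users_only` line is now left in place and a new line appended rather than being rewritten; harmless, but worth knowing when reading the resulting file.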
@@ -27,39 +27,3 @@
 - medium_severity
 - no_reboot_needed
 - restrict_strategy
-
-- name: Check if pam_faillock.so is already enabled
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so.*
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_enabled
- when: '"pam" in ansible_facts.packages'
- tags:
- - CCE-83401-0
- - NIST-800-53-AC-2(1)
- - accounts_passwords_pam_faillock_enforce_local
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authselect tool
- ansible.builtin.command:
- cmd: authselect enable-feature with-faillock
- register: result_pam_authselect_cmd
- when:
- - '"pam" in ansible_facts.packages'
- - not result_pam_faillock_enabled.found
- tags:
- - CCE-83401-0
- - NIST-800-53-AC-2(1)
- - accounts_passwords_pam_faillock_enforce_local
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
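Review bot: this hunk removes the `Check if pam_faillock.so is already enabled` and `authselect enable-feature with-faillock` tasks, leaving the Ansible remediation with only the faillock.conf edit. As with the Bash remediation, the setting has no effect unless pam_faillock is already in the PAM stack. If the intent is that the other `accounts_passwords_pam_faillock_*` rules now manage the stack through the `pamd` module, this rule should either include equivalent tasks or state the dependency in its description.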

OVAL definition oval:ssg-accounts_passwords_pam_faillock_interval:def:1 differs:
--- old datastream
+++ new datastream
- criteria AND
- criteria AND
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1
- criteria OR
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1
+ criteria None
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1
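Review bot: the new definition drops every `*_faillock_conf` criterion, so `fail_interval` is now read only from /etc/pam.d/system-auth and /etc/pam.d/password-auth. On authselect-managed systems where the interval is configured in /etc/security/faillock.conf (the case the removed `criteria OR` branch covered), a correctly configured host will now fail the check. Also, the rendered `criteria None` entries do not show the operator, so it is not possible to tell from this diff whether the six criteria are ANDed; please confirm in the OVAL source.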
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -1,6 +1,8 @@
-To ensure the failed password attempt policy is configured correctly, run the following command:
-
-$ grep fail_interval /etc/security/faillock.conf
-The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater.
+To ensure the failed password attempt policy is configured correctly,
+run the following command:
+$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
+For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater.
+If the fail_interval parameter is not set, the default setting
+of 900 seconds is acceptable.
 Is it the case that fail_interval is less than the required value?
 
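Review bot: the new text says `If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable`, but the OVAL change in this same diff adds `criterion oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1`, which appears to require the parameter to be present on the pam_faillock line; the manual and automated checks should agree on whether an absent parameter passes. Also, `where interval-in-seconds is or greater` is missing the variable value in both the old and the new text; the OCIL template should interpolate `var_accounts_passwords_pam_faillock_fail_interval` there.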
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -4,35 +4,7 @@
 var_accounts_passwords_pam_faillock_fail_interval=''
 
 
-SYSTEM_AUTH="/etc/pam.d/system-auth"
-PASSWORD_AUTH="/etc/pam.d/password-auth"
-FAILLOCK_CONF="/etc/security/faillock.conf"
-
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
- echo "Skipping remediation because there are more pam_unix.so entries than expected."
- false
-fi
-
-if [ -f $FAILLOCK_CONF ]; then
- if $(grep -q '^\s*fail_interval\s*=' $FAILLOCK_CONF); then
- sed -i --follow-symlinks "s/^\s*\(fail_interval\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_fail_interval/g" $FAILLOCK_CONF
- else
- echo "fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" >> $FAILLOCK_CONF
- fi
- # If the faillock.conf file is present, but for any reason, like an OS upgrade, the
- # pam_faillock.so parameters are still defined in pam files, this makes them compatible with
- # the newer versions of authselect tool and ensure the parameters are only in faillock.conf.
- sed -i --follow-symlinks 's/\(pam_faillock.so preauth\).*$/\1 silent/g' $SYSTEM_AUTH $PASSWORD_AUTH
- sed -i --follow-symlinks 's/\(pam_faillock.so authfail\).*$/\1/g' $SYSTEM_AUTH $PASSWORD_AUTH
- authselect enable-feature with-faillock
-else
- if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --update
- else
- authselect enable-feature with-faillock
- fi
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 
 for pam_file in "${AUTH_FILES[@]}"
 do
@@ -70,7 +42,6 @@
 sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file"
 fi
 done
-fi
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'
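Review bot: the new remediation edits /etc/pam.d/system-auth and /etc/pam.d/password-auth directly with `sed -i --follow-symlinks` and drops both the `authselect enable-feature with-faillock` and the `authconfig --enablefaillock --update` paths. On an authselect-managed host those files are generated from the selected profile; direct edits make `authselect check` report the configuration as modified and are overwritten on the next `authselect select` or `apply-changes`. Consider keeping an authselect branch (or a custom profile) when `/usr/bin/authselect` is present and falling back to sed only otherwise. The removed guard `[ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ]` was itself broken, since `>` inside `[ ]` is a redirection that creates a file named `1` and never compares counts, so its removal is not a loss.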

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -18,10 +18,21 @@
 tags:
 - always
 
-- name: Check if system relies on authconfig
- ansible.builtin.stat:
- path: /usr/sbin/authconfig
- register: result_authconfig_check
+- name: Add auth pam_faillock preauth fail_interval before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: required
+ new_module_path: pam_faillock.so
+ module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
+ }}
+ state: before
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80669-5
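Review bot: `+ pamd:` is used unqualified here and in the following tasks, while the rest of the datastream uses `ansible.builtin.*`; `pamd` lives in the `community.general` collection, so it should be `community.general.pamd` and the generated playbook should declare that collection as a requirement, otherwise module resolution fails on controllers without it installed. The same direct-edit concern as in the Bash remediation applies: inserting rules into /etc/pam.d/system-auth with `state: before` bypasses authselect, and `authselect check` will flag the files as modified.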
@@ -35,10 +46,18 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Check the presence of /etc/security/faillock.conf file
- ansible.builtin.stat:
- path: /etc/security/faillock.conf
- register: result_faillock_conf_check
+- name: Add fail_interval argument to auth pam_faillock preauth
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: required
+ module_path: pam_faillock.so
+ module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
+ }}
+ state: args_present
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80669-5
@@ -52,35 +71,21 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so fail_interval parameter in /etc/security/faillock.conf
- ansible.builtin.lineinfile:
- path: /etc/security/faillock.conf
- regexp: ^\s*fail_interval\s*=
- line: fail_interval = {{ var_accounts_passwords_pam_faillock_fail_interval }}
- state: present
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Check if pam_faillock.so is already enabled
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so.*
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_enabled
+- name: Add auth pam_faillock aufthfail fail_interval after pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: '[default=die]'
+ new_module_path: pam_faillock.so
+ module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
+ }}
+ state: after
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80669-5
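Review bot: typo in the task name `+- name: Add auth pam_faillock aufthfail fail_interval after pam_unix.so`; it should read `authfail`. The `module_arguments: authfail fail_interval=...` value is correct, so this only affects play output, but it is a user-visible string.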
@@ -94,20 +99,19 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so preauth parameters are not present in the pam files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so preauth).*$
- line: \1 silent
- state: present
+- name: Add fail_interval argument to auth pam_faillock authfail
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: '[default=die]'
+ module_path: pam_faillock.so
+ module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
+ }}
+ state: args_present
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80669-5
 - DISA-STIG-RHEL-08-020012
@@ -120,21 +124,20 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so authfail parameters are not present in the pam
- files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so authfail).*$
- line: \1
- state: present
+- name: Add account pam_faillock before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: account
+ control: required
+ module_path: pam_unix.so
+ new_type: account
+ new_control: required
+ new_module_path: pam_faillock.so
+ state: before
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80669-5
 - DISA-STIG-RHEL-08-020012
@@ -146,175 +149,3 @@
 - medium_severity
 - no_reboot_needed
 - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authconfig tool
- ansible.builtin.command:
- cmd: authconfig --enablefaillock --update
- when:
- - '"pam" in ansible_facts.packages'
- - result_authconfig_check.stat.exists
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authselect
- ansible.builtin.command:
- cmd: authselect enable-feature with-faillock
- register: result_pam_authselect_cmd
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - not result_pam_faillock_enabled.found
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Check if pam_faillock.so fail_interval parameter is already enabled in pam
- files
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so (preauth|authfail).*fail_interval
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_fail_interval
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the desired value for pam_faillock.so preauth fail_interval parameter
- in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(fail_interval)=[0-5]+(.*)
- line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- - result_pam_faillock_fail_interval.found > 0
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the desired value for pam_faillock.so authfail fail_interval parameter
- in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(fail_interval)=[0-5]+(.*)
- line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- - result_pam_faillock_fail_interval.found > 0
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the inclusion of pam_faillock.so preauth fail_interval parameter in
- auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
- line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
- }}
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- - result_pam_faillock_fail_interval.found == 0
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the inclusion of pam_faillock.so authfail fail_interval parameter in
- auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
- line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval
- }}
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- - result_pam_faillock_fail_interval.found == 0
- tags:
- - CCE-80669-5
- - DISA-STIG-RHEL-08-020012
- - NIST-800-53-AC-7(a)
- - NIST-800-53-CM-6(a)
- - accounts_passwords_pam_faillock_interval
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy

OVAL definition oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 differs:
--- old datastream
+++ new datastream
- criteria AND
- criteria AND
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1
- criteria AND
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1
- criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1
+ criteria None
+ criterion oval:ssg-test_var_faillock_unlock_time_is_never:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_is_never:tst:1
+ criteria None
+ criterion oval:ssg-test_var_faillock_unlock_time_is_never:tst:1
+ criterion oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_greater_or_equal_ext_var:tst:1
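Review bot: both `criteria None` blocks in the new definition list `criterion oval:ssg-test_var_faillock_unlock_time_is_never:tst:1`. Presumably one branch negates it (variable is "never" and pam.d says 0, versus variable is numeric and the pam.d value is greater than or equal to it), but the flattened diff shows neither `negate` nor the operators, so this cannot be verified here; please confirm in the OVAL source that the two branches are mutually exclusive and ORed, otherwise one of the two valid configurations can never pass.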
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,5 @@
 To ensure the failed password attempt policy is configured correctly, run the following command:
-
-$ grep fail_interval /etc/security/faillock.conf
-The output should show unlock_time = <interval-in-seconds> where interval-in-seconds is or greater.
-
-It can also be 0 for never.
+$ grep pam_faillock /etc/pam.d/system-auth
+The output should show unlock_time=<some-large-number> or 0 for never.
 Is it the case that unlock_time is less than the expected value?
 
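Review bot: the new manual check `+$ grep pam_faillock /etc/pam.d/system-auth` inspects only system-auth, while the remediations in this diff configure both system-auth and password-auth; an auditor following this text will miss a password-auth entry without unlock_time. Also, `unlock_time=<some-large-number>` replaces the expected value with a vague placeholder; as in the other faillock OCILs, interpolate `var_accounts_passwords_pam_faillock_unlock_time` so the check states the required minimum.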
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -4,35 +4,7 @@
 var_accounts_passwords_pam_faillock_unlock_time=''
 
 
-SYSTEM_AUTH="/etc/pam.d/system-auth"
-PASSWORD_AUTH="/etc/pam.d/password-auth"
-FAILLOCK_CONF="/etc/security/faillock.conf"
-
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
- echo "Skipping remediation because there are more pam_unix.so entries than expected."
- false
-fi
-
-if [ -f $FAILLOCK_CONF ]; then
- if $(grep -q '^\s*unlock_time\s*=' $FAILLOCK_CONF); then
- sed -i --follow-symlinks "s/^\s*\(unlock_time\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_unlock_time/g" $FAILLOCK_CONF
- else
- echo "unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" >> $FAILLOCK_CONF
- fi
- # If the faillock.conf file is present, but for any reason, like an OS upgrade, the
- # pam_faillock.so parameters are still defined in pam files, this makes them compatible with
- # the newer versions of authselect tool and ensure the parameters are only in faillock.conf.
- sed -i --follow-symlinks 's/\(pam_faillock.so preauth\).*$/\1 silent/g' $SYSTEM_AUTH $PASSWORD_AUTH
- sed -i --follow-symlinks 's/\(pam_faillock.so authfail\).*$/\1/g' $SYSTEM_AUTH $PASSWORD_AUTH
- authselect enable-feature with-faillock
-else
- if [ -f /usr/sbin/authconfig ]; then
- authconfig --enablefaillock --update
- else
- authselect enable-feature with-faillock
- fi
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 
 for pam_file in "${AUTH_FILES[@]}"
 do
@@ -70,7 +42,6 @@
 sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file"
 fi
 done
-fi
 
 else
 >&2 echo 'Remediation is not applicable, nothing was done'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -4,7 +4,7 @@
 tags:
 - CCE-80670-3
 - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020014
 - NIST-800-171-3.1.8
 - NIST-800-53-AC-7(b)
 - NIST-800-53-CM-6(a)
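Review bot: the tag change from `- - DISA-STIG-RHEL-08-020016` to `+ - DISA-STIG-RHEL-08-020014`, repeated in every task of this remediation, is a control-mapping change and not part of the enable_fips_mode fix this PR describes; confirm it comes from a change already merged on master and that the new ID is the STIG item for unlock_time rather than a neighbouring pam_faillock requirement.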
@@ -21,15 +21,26 @@
 tags:
 - always
 
-- name: Check if system relies on authconfig
- ansible.builtin.stat:
- path: /usr/sbin/authconfig
- register: result_authconfig_check
+- name: Add auth pam_faillock preauth unlock_time before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: required
+ new_module_path: pam_faillock.so
+ module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
+ }}
+ state: before
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80670-3
 - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020014
 - NIST-800-171-3.1.8
 - NIST-800-53-AC-7(b)
 - NIST-800-53-CM-6(a)
@@ -41,15 +52,23 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Check the presence of /etc/security/faillock.conf file
- ansible.builtin.stat:
- path: /etc/security/faillock.conf
- register: result_faillock_conf_check
+- name: Add unlock_time argument to pam_faillock preauth
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: required
+ module_path: pam_faillock.so
+ module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
+ }}
+ state: args_present
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80670-3
 - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020014
 - NIST-800-171-3.1.8
 - NIST-800-53-AC-7(b)
 - NIST-800-53-CM-6(a)
@@ -61,19 +80,26 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so unlock_time parameter in /etc/security/faillock.conf
- ansible.builtin.lineinfile:
- path: /etc/security/faillock.conf
- regexp: ^\s*unlock_time\s*=
- line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
- state: present
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
+- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: sufficient
+ module_path: pam_unix.so
+ new_type: auth
+ new_control: '[default=die]'
+ new_module_path: pam_faillock.so
+ module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
+ }}
+ state: after
+ loop:
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80670-3
 - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020014
 - NIST-800-171-3.1.8
 - NIST-800-53-AC-7(b)
 - NIST-800-53-CM-6(a)
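Review bot: the task name `+- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so` says `unlock_interval`, but the arguments set are `authfail unlock_time=...`; rename the task to `unlock_time` so the play output matches what is actually configured.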
@@ -85,19 +111,23 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Check if pam_faillock.so is already enabled
- ansible.builtin.lineinfile:
- path: /etc/pam.d/system-auth
- regexp: .*auth.*pam_faillock.so.*
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_faillock_enabled
+- name: Add unlock_time argument to auth pam_faillock authfail
+ pamd:
+ name: '{{ item }}'
+ type: auth
+ control: '[default=die]'
+ module_path: pam_faillock.so
+ module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time
+ }}
+ state: args_present
+ loop:
+ - system-auth
+ - password-auth
 when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80670-3
 - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020014
 - NIST-800-171-3.1.8
 - NIST-800-53-AC-7(b)
 - NIST-800-53-CM-6(a)
@@ -109,24 +139,24 @@
 - no_reboot_needed
 - restrict_strategy
 
-- name: Ensure the pam_faillock.so preauth parameters are not present in the pam files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so preauth).*$
- line: \1 silent
- state: present
+- name: Add account pam_faillock before pam_unix.so
+ pamd:
+ name: '{{ item }}'
+ type: account
+ control: required
+ module_path: pam_unix.so
+ new_type: account
+ new_control: required
+ new_module_path: pam_faillock.so
+ state: before
 loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
+ - system-auth
+ - password-auth
+ when: '"pam" in ansible_facts.packages'
 tags:
 - CCE-80670-3
 - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
+ - DISA-STIG-RHEL-08-020014
 - NIST-800-171-3.1.8
 - NIST-800-53-AC-7(b)
 - NIST-800-53-CM-6(a)
@@ -137,133 +167,3 @@
 - medium_severity
 - no_reboot_needed
 - restrict_strategy
-
-- name: Ensure the pam_faillock.so authfail parameters are not present in the pam
- files
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (.*pam_faillock.so authfail).*$
- line: \1
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - result_pam_faillock_enabled.found
- tags:
- - CCE-80670-3
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.7
- - accounts_passwords_pam_faillock_unlock_time
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authconfig tool
- ansible.builtin.command:
- cmd: authconfig --enablefaillock --update
- when:
- - '"pam" in ansible_facts.packages'
- - result_authconfig_check.stat.exists
- tags:
- - CCE-80670-3
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.7
- - accounts_passwords_pam_faillock_unlock_time
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure pam_faillock.so is properly enabled using authselect
- ansible.builtin.command:
- cmd: authselect enable-feature with-faillock
- register: result_pam_authselect_cmd
- when:
- - '"pam" in ansible_facts.packages'
- - result_faillock_conf_check.stat.exists
- - not result_pam_faillock_enabled.found
- tags:
- - CCE-80670-3
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.7
- - accounts_passwords_pam_faillock_unlock_time
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the pam_faillock.so preauth unlock_time parameter in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-5]+(.*)
- line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- tags:
- - CCE-80670-3
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.7
- - accounts_passwords_pam_faillock_unlock_time
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy
-
-- name: Ensure the pam_faillock.so authfail unlock_time parameter in auth section
- ansible.builtin.lineinfile:
- path: '{{ item }}'
- backrefs: true
- regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-5]+(.*)
- line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
- state: present
- loop:
- - /etc/pam.d/system-auth
- - /etc/pam.d/password-auth
- when:
- - '"pam" in ansible_facts.packages'
- - not result_faillock_conf_check.stat.exists
- tags:
- - CCE-80670-3
- - CJIS-5.5.3
- - DISA-STIG-RHEL-08-020016
- - NIST-800-171-3.1.8
- - NIST-800-53-AC-7(b)
- - NIST-800-53-CM-6(a)
- - PCI-DSS-Req-8.1.7
- - accounts_passwords_pam_faillock_unlock_time
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - restrict_strategy

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,2 @@
 
-for home_dir in $(awk -F':' '{ if ($4 >= 1000 && $4 != 65534) print $6 }' /etc/passwd); do
- # Only update the permissions when necessary. This will avoid changing the inode timestamp when
- # the permission is already defined as expected, therefore not impacting in possible integrity
- # check systems that also check inodes timestamps.
- find $home_dir -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
-done
+awk -F':' '{ if ($4 >= 1000 && $4 != 65534) system("chmod -f 700 "$6) }' /etc/passwd
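Review bot: the new one-liner `+awk -F':' '{ if ($4 >= 1000 && $4 != 65534) system("chmod -f 700 "$6) }' /etc/passwd` passes the home directory field to a shell unquoted, so a home path containing spaces or shell metacharacters (legal in /etc/passwd) breaks the command or is interpreted by the shell; read the fields with `while IFS=: read -r ...` and call `chmod -f 700 "$home_dir"` with quoting instead. Note also that `$4` is the primary GID field, not the UID (`$3`), so both the old and the new filter select users by group id. Behaviourally the change replaces `find $home_dir -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;`, which only touched entries whose bits needed changing and walked the whole tree, with an unconditional `chmod 700` of the top-level directory on every run; that changes ctime on compliant directories (the concern the removed comment raises) and no longer fixes contents. Confirm the rule description and OVAL were updated to the new 0700 expectation.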

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_home_directories' differs:
--- old datastream
+++ new datastream
@@ -48,7 +48,7 @@
 directories
 ansible.builtin.file:
 path: '{{ item.0.value[4] }}'
- mode: u-s,g-w-s,o=-
+ mode: '0700'
 loop: '{{ local_users|zip(path_exists.results)|list }}'
 when: item.1.stat is defined and item.1.stat.exists
 tags:
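Review bot: `mode: '0700'` is stricter and less targeted than `u-s,g-w-s,o=-` (it also removes group/other read and execute), and it diverges from the bash remediation's original intent of only clearing setuid/setgid and group/other write. Like the bash hunk, this change has nothing to do with FIPS mode and should disappear after rebasing on master.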

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc' differs:
--- old datastream
+++ new datastream
@@ -11,12 +11,11 @@
 replace: umask {{ var_accounts_user_umask }}
 tags:
 - CCE-81037-4
- - DISA-STIG-RHEL-08-020353
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - accounts_umask_etc_csh_cshrc
 - low_complexity
 - low_disruption
- - medium_severity
 - no_reboot_needed
 - restrict_strategy
+ - unknown_severity
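Review bot: this hunk downgrades the rule from `medium_severity` to `unknown_severity` and drops the `DISA-STIG-RHEL-08-020353` reference, a metadata regression unrelated to enable_fips_mode. It should vanish after a rebase; if it does not, the rule's severity and STIG reference need to be restored.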

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' differs:
--- old datastream
+++ new datastream
@@ -11,12 +11,11 @@
 replace: umask {{ var_accounts_user_umask }}
 tags:
 - CCE-81035-8
- - DISA-STIG-RHEL-08-020353
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - accounts_umask_etc_profile
 - low_complexity
 - low_disruption
- - medium_severity
 - no_reboot_needed
 - restrict_strategy
+ - unknown_severity
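Review bot: same metadata regression as for accounts_umask_etc_csh_cshrc: `medium_severity` becomes `unknown_severity` and `DISA-STIG-RHEL-08-020353` is lost, which is not part of the FIPS change and points to an unrebased branch.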

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' differs:
--- old datastream
+++ new datastream
@@ -23,7 +23,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
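Review bot: removing `ignore_errors: true` from the `grub2-editenv - list | grep "kernelopts="` task makes the whole play fail on any host that has no `kernelopts=` entry yet, because grep exits 1 and `ansible.builtin.shell` treats a non-zero return code as a failure. If a missing entry is meant to be handled, keep `ignore_errors: true` (or use `failed_when: false`) so the following tasks can branch on `kernelopts.rc`.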
@@ -53,7 +52,6 @@
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True)
@@ -75,27 +73,3 @@
 - medium_severity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=audit=1"
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc != 0
- tags:
- - CCE-80825-3
- - CJIS-5.4.1.1
- - DISA-STIG-RHEL-08-030601
- - NIST-800-171-3.3.1
- - NIST-800-53-AC-17(1)
- - NIST-800-53-AU-10
- - NIST-800-53-AU-14(1)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-IR-5(1)
- - PCI-DSS-Req-10.3
- - grub2_audit_argument
- - low_disruption
- - medium_complexity
- - medium_severity
- - reboot_required
- - restrict_strategy
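Review bot: deleting the 'Update the bootloader menu when there are no entries previously set' task leaves no path that creates `kernelopts=audit=1` on a host where `grub2-editenv - list` returns no `kernelopts=` line; together with the dropped `ignore_errors: true` in the first hunk, such a host now fails the play instead of being remediated. The same three-hunk pattern repeats for every other grub2_* rule in this diff, which is a regression against master rather than a FIPS change and should go away on rebase.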

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' differs:
--- old datastream
+++ new datastream
@@ -16,7 +16,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@@ -39,7 +38,6 @@
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$',
@@ -54,20 +52,3 @@
 - medium_severity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=audit_backlog_limit=8192"
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc != 0
- tags:
- - CCE-80943-4
- - DISA-STIG-RHEL-08-030602
- - NIST-800-53-CM-6(a)
- - grub2_audit_backlog_limit_argument
- - low_disruption
- - medium_complexity
- - medium_severity
- - reboot_required
- - restrict_strategy
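Review bot: the fallback that sets `kernelopts=audit_backlog_limit=8192` when no entry exists is removed here, and the lookup task above no longer tolerates grep's exit code 1, so hosts without a `kernelopts=` line fail instead of being fixed. Not related to enable_fips_mode.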

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs:
--- old datastream
+++ new datastream
@@ -14,7 +14,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - '"grub2-common" in ansible_facts.packages'
@@ -35,7 +34,6 @@
 when:
 - '"grub2-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?iommu=force(?:\s.*)?$',
@@ -48,18 +46,3 @@
 - reboot_required
 - restrict_strategy
 - unknown_severity
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=iommu=force"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc != 0
- tags:
- - CCE-83920-9
- - grub2_enable_iommu_force
- - low_disruption
- - medium_complexity
- - reboot_required
- - restrict_strategy
- - unknown_severity
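Review bot: same regression for `kernelopts=iommu=force`: without the fallback task and with `ignore_errors: true` gone from the lookup, a host with no `kernelopts=` entry aborts the play. Expected to disappear after rebasing on master.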

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng' differs:
--- old datastream
+++ new datastream
@@ -14,7 +14,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - '"grub2-common" in ansible_facts.packages'
@@ -35,7 +34,6 @@
 when:
 - '"grub2-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?random.trust_cpu=on(?:\s.*)?$',
@@ -48,18 +46,3 @@
 - medium_severity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=random.trust_cpu=on"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc != 0
- tags:
- - CCE-83314-5
- - grub2_kernel_trust_cpu_rng
- - low_disruption
- - medium_complexity
- - medium_severity
- - reboot_required
- - restrict_strategy
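Review bot: the fallback creating `kernelopts=random.trust_cpu=on` is dropped here as well; combined with the first hunk of this rule, hosts lacking a `kernelopts=` line can no longer be remediated by this play. Unrelated to the FIPS change.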

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs:
--- old datastream
+++ new datastream
@@ -16,7 +16,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - '"grub2-common" in ansible_facts.packages'
@@ -39,7 +38,6 @@
 when:
 - '"grub2-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?pti=on(?:\s.*)?$', multiline=True)
@@ -54,20 +52,3 @@
 - medium_complexity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=pti=on"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc != 0
- tags:
- - CCE-82194-2
- - DISA-STIG-RHEL-08-040004
- - NIST-800-53-SI-16
- - grub2_pti_argument
- - high_severity
- - low_disruption
- - medium_complexity
- - reboot_required
- - restrict_strategy
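Review bot: this rule is tagged `high_severity`, so losing the fallback that writes `kernelopts=pti=on` (plus the `ignore_errors: true` removal in the first hunk) is a more impactful regression than for the medium-severity grub2 rules: a host with no `kernelopts=` entry fails the play and keeps PTI unset. Should not be part of an enable_fips_mode PR.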

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs:
--- old datastream
+++ new datastream
@@ -16,7 +16,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - '"grub2-common" in ansible_facts.packages'
@@ -39,7 +38,6 @@
 when:
 - '"grub2-common" in ansible_facts.packages'
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?vsyscall=none(?:\s.*)?$',
@@ -54,20 +52,3 @@
 - medium_severity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=vsyscall=none"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - kernelopts.rc != 0
- tags:
- - CCE-80946-7
- - DISA-STIG-RHEL-08-010422
- - NIST-800-53-CM-7(a)
- - grub2_vsyscall_argument
- - low_disruption
- - medium_complexity
- - medium_severity
- - reboot_required
- - restrict_strategy
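Review bot: same pattern for `kernelopts=vsyscall=none`: the no-entry fallback is removed and the lookup task no longer ignores grep's non-zero exit, so remediation fails on hosts without a `kernelopts=` line. Rebase artefact, not a FIPS change.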

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports' differs:
--- old datastream
+++ new datastream
@@ -10,7 +10,7 @@
 
 
 
- 
+ {% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" %}
 
 
 # This assumes that firewalld_sshd_zone is one of the pre-defined zones
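Review bot: the `+` line `{% set network_config_path = "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" %}` is a Jinja2 statement emitted verbatim into the rendered bash remediation, meaning the template was not evaluated at build time; bash will try to execute `{%` and fail. It also explains why every later reference to the path in this file renders as an empty string `""` in the following hunks. The `-` side, with the literal path inline, is the correct rendering, so this hunk must not land as is.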
@@ -26,7 +26,7 @@
 nic_bound=false
 eth_interface_list=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)')
 for interface in $eth_interface_list; do
- if grep -qi "ZONE=$firewalld_sshd_zone" /etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}; then
+ if grep -qi "ZONE=$firewalld_sshd_zone" ; then
 nic_bound=true
 break;
 fi
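Review bot: `if grep -qi "ZONE=$firewalld_sshd_zone" ; then` has lost its file argument, so grep reads standard input instead of the ifcfg file and `nic_bound` is never set from the real configuration. Independently of the template problem, both sides build the path from `${eth_interface_list[0]}` although `eth_interface_list` is a plain string (so `[0]` expands to the whole newline-separated list when more than one interface is up) and never use the loop variable `$interface`; the path should be derived from `$interface`.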
@@ -40,7 +40,7 @@
 # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
 # Otherwise, regular sed command will do.
 sed_command=('sed' '-i')
- if test -L "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"; then
+ if test -L ""; then
 sed_command+=('--follow-symlinks')
 fi
 
@@ -54,13 +54,13 @@
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),
 # so if we search for 'setting', 'setting2' won't match.
- if LC_ALL=C grep -q -m 1 -i -e "^ZONE=\\>" "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"; then
- "${sed_command[@]}" "s/^ZONE=\\>.*/$formatted_output/gi" "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"
+ if LC_ALL=C grep -q -m 1 -i -e "^ZONE=\\>" ""; then
+ "${sed_command[@]}" "s/^ZONE=\\>.*/$formatted_output/gi" ""
 else
 # \n is precaution for case where file ends without trailing newline
 cce="CCE-84300-3"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" >> "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"
- printf '%s\n' "$formatted_output" >> "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}"
+ printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "" >> ""
+ printf '%s\n' "$formatted_output" >> ""
 fi
 
 else
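Review bot: with the path rendered as `""`, `grep -q -m 1 -i -e "^ZONE=\\>" ""` can never open a file, the else branch is always taken, and `printf ... >> ""` is rejected by bash with 'No such file or directory', so the `ZONE=` line is never written and the remediation aborts at this point. The `-` lines with the explicit `/etc/sysconfig/network-scripts/ifcfg-...` path are the correct ones.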

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs:
--- old datastream
+++ new datastream
@@ -14,7 +14,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when: '"grub2-common" in ansible_facts.packages'
 tags:
@@ -32,7 +31,6 @@
 list }}'
 when:
 - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?ipv6.disable=1(?:\s.*)?$',
@@ -45,17 +43,3 @@
 - medium_complexity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=ipv6.disable=1"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc != 0
- tags:
- - CCE-82887-1
- - grub2_ipv6_disable_argument
- - low_disruption
- - low_severity
- - medium_complexity
- - reboot_required
- - restrict_strategy
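Review bot: besides losing the `kernelopts=ipv6.disable=1` fallback like the other grub2 rules, note that this rule's lookup task runs under `when: '"grub2-common" in ansible_facts.packages'` only, without the `ansible_virtualization_type` guard the other grub2_* tasks carry, so the now-fatal grep failure would also hit container targets. Unrelated to enable_fips_mode.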

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs:
--- old datastream
+++ new datastream
@@ -16,7 +16,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@@ -39,7 +38,6 @@
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?page_poison=1(?:\s.*)?$',
@@ -54,20 +52,3 @@
 - medium_severity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=page_poison=1"
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc != 0
- tags:
- - CCE-80944-2
- - DISA-STIG-RHEL-08-010421
- - NIST-800-53-CM-6(a)
- - grub2_page_poison_argument
- - low_disruption
- - medium_complexity
- - medium_severity
- - reboot_required
- - restrict_strategy
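Review bot: same regression for `kernelopts=page_poison=1`: no fallback for hosts without a `kernelopts=` entry, and the lookup task now fails the play on grep's exit code 1. Rebase artefact.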

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs:
--- old datastream
+++ new datastream
@@ -16,7 +16,6 @@
 ansible.builtin.shell:
 cmd: /usr/bin/grub2-editenv - list | grep "kernelopts="
 register: kernelopts
- ignore_errors: true
 changed_when: false
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@@ -39,7 +38,6 @@
 when:
 - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc == 0
 - kernelopts.stdout_lines is defined
 - kernelopts.stdout_lines | length > 0
 - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?slub_debug=P(?:\s.*)?$',
@@ -54,20 +52,3 @@
 - medium_severity
 - reboot_required
 - restrict_strategy
-
-- name: Update the bootloader menu when there are no entries previously set
- command: /usr/bin/grub2-editenv - set "kernelopts=slub_debug=P"
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - '"grub2-common" in ansible_facts.packages'
- - kernelopts.rc != 0
- tags:
- - CCE-80945-9
- - DISA-STIG-RHEL-08-010423
- - NIST-800-53-CM-6(a)
- - grub2_slub_debug_argument
- - low_disruption
- - medium_complexity
- - medium_severity
- - reboot_required
- - restrict_strategy
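Review bot: same regression for `kernelopts=slub_debug=P`: the no-entry fallback is removed and `ignore_errors: true` is gone from the lookup, so hosts without a `kernelopts=` line can no longer be remediated. Not part of the FIPS change.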

OVAL definition oval:ssg-disable_host_auth:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_disable_host_auth_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_disable_host_auth_config_dir:tst:1
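Review bot: dropping both the `..._config_dir_default_not_overriden` and `..._config_dir` criteria means the new datastream no longer evaluates drop-in files under /etc/ssh/sshd_config.d, so a `HostbasedAuthentication yes` placed in a drop-in would pass the check while sshd honours it. The same criterion pair is removed from every sshd_* OVAL definition below, a strong sign that the branch predates the sshd_config.d support on master and needs a rebase before the datastream diff is meaningful.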
OCIL for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:
-
 $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
 
 Is it the case that the required value is not set?

OVAL definition oval:ssg-sshd_disable_empty_passwords:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_empty_passwords_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
-
 $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
 
 Is it the case that the required value is not set?

OVAL definition oval:ssg-sshd_disable_gssapi_auth:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_gssapi_auth_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,6 @@
-To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
-
-$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if GSSAPIAuthentication is disabled or set correctly, run the following
+command:
+$ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config
+If configured properly, output should be no
+ Is it the case that it is commented out or is not disabled?
 
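Review bot: the replacement OCIL text regresses on sshd's defaults: GSSAPIAuthentication defaults to no, so the old wording ("no line, a commented line, or ... no" is compliant) was right and the new question "Is it the case that it is commented out or is not disabled?" marks a compliant default as a failure. The new command `grep GSSAPIAuthentication` also drops `-i` (sshd keywords are case-insensitive) and is unanchored, so it matches commented `#GSSAPIAuthentication` lines, and "output should be no" is imprecise; other hunks in this diff use `^PubkeyAuthentication` or `"^LogLevel"`, so the anchoring is inconsistent across rules. The same default-handling regression appears in the KerberosAuthentication, PermitUserEnvironment, StrictModes and PrintLastLog OCIL hunks below.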
OVAL definition oval:ssg-sshd_disable_kerb_auth:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_kerb_auth_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_disable_kerb_auth_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,6 @@
-To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:
-
-$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if KerberosAuthentication is disabled or set correctly, run the
+following command:
+$ sudo grep KerberosAuthentication /etc/ssh/sshd_config
+If configured properly, output should be no
+ Is it the case that it is commented out or is not disabled?
 
OVAL definition oval:ssg-sshd_disable_pubkey_auth:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_pubkey_auth_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,6 @@
-To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
-
-$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
-
-
-If a line indicating no is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if PubkeyAuthentication is disabled or set correctly, run the following
+command:
+$ sudo grep PubkeyAuthentication /etc/ssh/sshd_config
+If configured properly, output should be no
+ Is it the case that it is not disabled?
 
OVAL definition oval:ssg-sshd_disable_rhosts:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_rhosts_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_disable_rhosts_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:
-
 $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
 
 Is it the case that the required value is not set?

OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs:
--- old datastream
+++ new datastream
@@ -4,9 +4,7 @@
 Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option.
 If version is lower than 7.4, run the following command to check configuration:
 To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command:
-
 $ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
 
 Is it the case that the required value is not set?

OVAL definition oval:ssg-sshd_disable_root_login:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_root_login_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
-
 $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
-
 
 If a line indicating no is returned, then the required value is set.
 

OVAL definition oval:ssg-sshd_disable_root_password_login:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_root_password_login_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_disable_root_password_login_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
-
 $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
-
 
 If a line indicating prohibit-password is returned, then the required value is set.
 Is it the case that it is commented out or not configured properly?

OVAL definition oval:ssg-sshd_disable_tcp_forwarding:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_tcp_forwarding_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command:
-
 $ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
 Is it the case that The AllowTcpForwarding option exists and is disabled?
 
OVAL definition oval:ssg-sshd_disable_user_known_hosts:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_user_known_hosts_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:
-
 $ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
-
 
 If a line indicating yes is returned, then the required value is set.
 

OVAL definition oval:ssg-sshd_disable_x11_forwarding:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_disable_x11_forwarding_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_disable_x11_forwarding_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's X11Forwarding option is set, run the following command:
-
 $ sudo grep -i X11Forwarding /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
 
 Is it the case that the required value is not set?

OVAL definition oval:ssg-sshd_do_not_permit_user_env:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_do_not_permit_user_env_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_do_not_permit_user_env_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,6 @@
-To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:
-
-$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value no is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To ensure users are not able to send environment variables, run the following command:
+$ sudo grep PermitUserEnvironment /etc/ssh/sshd_config
+If properly configured, output should be:
+PermitUserEnvironment no
+ Is it the case that PermitUserEnvironment is not disabled?
 
OVAL definition oval:ssg-sshd_enable_gssapi_auth:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_gssapi_auth_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,6 @@
-To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
-
-$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
-
-
-If a line indicating yes is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if GSSAPIAuthentication is enabled or set correctly, run the following
+command:
+$ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config
+If configured properly, output should be yes
+ Is it the case that it is commented out or is not enabled?
 
OVAL definition oval:ssg-sshd_enable_pam:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_pam_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,6 @@
-To determine how the SSH daemon's UsePAM option is set, run the following command:
-
-$ sudo grep -i UsePAM /etc/ssh/sshd_config
-
-
-If a line indicating yes is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if UsePAM is enabled or set correctly, run the following
+command:
+$ sudo grep UsePAM /etc/ssh/sshd_config
+If configured properly, output should be yes
+ Is it the case that it is commented out or is not enabled?
 
OVAL definition oval:ssg-sshd_enable_pubkey_auth:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_pubkey_auth_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,6 @@
-To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
-
-$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
-
-
-If a line indicating yes is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if PubkeyAuthentication is enabled or set correctly, run the
+following command:
+$ sudo grep ^PubkeyAuthentication /etc/ssh/sshd_config
+If configured properly, output should be yes
+ Is it the case that it is not enabled?
 
OVAL definition oval:ssg-sshd_enable_strictmodes:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_strictmodes_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_enable_strictmodes_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,6 @@
-To determine how the SSH daemon's StrictModes option is set, run the following command:
-
-$ sudo grep -i StrictModes /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if StrictModes is enabled or set correctly, run the
+following command:
+$ sudo grep StrictModes /etc/ssh/sshd_config
+If configured properly, output should be yes
+ Is it the case that it is commented out or is not enabled?
 
OVAL definition oval:ssg-sshd_enable_warning_banner:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_warning_banner_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's Banner option is set, run the following command:
-
 $ sudo grep -i Banner /etc/ssh/sshd_config
-
 
 If a line indicating /etc/issue is returned, then the required value is set.
 

OVAL definition oval:ssg-sshd_enable_warning_banner_net:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_warning_banner_net_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's Banner option is set, run the following command:
-
 $ sudo grep -i Banner /etc/ssh/sshd_config
-
 
 If a line indicating /etc/issue.net is returned, then the required value is set.
 

OVAL definition oval:ssg-sshd_enable_x11_forwarding:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_enable_x11_forwarding_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's X11Forwarding option is set, run the following command:
-
 $ sudo grep -i X11Forwarding /etc/ssh/sshd_config
-
 
 If a line indicating yes is returned, then the required value is set.
 

OVAL definition oval:ssg-sshd_print_last_log:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_print_last_log_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_print_last_log_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,6 @@
-To determine how the SSH daemon's PrintLastLog option is set, run the following command:
-
-$ sudo grep -i PrintLastLog /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if PrintLastLog is enabled or set correctly, run the
+following command:
+$ sudo grep PrintLastLog /etc/ssh/sshd_config
+If configured properly, output should be yes
+ Is it the case that it is commented out or is not enabled?
 
OVAL definition oval:ssg-sshd_set_keepalive_0:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_set_keepalive_0_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To ensure ClientAliveInterval is set correctly, run the following command:
-
 $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
-
 If properly configured, the output should be:
 ClientAliveCountMax 0
 

OVAL definition oval:ssg-sshd_set_loglevel_info:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_set_loglevel_info_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_set_loglevel_info_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,6 @@
-To determine how the SSH daemon's LogLevel option is set, run the following command:
-
-$ sudo grep -i LogLevel /etc/ssh/sshd_config
-
-If no line, a commented line, or a line indicating the value INFO is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if LogLevel is enabled or set correctly, run the
+following command:
+$ sudo grep "^LogLevel" /etc/ssh/sshd_config
+If configured properly, output should be LogLevel INFO
+ Is it the case that it is commented out or is not enabled?
 
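Review bot: the new sshd_set_loglevel_info OCIL fails an absent or commented-out LogLevel even though sshd's LogLevel defaults to INFO, which the removed wording ("no line, a commented line, or a line indicating the value INFO") handled correctly. Either keep the default-accepting wording or state explicitly that an explicit directive is required. Separately, `grep "^LogLevel"` is case-sensitive and rejects leading whitespace while sshd keywords are case-insensitive; `$ sudo grep -i "^\s*LogLevel" /etc/ssh/sshd_config` is safer.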
OVAL definition oval:ssg-sshd_set_loglevel_verbose:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_set_loglevel_verbose_config_dir:tst:1
+ criteria AND
+ criterion oval:ssg-test_sshd_set_loglevel_verbose_default_not_overriden:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,6 @@
-To determine how the SSH daemon's LogLevel option is set, run the following command:
-
-$ sudo grep -i LogLevel /etc/ssh/sshd_config
-
-
-If a line indicating VERBOSE is returned, then the required value is set.
-
- Is it the case that the required value is not set?
+To check if LogLevel is enabled or set correctly, run the
+following command:
+$ sudo grep "^LogLevel" /etc/ssh/sshd_config
+If configured properly, output should be LogLevel VERBOSE
+ Is it the case that it is commented out or is not enabled?
 
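Review bot: for VERBOSE, which is not sshd's default, requiring an uncommented directive is the right semantics, so the new question is fine; only the pattern needs tightening. `grep "^LogLevel"` is case-sensitive and misses indented directives while sshd keywords are case-insensitive, so `$ sudo grep -i "^\s*LogLevel" /etc/ssh/sshd_config` with "the output should be LogLevel VERBOSE" matches what the OVAL above now checks with its added `default_not_overriden` criterion.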
OVAL definition oval:ssg-sshd_x11_use_localhost:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_sshd_x11_use_localhost_config_dir_default_not_overriden:tst:1
- criterion oval:ssg-test_sshd_x11_use_localhost_config_dir:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,5 @@
 To determine how the SSH daemon's X11UseLocalhost option is set, run the following command:
-
 $ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config
-
 If no line, a commented line, or a line indicating the value yes is returned, then the required value is set.
 Is it the case that the display proxy is listening on wildcard address?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-To verify that Linux Audit logging is enabled for the USBGuard daemon,
+To verify that Linux Audit logging si enabled for the USBGuard daemon,
 run the following command:
 $ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
 The output should be
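Review bot: the new datastream introduces a typo in the configure_usbguard_auditbackend OCIL: "Linux Audit logging si enabled" should read "is enabled". The old line was correct, so this looks like an accidental edit to the rule's OCIL text that should be reverted.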

@yuumasato yuumasato self-assigned this Nov 30, 2021
Member

@yuumasato yuumasato left a comment

I'd also update the rule description and mention that the crypto policy is expected to match var_system_crypto_policy, and that the remediation will do that for you.
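The behaviour the comment above asks the rule description to document, as an added example that is not part of this PR or of the ComplianceAsCode remediation: a POSIX shell script that refuses an expected crypto policy that is not FIPS-based (a configuration that can never satisfy the rule), and otherwise enables FIPS mode and then applies the policy from var_system_crypto_policy, so that a stricter FIPS subpolicy such as FIPS:OSPP replaces the plain FIPS policy that fips-mode-setup configures on its own. `is_fips_based`, `check_policy` and `remediate` are hypothetical function names; `fips-mode-setup --enable`, `update-crypto-policies --set` and `update-crypto-policies --show` are the real RHEL commands, and the optional command-name arguments exist only so the logic can be exercised with stand-ins on a machine without them.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode content. Enables FIPS mode and then
# applies the crypto policy the profile expects (var_system_crypto_policy),
# refusing any policy that is not FIPS or a FIPS:* subpolicy.
# Function names (is_fips_based, check_policy, remediate) are hypothetical.

# is_fips_based POLICY: 0 when POLICY is FIPS or a FIPS subpolicy (FIPS:OSPP, ...).
# Comparison is exact; update-crypto-policies --show prints the uppercase form.
is_fips_based() {
  case "$1" in
    FIPS|FIPS:*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_policy EXPECTED ACTUAL: 0 when the active policy (ACTUAL, as printed by
# `update-crypto-policies --show`) equals EXPECTED and EXPECTED is FIPS-based.
# Returns 2 when EXPECTED is not FIPS-based (the rule can never pass),
# 1 when the active policy simply differs.
check_policy() {
  if ! is_fips_based "$1"; then
    echo "expected policy '$1' is not FIPS-based; the rule can never pass" >&2
    return 2
  fi
  [ "$2" = "$1" ] && return 0
  echo "active policy '$2' does not match expected '$1'" >&2
  return 1
}

# remediate EXPECTED [FIPS_SETUP_CMD] [UPDATE_CRYPTO_POLICIES_CMD]
# Order matters: fips-mode-setup --enable hard-codes the plain FIPS policy,
# so the profile's policy is applied afterwards and then verified.
# The two command names default to the real tools and can be replaced with
# stand-ins to test the control flow on a host without crypto-policies.
remediate() {
  expected=$1
  fips_setup=${2:-fips-mode-setup}
  ucp=${3:-update-crypto-policies}
  is_fips_based "$expected" || {
    echo "refusing: '$expected' is not a FIPS-based policy" >&2
    return 2
  }
  "$fips_setup" --enable || return 1
  "$ucp" --set "$expected" || return 1
  check_policy "$expected" "$("$ucp" --show)"
}

# Real use (as root on RHEL, reboot afterwards): sh fips_policy.sh FIPS:OSPP
if [ "$#" -eq 1 ]; then
  remediate "$1"
fi
```

The FIPS-based gate is what keeps the remediation from silently weakening the system: running `fips-mode-setup --enable` and then setting a non-FIPS policy would leave the kernel in FIPS mode with user-space libraries outside it, and the rule would still report a failure.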

@yuumasato yuumasato changed the title fix enable_fix_mode remediations fix enable_fips_mode remediations Dec 1, 2021
@vojtapolasek
Collaborator Author

I have updated the remediation and rule description. I was thinking about having there some Jinja conditional based on the value of var_system_crypto_policy... something like if the policy is set to FIPS, there will be no additional sentence. If there is a different policy, the sentence mentioning that the rule additionally configures a cryptography policy would be added. But I am not sure if the build system actually supports different rule description for different profiles.

@yuumasato
Member

yuumasato commented Dec 13, 2021

I was thinking about having there some Jinja conditional based on the value of var_system_crypto_policy... something like if the policy is set to FIPS, there will be no additional sentence. If there is a different policy, the sentence mentioning that the rule additionally configures a cryptography policy would be added. But I am not sure if the build system actually supports different rule description for different profiles.

I don't think this is possible with the XCCDF benchmarks we use.
The Jinja macros and conditionals are processed during content build time.
And the dynamicity of the rule descriptions at rule evaluation time is provided by xccdf:sub, which only provides simple text substitution. AFAIK XCCDF doesn't support complex processing in the rule descriptions.

…/rule.yml

Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
@vojtapolasek
Collaborator Author

I have accepted your suggestion. However, I noticed that the variable does not show in OCIL. However, it is displayed correctly in the rule description. Is that expected?

@yuumasato
Member

I have accepted your suggestion. However, I noticed that the variable does not show in OCIL. However, it is displayed correctly in the rule description. Is that expected?

Kind of :(
#4354

@yuumasato
Member

/retest

@openshift-ci

openshift-ci bot commented Dec 15, 2021

@vojtapolasek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name:     ci/prow/e2e-aws-rhcos4-moderate
Commit:        1081a9c
Details:       link
Required:      true
Rerun command: /test e2e-aws-rhcos4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@yuumasato
Member

Seems like ci/prow/e2e-aws-rhcos4-moderate is failing on infra.

@yuumasato yuumasato merged commit 81a6554 into ComplianceAsCode:master Dec 15, 2021
This pull request was closed.