
Ubuntu 22.04 CIS #9953

Merged
merged 29 commits into from
Dec 16, 2022

Conversation

dodys
Contributor

@dodys dodys commented Dec 12, 2022

Description:

  • This PR introduces the base for Ubuntu 22.04 CIS.
  • It adds:
    1. ubuntu2204 to prodtype in rules
    2. cis@ubuntu2204 references
    3. fix grub2 path in product.yml
    4. add avahi and dconf to platform_package_overrides
    5. add multi_platform_ubuntu to some remediations
    6. add some Ubuntu-specific template vars
    7. address some rule descriptions
    8. for faillock rules, add Ubuntu-specific OVAL
    9. and more

@dodys dodys requested a review from a team as a code owner December 12, 2022 10:19

@github-actions

This datastream diff is auto-generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -12,7 +12,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
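Review bot: the `+ ` line at the top of this hunk adds a line consisting only of a single space, and the `AUTH_FILES=` assignment below it loses its leading space; this reads like Jinja whitespace leaking from the template rather than an intended change. Suggest trimming the template block so the rendered remediation does not carry a whitespace-only line. The same artifact appears in every faillock remediation in this diff, so one fix at the source should cover all eight rules.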
@@ -22,8 +23,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*audit"
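Review bot: `/etc/pam.d/common-auth` is appended to the `AUTH_FILES` list that sits after the authselect `if`/`else`, so the list now mixes the Debian/Ubuntu PAM layout with the RHEL-family one and drives the following loop on every platform; on a RHEL host the loop will iterate over a path that never exists there, and on Ubuntu it will iterate over `system-auth` and `password-auth`. The file test added further down in this diff keeps that harmless, but selecting the list per platform (only `/etc/pam.d/common-auth` for Ubuntu) would be clearer than probing files that are known to be absent.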
@@ -33,7 +35,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
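Review bot: the new `if [ -f $pam_file ]; then` wraps the existing `if [ -e "$pam_file" ] ; then` instead of replacing it, so the same path is now tested twice, and the new outer test leaves `$pam_file` unquoted while the inner one quotes it. Because the outer `-f` test only falls through for files that exist, the inner test's `else` branch (the `$pam_file was not found` message) can no longer run. Suggest a single check, `if [ -f "$pam_file" ]; then`, with the not-found report kept in its `else`.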
@@ -75,6 +78,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"
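Review bot: the `+ fi` here closes the outer `-f` test added in the previous hunk, and with it the `echo "$pam_file was not found" >&2` branch becomes dead code: a missing PAM file is now skipped silently instead of being reported. If the intent is to stay quiet about platform-specific files that are legitimately absent (for example `common-auth` on RHEL), drop the message together with the inner `-e` test rather than leaving an unreachable `else` behind.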

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -12,7 +12,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -22,8 +23,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*audit"
@@ -33,7 +35,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
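Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.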
@@ -75,6 +78,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -7,7 +7,9 @@
 using pam_faillock.so.
 
 pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
-defined to work as expected. In order to avoid errors when manually editing these files, it is
+defined to work as expected.
+
+In order to avoid errors when manually editing these files, it is
 recommended to use the appropriate tools, such as authselect or authconfig,
 depending on the OS version.
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -17,7 +17,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -27,8 +28,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*deny\s*="
@@ -40,7 +42,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
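Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.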
@@ -82,6 +85,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -14,7 +14,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -24,8 +25,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*even_deny_root"
@@ -35,7 +37,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
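Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.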
@@ -77,6 +80,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -17,7 +17,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -27,8 +28,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*dir\s*="
@@ -40,7 +42,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
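Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.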
@@ -82,6 +85,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -14,7 +14,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -24,8 +25,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*local_users_only"
@@ -35,7 +37,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
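Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.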
@@ -77,6 +80,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -17,7 +17,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -27,8 +28,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*fail_interval\s*="
@@ -40,7 +42,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
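Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.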
@@ -82,6 +85,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -17,7 +17,8 @@
 
 authselect apply-changes -b
 else
- AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+ 
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
 for pam_file in "${AUTH_FILES[@]}"
 do
 if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
@@ -27,8 +28,9 @@
 fi
 sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
 done
+
 fi
-AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
+AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth" "/etc/pam.d/common-auth")
 FAILLOCK_CONF="/etc/security/faillock.conf"
 if [ -f $FAILLOCK_CONF ]; then
 regex="^\s*unlock_time\s*="
@@ -40,7 +42,8 @@
 fi
 for pam_file in "${AUTH_FILES[@]}"
 do
- if [ -e "$pam_file" ] ; then
+ if [ -f $pam_file ]; then
+ if [ -e "$pam_file" ] ; then
 PAM_FILE_PATH="$pam_file"
 if [ -f /usr/bin/authselect ]; then
 if ! authselect check; then
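Review bot: same double existence check as in the other faillock remediations in this diff: the added `if [ -f $pam_file ]; then` (unquoted) encloses the existing `if [ -e "$pam_file" ] ; then`, so the inner `else` that prints `$pam_file was not found` is unreachable once the outer `fi` is added below. One quoted `-f` test is enough.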
@@ -82,6 +85,7 @@
 else
 echo "$pam_file was not found" >&2
 fi
+ fi
 done
 else
 for pam_file in "${AUTH_FILES[@]}"

@marcusburghardt marcusburghardt added Ubuntu Ubuntu product related. CIS CIS Benchmark related. labels Dec 12, 2022
@marcusburghardt marcusburghardt added this to the 0.1.66 milestone Dec 12, 2022
@dodys
Contributor Author

dodys commented Dec 13, 2022

/retest

This is an automated commit; to redo run:

./utils/rule_dir_json.py
./utils/autoprodtyper.py ubuntu2204 cis_level1_server
This is an automated commit; to redo run:

./utils/rule_dir_json.py
./utils/autoprodtyper.py ubuntu2204 cis_level2_server
@codeclimate

codeclimate bot commented Dec 14, 2022

Code Climate has analyzed commit 949a6f1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 48.8% (0.0% change).

@openshift-ci

openshift-ci bot commented Dec 14, 2022

@dodys: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                      Commit   Details  Required  Rerun command
ci/prow/e2e-aws-ocp4-cis-node  949a6f1  link     true      /test e2e-aws-ocp4-cis-node

Member

@Mab879 Mab879 left a comment


Thanks for the new profile! Since you are the only approver for Ubuntu products, I will handle the approval of this PR.

@Mab879 Mab879 added Highlight This PR/Issue should make it to the featured changelog. New Profile Issues or pull requests related to new Profiles. labels Dec 16, 2022
@Mab879
Member

Mab879 commented Dec 16, 2022

I have run some local tests for failing Automatus tests, and they pass.

@Mab879 Mab879 merged commit 02cb4f6 into ComplianceAsCode:master Dec 16, 2022
@dodys
Contributor Author

dodys commented Dec 16, 2022

thanks @Mab879!

@dodys dodys mentioned this pull request Dec 16, 2022