Merge pull request #12192 from teacup-on-rockingchair/slmicro5_auth_s…

…ecurity_rules Slmicro5 auth,security and audit STIG rules
ComplianceAsCode · Jul 29, 2024 · 2ff314f · 2ff314f
2 parents 29e5b62 + 9b94058
commit 2ff314f
Show file tree

Hide file tree

Showing 36 changed files with 280 additions and 47 deletions.
diff --git a/components/pam.yml b/components/pam.yml
@@ -25,6 +25,8 @@ rules:
 - account_password_selinux_faillock_dir
 - account_passwords_pam_faillock_audit
 - account_passwords_pam_faillock_dir
+- accounts_passwords_pam_tally2_file
+- accounts_passwords_pam_tally2_file_selinux
 - account_temp_expire_date
 - account_unique_id
 - account_unique_name

diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -602,8 +602,10 @@ controls:
   - medium
   title: SLEM 5 shadow password suite must be configured to enforce a delay of at
     least five seconds between logon prompts following a failed logon attempt.
-  rules: []
-  status: pending
+  rules:
+    - accounts_logon_fail_delay
+    - var_accounts_fail_delay=5
+  status: automated
 - id: SLEM-05-411025
   levels:
   - medium
@@ -700,14 +702,18 @@ controls:
   - medium
   title: SLEM 5 must enforce a delay of at least five seconds between logon prompts
     following a failed logon attempt via pluggable authentication modules (PAM).
-  rules: []
-  status: pending
+  rules:
+    - accounts_passwords_pam_faildelay_delay
+    - var_password_pam_delay=4000000
+  status: automated
 - id: SLEM-05-412030
   levels:
   - medium
   title: SLEM 5 must use the default pam_tally2 tally directory.
-  rules: []
-  status: pending
+  rules:
+    - accounts_passwords_pam_tally2_file
+    - accounts_passwords_pam_tally2_file_selinux
+  status: automated
 - id: SLEM-05-412035
   levels:
   - low
@@ -719,21 +725,25 @@ controls:
   levels:
   - low
   title: SLEM 5 must have policycoreutils package installed.
-  rules: []
-  status: pending
+  rules:
+    - package_policycoreutils_installed
+  status: automated
 - id: SLEM-05-431015
   levels:
   - high
   title: SLEM 5 must use a Linux Security Module configured to enforce limits on system
     services.
-  rules: []
-  status: pending
+  rules:
+    - selinux_state
+    - var_selinux_state=enforcing
 - id: SLEM-05-431020
   levels:
   - medium
   title: SLEM 5 must enable the SELinux targeted policy.
-  rules: []
-  status: pending
+  rules:
+    - selinux_policytype
+    - var_selinux_policy_name=targeted
+  status: automated
 - id: SLEM-05-431025
   levels:
   - medium
@@ -1020,8 +1030,9 @@ controls:
   title: SLEM 5 must allocate audit record storage capacity to store at least one
     week of audit records when audit records are not immediately sent to a central
     audit record storage facility.
-  rules: []
-  status: pending
+  rules:
+    - package_audit-audispd-plugins_installed
+  status: automated
 - id: SLEM-05-653030
   levels:
   - medium
@@ -1376,22 +1387,25 @@ controls:
   - medium
   title: Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit
     record.
-  rules: []
-  status: pending
+  rules:
+    - audit_rules_execution_setfiles
+  status: automated
 - id: SLEM-05-654220
   levels:
   - medium
   title: Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit
     record.
-  rules: []
-  status: pending
+    - package_policycoreutils-python-utils_installed
+    - audit_rules_execution_semanage
+  status: automated
 - id: SLEM-05-654225
   levels:
   - medium
   title: Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit
     record.
-  rules: []
-  status: pending
+  rules:
+    - audit_rules_execution_setsebool
+  status: automated
 - id: SLEM-05-654230
   levels:
   - medium

diff --git a/..._configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml b/..._configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
   {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -39,6 +39,7 @@ identifiers:
     cce@rhel9: CCE-83750-0
     cce@rhel10: CCE-89541-7
     cce@sle15: CCE-85819-1
+    cce@slmicro5: CCE-94098-1
 
 references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

diff --git a/..._configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml b/..._configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
   {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -38,6 +38,7 @@ identifiers:
     cce@rhel8: CCE-82280-9
     cce@rhel9: CCE-83736-9
     cce@rhel10: CCE-88818-0
+    cce@slmicro5: CCE-94099-9
 
 references:
     disa: CCI-000169,CCI-000172,CCI-002884

diff --git a/...configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml b/...configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
   {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -39,6 +39,7 @@ identifiers:
     cce@rhel9: CCE-83751-8
     cce@rhel10: CCE-87741-5
     cce@sle15: CCE-85818-3
+    cce@slmicro5: CCE-94100-5
 
 references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

diff --git a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml
@@ -13,6 +13,7 @@ identifiers:
     cce@rhel9: CCE-89457-6
     cce@sle12: CCE-83033-1
     cce@sle15: CCE-85613-8
+    cce@slmicro5: CCE-94096-5
 
 ocil_clause: 'the package is not installed'
 

diff --git a/...pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/bash/slmicro5.sh b/...pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/bash/slmicro5.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_slmicro5
+
+{{{ bash_instantiate_variables("var_password_pam_delay") }}}
+
+{{{ bash_ensure_pam_module_options('/etc/pam.d/common-auth', 'auth', 'required', 'pam_faildelay.so', 'delay', "$var_password_pam_delay", "$var_password_pam_delay") }}}
diff --git a/...ccounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml b/...ccounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml
@@ -19,6 +19,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83176-8
     cce@sle15: CCE-85619-5
+    cce@slmicro5: CCE-94092-4
 
 references:
     disa: CCI-000366

diff --git a/...ts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file/rule.yml b/...ts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+title: 'SLEM 5 must use the default pam_tally2 tally directory.'
+
+description: |-
+    This rule configures the system to use default pam_tally2 tally directory
+
+rationale: |-
+    By limiting the number of failed logon attempts, the risk of unauthorized
+    system access via user password guessing, otherwise known as
+    brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+severity: medium
+
+identifiers:
+    cce@slmicro5: CCE-94089-0
+
+references:
+    disa: CCI-000044
+    nist@slmicro5: AC-7(a)
+    srg: SRG-OS-000021-GPOS-00005
+
+ocil_clause: 'file= is set to /var/log/tallylog or missing'
+
+ocil: |-
+    Verify the location of the default tallylog file for the pam_tally2 module,
+    with the following command
+    <pre>$sudo grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#"</pre>
+
+fixtext: |-
+    Configure SLEM 5 to use the default pam_tally2 tally directory
+    Modify the content of <tt>/etc/pam.d/login</tt>, like this:
+    <pre>sudo sed -ri 's/\s+file=\S+\s+/ /g' /etc/pam.d/login</tt> </pre>
+
+platform: package[pam]
+
+template:
+    name: pam_options
+    vars:
+      path: /etc/pam.d/login
+      type: auth
+      control_flag: required
+      module: pam_tally2.so
+      arguments:
+        - argument: file
+          argument_match: .*
+          remove_argument: file=
diff --git a/...assword_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_default.fail.sh b/...assword_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_default.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+cat >/etc/pam.d/common-account <<CAPTC
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+account	requisite			pam_deny.so
+account required			pam_tally2.so
+account	required			pam_permit.so
+CAPTC
+
+cat >/etc/pam.d/login <<CAPTUTC
+auth required pam_tally2.so file=/var/log/tallylog
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTUTC
diff --git a/...ord_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_non_default.fail.sh b/...ord_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_non_default.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+cat >/etc/pam.d/common-account <<CAPTC
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+account	requisite			pam_deny.so
+account required			pam_tally2.so
+account	required			pam_permit.so
+CAPTC
+
+cat >/etc/pam.d/login <<CAPTUTA
+auth required pam_tally2.so file=/var/log/pam_tally2.log
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTUTA
diff --git a/...rd_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_unconfigured.pass.sh b/...rd_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_unconfigured.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+cat >/etc/pam.d/common-account <<CAPTC
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+account	requisite			pam_deny.so
+account required			pam_tally2.so
+account	required			pam_permit.so
+CAPTC
+
+cat >/etc/pam.d/login <<CAPTUTC
+auth required pam_tally2.so deny=3
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTUTC
diff --git a/...cking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/ansible/shared.yml b/...cking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/ansible/shared.yml
@@ -0,0 +1,15 @@
+# platform = multi_platform_slmicro5
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+
+- name: {{{ rule_title }}} - Set up SELinux context for /var/log/tallylog
+  ansible.builtin.shell: |-
+    if ! semanage fcontext -a -t faillog_t /var/log/tallylog; then
+      semanage fcontext -m -t faillog_t /var/log/tallylog
+    fi
+
+- name: {{{ rule_title }}} - Restore SELinux context on /var/log/tallylog
+  ansible.builtin.command: restorecon -R -v /var/log/tallylog
diff --git a/...m/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/bash/shared.sh b/...m/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/bash/shared.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+if ! semanage fcontext -a -t faillog_t "/var/log/tallylog"; then
+    semanage fcontext -m -t faillog_t "/var/log/tallylog"
+fi
+restorecon -R -v "/var/log/tallylog"
diff --git a/.../locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/oval/shared.xml b/.../locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/oval/shared.xml
@@ -0,0 +1,28 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+  {{{ oval_metadata("An SELinux Context faillog_t must be configured for the pam_tally2 file option.") }}}
+    <criteria operator="OR">
+      <criterion test_ref="test_account_password_selinux_pam_tally2_file"
+                 comment="The pam_tally2 file should have faillog_t as context"/>
+    </criteria>
+  </definition>
+
+  <linux:selinuxsecuritycontext_test id="test_account_password_selinux_pam_tally2_file" version="2"
+    check="all" check_existence="all_exist"
+    comment="faillog_t context is set in pam_tally2.so tally file">
+    <linux:object object_ref="object_account_password_selinux_pam_tally2_file"/>
+    <linux:state state_ref="state_account_password_selinux_pam_tally2_file"/>
+  </linux:selinuxsecuritycontext_test>
+
+  <linux:selinuxsecuritycontext_object id="object_account_password_selinux_pam_tally2_file"
+    comment="SELinux context information for pam_tall2.so default file /var/log/tallylog" version="1">
+    <linux:filepath>/var/log/tallylog</linux:filepath>
+  </linux:selinuxsecuritycontext_object>
+
+  <linux:selinuxsecuritycontext_state id="state_account_password_selinux_pam_tally2_file" version="1"
+    comment="faillog_t context is set">
+    <linux:type datatype="string" operation="equals">faillog_t</linux:type>
+  </linux:selinuxsecuritycontext_state>
+
+
+</def-group>
diff --git a/...nts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/rule.yml b/...nts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+title: 'An SELinux Context must be configured for default pam_tally2 file option'
+
+description: |-
+    The <tt>file</tt> configuration option in PAM pam_tally2.so module defines where to keep counts.
+    Default is /var/log/tallylog. The configured directory must have the correct SELinux context.
+
+rationale: |-
+    Not having the correct SELinux context on the pam_tally2.so file may lead to
+    unauthorized access to the directory.
+
+severity: medium
+
+identifiers:
+    cce@slmicro5: CCE-94088-2
+
+references:
+    disa: CCI-000044
+    nist: AC-7 (a)
+    srg: SRG-OS-000021-GPOS-00005
+
+platform: package[pam]
+
+ocil_clause: 'the security context type of the non-default tally directory is not "faillog_t"'
+
+ocil: |-
+    If the system does not have SELinux enabled and enforcing a targeted policy,
+    or if the pam_tally2 module is not configured for use, this requirement is not applicable
+
+    Check the security context type of the default tally2 directory with the following command:
+
+    $ sudo ls -Z /var/log/tallylog
+
+    unconfined_u:object_r:faillog_t:s0 /var/log/faillock
+
+    If the security context type of the tally directory is not "faillog_t", this is a finding.
+
+fixtext: |-
+    Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context
+    type for the default pam_tally2 tally directory with the following command:
+
+    $ sudo semanage fcontext -a -t faillog_t "/var/log/tallylog"
+
+    Next, update the context type of the default tallylog directory/subdirectories and files with the following command:
+
+    $ sudo restorecon -R -v /var/log/tallylog
diff --git a/..._out_password_attempts/accounts_passwords_pam_tally2_file_selinux/tests/faillog_t.pass.sh b/..._out_password_attempts/accounts_passwords_pam_tally2_file_selinux/tests/faillog_t.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = policycoreutils-python-utils
+# platform = multi_platform_slmicro5
+
+semanage fcontext -m -t faillog_t "/var/log/tallylog"