-
Notifications
You must be signed in to change notification settings - Fork 698
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Slmicro5 auth,security and audit STIG rules #12192
Slmicro5 auth,security and audit STIG rules #12192
Conversation
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
3da1c08
to
db702a7
Compare
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember
@@ -5,6 +5,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_remember=''
@@ -12,10 +13,12 @@
VALUE_NAMES+=("remember")
ARGS+=("")
NEW_ARGS+=("")
+
VALUES+=("")
VALUE_NAMES+=("")
ARGS+=("use_authtok")
NEW_ARGS+=("use_authtok")
+
for idx in "${!VALUES[@]}"
do
@@ -48,6 +51,9 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_pwhistory.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_pwhistory.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_dcredit=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("dcredit")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_difok=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("difok")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_lcredit=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("lcredit")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_minlen=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("minlen")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_ocredit=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("ocredit")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_retry=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("retry")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done
bash remediation for rule 'xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit' differs.
--- xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit
@@ -3,6 +3,7 @@
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
var_password_pam_ucredit=''
@@ -10,6 +11,7 @@
VALUE_NAMES+=("ucredit")
ARGS+=("")
NEW_ARGS+=("")
+
for idx in "${!VALUES[@]}"
do
@@ -42,5 +44,8 @@
do
if ! grep -q -P "^\s*password\s+requisite\s+pam_cracklib.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/common-password ; then
sed --follow-symlinks -i -E -e "s/^\\s*password\\s+requisite\\s+pam_cracklib.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/common-password
+ if [ -n "${DEL_ARGS[$idx]}" ]; then
+ sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/common-password
+ fi
fi
done |
db702a7
to
0a75dea
Compare
0a75dea
to
5c4bf63
Compare
|
||
unconfined_u:object_r:faillog_t:s0 /var/log/faillock | ||
|
||
If the security context type of the tally directory is not "tallylog_t", this is a finding. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be faillog_t
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the note , should be fixed in 9b94058 🙇
- enabled slmicro5 platform for accounts_passwords_pam_faildelay_delay and accounts_logon_fail_delay rules - implemented new rule accounts_passwords_pam_tally2_file_selinux in the context of STIG SLEM-05-412030 requirement "SLEM 5 must use the default pam_tally2 tally directory."
- Enable some specifics of the package applicability cheks for slmicro5
…lly directory STIG requirement Also fixed some platform references
tallylog_t term was carbon copied from DISA spec, which later discovered had a mistake, and though DISA were contacted and opened a ticket on their side, we forgot to fix the rule sections involving the tallylog_t. Thanks @jan-cerny 🙇
0643f88
to
9b94058
Compare
Code Climate has analyzed commit 9b94058 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
Description:
Rationale:
Add some user account related DISA STIG rules for SLE Micro 5.x platform
Review Hints:
xccdf generate fix
command and then after exit and reboot run the oval checks again to make sure they pass.