Merge branch 'master' into debian12

linux_os/guide/services/fapolicyd/fapolicy_default_deny/ansible/shared.yml

@@ -0,0 +1,31 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: {{{ rule_title }}} - Ensure a Final Rule Denying Everything
+  ansible.builtin.copy:
+    content: |
+      # Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+      deny perm=any all : all
+    dest: /etc/fapolicyd/rules.d/99-deny-everything.rules
+    owner: root
+    group: fapolicyd
+    mode: '0644'
+  register: result_fapolicyd_final_rule
+
+- name: {{{ rule_title }}} - Ensure fapolicyd is Not Permissive
+  ansible.builtin.lineinfile:
+    path: /etc/fapolicyd/fapolicyd.conf
+    regexp: '^(permissive\s*=).*$'
+    line: '\1 0'
+    backrefs: true
+  register: result_fapolicyd_enforced
+
+- name: "{{{ rule_title }}} - Restart fapolicyd If Permissive Mode or Final Rule is Changed"
+  ansible.builtin.service:
+    name: fapolicyd
+    state: restarted
+  when:
+    - result_fapolicyd_final_rule is changed or result_fapolicyd_enforced is changed

linux_os/guide/services/fapolicyd/fapolicy_default_deny/bash/shared.sh

@@ -0,0 +1,24 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+cat > /etc/fapolicyd/rules.d/99-deny-everything.rules << EOF
+# Red Hat KCS 7003854 (https://access.redhat.com/solutions/7003854)
+deny perm=any all : all
+EOF
+
+chmod 644 /etc/fapolicyd/rules.d/99-deny-everything.rules
+chgrp fapolicyd /etc/fapolicyd/rules.d/99-deny-everything.rules
+
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}
+
+systemctl restart fapolicyd

linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml

@@ -74,7 +74,3 @@ fixtext: |-
     permissive = 0
 
 srg_requirement: 'The {{{ full_name }}} fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.'
-
-warnings:
-  - general:
-      This rule doesn't come with a remediation. Before remediating the system administrator needs to create an allowlist of authorized software.

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "allow perm=any all : all" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "deny perm=any all : all" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,6 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "deny perm=any all : all" >> $active_rules_file
+
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="1",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 echo "# deny perm=any all : all" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh

@@ -1,8 +1,5 @@
 #!/bin/bash
 # packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
 
 if [ -f /etc/fapolicyd/compiled.rules ]; then
     active_rules_file="/etc/fapolicyd/compiled.rules"
@@ -11,8 +8,14 @@ else
 fi
 
 truncate -s 0 $active_rules_file
-
 echo "deny perm=any all : all" >> $active_rules_file
 echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
 
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
+{{{ set_config_file(path="/etc/fapolicyd/fapolicyd.conf",
+                    parameter="permissive",
+                    value="0",
+                    create=true,
+                    insensitive=true,
+                    separator=" = ",
+                    separator_regex="\s*=\s*",
+                    prefix_regex="^\s*") }}}

linux_os/guide/services/ntp/group.yml

@@ -58,9 +58,9 @@ description: |-
     {{% elif product == "rhel7" %}}
         {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
     {{% elif product == "rhel8" %}}
-        {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/using-chrony-to-configure-ntp_configuring-basic-system-settings") }}}
+        {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/configuring-time-synchronization_configuring-basic-system-settings") }}}
     {{% elif product == "rhel9" %}}
-        {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_basic_system_settings/using-chrony-to-configure-ntp_configuring-basic-system-settings#doc-wrapper") }}}
+        {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_basic_system_settings/configuring-time-synchronization_configuring-basic-system-settings") }}}
     {{% elif "ubuntu" in product  %}}
         {{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}}
     {{% elif "debian" in product %}}

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh

@@ -7,4 +7,4 @@ if ! grep -q "^${var_pam_wheel_group_for_su}:[^:]*:[^:]*:[^:]*" /etc/group; then
 fi
 
 # group must be empty
-groupmems -g ${var_pam_wheel_group_for_su} -p
+gpasswd -M '' ${var_pam_wheel_group_for_su}

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/tests/group_without_members.pass.sh

@@ -3,4 +3,4 @@
 
 GRP_NAME=sugroup
 groupadd ${GRP_NAME}
-groupmems -g ${GRP_NAME} -p
+gpasswd -M '' ${GRP_NAME}

linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml

@@ -67,8 +67,4 @@ template:
   name: rsyslog_logfiles_attributes_modify
   vars:
     attribute: groupowner
-{{% if "ubuntu" in product or "debian" in product %}}
-    value: 4
-{{% else %}}
-    value: 0
-{{% endif %}}
+    value: {{{ target_group }}}

linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml

@@ -87,6 +87,6 @@ template:
   name: rsyslog_logfiles_attributes_modify
   vars:
     attribute: owner
-    value: 0
-    value@ubuntu2004: 104
-    value@ubuntu2204: 104
+    value: root
+    value@ubuntu2004: syslog
+    value@ubuntu2204: syslog

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/oval/shared.xml

@@ -26,13 +26,13 @@
 
   <ind:textfilecontent54_object id="obj_sudo_selinux_elevation_type" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*%wheel.*TYPE=(\w+).*$</ind:pattern>
+    <ind:pattern operation="pattern match">^\s*%\w+.*TYPE=(\w+).*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_object id="obj_sudo_selinux_elevation_role" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*%wheel.*ROLE=(\w+).*$</ind:pattern>
+    <ind:pattern operation="pattern match">^\s*%\w+.*ROLE=(\w+).*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/tests/conflicting_value.fail.sh

@@ -1,4 +1,6 @@
-# platform = multi_platform_ol
+#!/bin/bash
+
+# platform = multi_platform_all
 # packages = sudo
 # remediation = none
 

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/tests/correct_value_multiple_files.pass.sh

@@ -1,4 +1,6 @@
-# platform = multi_platform_ol
+#!/bin/bash
+
+# platform = multi_platform_all
 # packages = sudo
 
 echo '%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL' >> /etc/sudoers

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/tests/correct_value_single_file.pass.sh

@@ -1,4 +1,6 @@
-# platform = multi_platform_ol
+#!/bin/bash
+
+# platform = multi_platform_all
 # packages = sudo
 
 echo '%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL' >> /etc/sudoers.d/01-complianceascode.conf

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/tests/custom_group_name.pass.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# platform = multi_platform_all
+# packages = sudo
+
+group_add sudoers
+
+echo '%sudoers ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL' >> /etc/sudoers.d/01-complianceascode.conf

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/tests/missing_role.fail.sh

@@ -1,4 +1,6 @@
-# platform = multi_platform_ol
+#!/bin/bash
+
+# platform = multi_platform_all
 # packages = sudo
 # remediation = none
 

linux_os/guide/system/selinux/selinux_context_elevation_for_sudo/tests/missing_type.fail.sh

@@ -1,4 +1,6 @@
-# platform = multi_platform_ol
+#!/bin/bash
+
+# platform = multi_platform_all
 # packages = sudo
 # remediation = none
 

products/rhel7/profiles/stig.profile

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V3R12
+    version: V3R13
     SMEs:
         - ggbecker
 
@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Red Hat Enterprise Linux V3R12.
+    DISA STIG for Red Hat Enterprise Linux V3R13.
 
     In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
     configuration baseline as applicable to the operating system tier of

products/rhel7/profiles/stig_gui.profile

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V3R12
+    version: V3R13
     SMEs:
         - ggbecker
 
@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG with GUI for Red Hat Enterprise Linux V3R12.
+    DISA STIG with GUI for Red Hat Enterprise Linux V3R13.
 
     In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
     configuration baseline as applicable to the operating system tier of

products/rhel8/profiles/stig.profile

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V1R11
+    version: V1R12
     SMEs:
         - mab879
         - ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Red Hat Enterprise Linux 8 V1R11.
+    DISA STIG for Red Hat Enterprise Linux 8 V1R12.
 
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
     configuration baseline as applicable to the operating system tier of

products/rhel8/profiles/stig_gui.profile

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V1R11
+    version: V1R12
     SMEs:
         - mab879
         - ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
+    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R12.
 
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this
     configuration baseline as applicable to the operating system tier of

products/ubuntu2004/profiles/cis_level1_server.profile

@@ -420,6 +420,7 @@ selections:
     - var_nftables_base_chain_types=chain_types
     - var_nftables_base_chain_hooks=chain_hooks
     - var_nftables_base_chain_priorities=chain_priorities
+    - var_nftables_base_chain_policies=chain_policies
     - set_nftables_base_chain
 
     #### 3.5.2.6 Ensure loopback traffic is configured (Automated)

products/ubuntu2204/profiles/cis_level1_server.profile

@@ -453,6 +453,7 @@ selections:
     - var_nftables_base_chain_types=chain_types
     - var_nftables_base_chain_hooks=chain_hooks
     - var_nftables_base_chain_priorities=chain_priorities
+    - var_nftables_base_chain_policies=chain_policies
     - set_nftables_base_chain
 
     #### 3.5.2.6 Ensure nftables loopback traffic is configured (Automated)