From 77a28ab3799135a2e7125903476e4ca8cfd9e2e9 Mon Sep 17 00:00:00 2001 From: Federico Ramirez Date: Thu, 19 Jan 2023 15:29:36 -0600 Subject: [PATCH 1/3] Introduce rule authconfig_config_files_symlinks This new rule covers the DISA STIG requirement OL07-00-010199. Add OVAL checks and a few tests for this new rule. Also include this rule in OL7 stig profile. Signed-off-by: Federico Ramirez --- .../oval/shared.xml | 43 ++++++++++++++ .../authconfig_config_files_symlinks/rule.yml | 56 +++++++++++++++++++ .../tests/correct_set-up.pass.sh | 41 ++++++++++++++ .../tests/no_symlinks.fail.sh | 5 ++ .../tests/symlinks_wrong_target.fail.sh | 41 ++++++++++++++ products/ol7/profiles/stig.profile | 1 + 6 files changed, 187 insertions(+) create mode 100644 linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml create mode 100644 linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh create mode 100644 linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh create mode 100644 linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml new file mode 100644 index 00000000000..77f1f0cf64d --- /dev/null +++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml @@ -0,0 +1,43 @@ + + + {{{ oval_metadata("Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local") }}} + + + + + + + + + + + + + + + + + + /etc/pam.d/system-auth + + + + /etc/pam.d/password-auth + + + + /etc/pam.d/system-auth-local + + + + /etc/pam.d/password-auth-local + + 
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
new file mode 100644
index 00000000000..0af985dbf66
--- /dev/null
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
@@ -0,0 +1,56 @@
+documentation_complete: true
+
+prodtype: ol7
+
+title: 'Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local'
+
+description: |-
+ {{{ full_name }}} must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.
+ This can be avoided by creating new local configuration files and creating new or moving existing
+ symbolic links to them. The authconfig utility will recognize the local configuration files and not
+ overwrite them, while writing its own settings to the original configuration files.
+
+rationale: |-
+ When using the authconfig utility to modify authentication configuration settings, the "system-auth"
+ and "password-auth" files and any custom settings that they may contain are overwritten.
+
+severity: medium
+
+references:
+ disa: CCI-000196
+ srg: SRG-OS-000073-GPOS-00041
+ stigid@ol7: OL07-00-010199
+
+ocil_clause: 'The system-auth and password-auth files are not symbolic links or they do not point to system-auth-local password-auth-local'
+
+ocil: |-
+ Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local":
+
$ sudo ls -l /etc/pam.d/{password,system}-auth
+
+fixtext: |-
+ Create custom configuration files and their corresponding symbolic links:
+
+ Rename the existing configuration files (skip this step if symbolic links are already present):
+
$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
+
$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
+
+ Create custom system- and password-auth configuration file:
+
$ sudo touch /etc/pam.d/{system,password}-auth-local
+
+ Make sure the custom config files include the -ac files:
+
(type)     include       password-auth-ac
+
+ Create new or move existing symbolic links to the new custom configuration files:
+
$ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
+
$ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
+
+ Once finished, the file structure should be the following:
+
$ sudo ls -1 /etc/pam.d/{password,system}-auth*
+
+    /etc/pam.d/password-auth
+    /etc/pam.d/password-auth-ac
+    /etc/pam.d/password-auth-local
+    /etc/pam.d/system-auth
+    /etc/pam.d/system-auth-ac
+    /etc/pam.d/system-auth-local
+
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh
new file mode 100644
index 00000000000..ec75bf6d2d4
--- /dev/null
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+# remediation = none
+
+mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
+mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
+
+cat << EOF > /etc/pam.d/system-auth-local
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include system-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include system-auth-ac
+
+password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+password include system-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include system-auth-ac
+EOF
+
+cat << EOF > /etc/pam.d/password-auth-local
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include password-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include password-auth-ac
+
+password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+password include password-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include password-auth-ac
+EOF
+
+ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
+ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth
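Review bot: The include example in the fixtext, `(type)     include       password-auth-ac`, names only the password-auth side although the step before it creates both `-local` files with `touch`, and `(type)` is never explained; I would show one line per file, e.g. `auth include system-auth-ac` in `/etc/pam.d/system-auth-local` and `auth include password-auth-ac` in `/etc/pam.d/password-auth-local`, and say that such a line is needed for each management group (auth, account, password, session) the -ac file is meant to supply. The OVAL is not readable on this page, so this is inferred from the title only: if the object compares just the link's target path, a link to a missing `-local` file would still satisfy the rule while presumably leaving the service without a readable PAM stack, so it is worth confirming that the check also requires the target file to exist. Placing the rule under `linux_os/guide/system/auditing/` is a point of style: it configures PAM rather than auditing, so it would sit more naturally beside the other PAM rules.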
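Review bot: The two `mv` lines at the top assume `/etc/pam.d/system-auth` and `password-auth` are regular files; on a host where authconfig has already turned them into symlinks to the `-ac` files, `mv` either refuses because source and destination resolve to the same file or renames the link over its own target, and with no `set -e` the script carries on in both cases, so the `include system-auth-ac` lines written into the local files may then resolve to a self-referencing link. The fixtext already tells the admin to skip the rename when links are present, and the scenario should do the same: `[[ -L /etc/pam.d/system-auth ]] || mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac`, with the matching line for password-auth. symlinks_wrong_target.fail.sh starts with the same two lines and needs the same guard. As a point of style, the heredocs could use a quoted delimiter (`cat << 'EOF'`) so that later edits to the PAM lines are never subject to shell expansion.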
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh
new file mode 100644
index 00000000000..a545d979122
--- /dev/null
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+# remediation = none
+
+touch /etc/pam.d/{password,system}-auth-{mycustomconfig,ac}
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh
new file mode 100644
index 00000000000..82fb5d543e9
--- /dev/null
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh
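Review bot: The scenario only creates the extra `-mycustomconfig` and `-ac` files and never touches `/etc/pam.d/system-auth` or `password-auth` themselves, so it does not establish the condition its name promises: on an image where authconfig has already left those two as symlinks to the `-ac` files, the rule fails for the wrong-target reason that symlinks_wrong_target.fail.sh already covers, not because the links are absent. I would turn each link into a plain copy of what it resolves to, e.g. `[[ -L /etc/pam.d/system-auth ]] && cp --remove-destination "$(readlink -f /etc/pam.d/system-auth)" /etc/pam.d/system-auth` and the same for password-auth, so the check is exercised against regular files. Whether the test images start out with symlinks cannot be seen here, so a comment stating the assumed initial layout would help either way.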
@@ -0,0 +1,41 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+# remediation = none
+
+mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
+mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
+
+cat << EOF > /etc/pam.d/system-auth-mycustomconfig
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include system-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include system-auth-ac
+
+password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+password include system-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include system-auth-ac
+EOF
+
+cat << EOF > /etc/pam.d/password-auth-mycustomconfig
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include password-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include password-auth-ac
+
+password requisite pam_pwhistory.so use_authtok remember=5 retry=3
+password include password-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include password-auth-ac
+EOF
+
+ln -sf /etc/pam.d/system-auth-mycustomconfig /etc/pam.d/system-auth
+ln -sf /etc/pam.d/password-auth-mycustomconfig /etc/pam.d/password-auth
diff --git a/products/ol7/profiles/stig.profile b/products/ol7/profiles/stig.profile
index 5f01204850f..fbb7e203f75 100644
--- a/products/ol7/profiles/stig.profile
+++ b/products/ol7/profiles/stig.profile
@@ -335,3 +335,4 @@ selections:
 - account_emergency_expire_date
 - package_screen_installed
 - sysctl_kernel_dmesg_restric
+ - authconfig_config_files_symlinks
From 90e21a20fd45837387f0178ac3405e4a47e30a2b Mon Sep 17 00:00:00 2001
From: Federico Ramirez
Date: Tue, 31 Jan 2023 12:54:57 -0600
Subject: [PATCH 2/3] Add missing remediation warning to authconfig rule
Add a warning about the missing remediations to the authconfig_config_files_symlinks rule. Also update both YAML and OVAL files to avoid lines longer than 99 characters whenever possible
Signed-off-by: Federico Ramirez
---
 .../oval/shared.xml | 15 +++++---
 .../authconfig_config_files_symlinks/rule.yml | 37 +++++++++++++------
 2 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml
index 77f1f0cf64d..ce090899fb9 100644
--- a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml
@@ -2,9 +2,11 @@ {{{ oval_metadata("Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local") }}} - -
@@ -23,11 +25,13 @@ - + /etc/pam.d/system-auth - + /etc/pam.d/password-auth
@@ -36,7 +40,8 @@ /etc/pam.d/system-auth-local - /etc/pam.d/password-auth-local
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
index 0af985dbf66..894d6fe2efb 100644
--- a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
@@ -2,17 +2,22 @@ documentation_complete: true
 prodtype: ol7
-title: 'Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local'
+title: |-
+ Ensure system-auth and password-auth files are symbolic links pointing
+ to system-auth-local and password-auth-local
 description: |-
- {{{ full_name }}} must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.
- This can be avoided by creating new local configuration files and creating new or moving existing
- symbolic links to them. The authconfig utility will recognize the local configuration files and not
- overwrite them, while writing its own settings to the original configuration files.
+ {{{ full_name }}} must be configured to prevent overwriting of custom authentication
+ configuration settings by the authconfig utility.
+ This can be avoided by creating new local configuration files and creating new or moving
+ existing symbolic links to them. The authconfig utility will recognize the local configuration
+ files and not overwrite them, while writing its own settings to the original configuration
+ files.
 rationale: |-
- When using the authconfig utility to modify authentication configuration settings, the "system-auth"
- and "password-auth" files and any custom settings that they may contain are overwritten.
+ When using the authconfig utility to modify authentication configuration settings,
+ the "system-auth" and "password-auth" files and any custom settings that they may
+ contain are overwritten.
 severity: medium
@@ -21,16 +26,26 @@ references:
 srg: SRG-OS-000073-GPOS-00041
 stigid@ol7: OL07-00-010199
-ocil_clause: 'The system-auth and password-auth files are not symbolic links or they do not point to system-auth-local password-auth-local'
+warnings:
+ - general: |-
+ This rule doesn't come with a remediation. PAM files are very sensible to ordering and
+ custom PAM files make it nearly impossible to design an automated remediation that
+ is safe to use for all cases.
+
+ocil_clause: |-
+ The system-auth and password-auth files are not symbolic links or they
+ do not point to system-auth-local password-auth-local
 ocil: |-
- Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local":
-
$ sudo ls -l /etc/pam.d/{password,system}-auth
+ Verify "system-auth" and "password-auth" files are symbolic
+ links pointing to "system-auth-local" and "password-auth-local":
+
$ sudo ls -l /etc/pam.d/{password,system}-auth
fixtext: |-
 Create custom configuration files and their corresponding symbolic links:
- Rename the existing configuration files (skip this step if symbolic links are already present):
+ Rename the existing configuration files
+ (skip this step if symbolic links are already present):
$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
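Review bot: The new warning text says `PAM files are very sensible to ordering and`; the intended word is "sensitive", so it should read `PAM files are very sensitive to ordering and`. The rewrapped `ocil_clause` still has no conjunction in `do not point to system-auth-local password-auth-local`, so a reader cannot tell which file is expected to point where; `do not point to system-auth-local and password-auth-local respectively` (or naming each pairing explicitly) fixes that. The enclosing rule file continues past the end of this hunk.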
From 3728a7a9413fcded53043419a0d85864906a1a86 Mon Sep 17 00:00:00 2001
From: Federico Ramirez
Date: Tue, 31 Jan 2023 16:26:28 -0600
Subject: [PATCH 3/3] Add authconfig_config_files_symlinks to RHEL7 stig
Signed-off-by: Federico Ramirez
---
 .../auditing/authconfig_config_files_symlinks/rule.yml | 6 +++++-
 products/rhel7/profiles/stig.profile | 1 +
 shared/references/cce-redhat-avail.txt | 5 -----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
index 894d6fe2efb..179a7b8bdaf 100644
--- a/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
+++ b/linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7
+prodtype: ol7,rhel7
 title: |-
 Ensure system-auth and password-auth files are symbolic links pointing
@@ -21,10 +21,14 @@ rationale: |-
 severity: medium
+identifiers:
+ cce@rhel7: CCE-86062-7
+
 references:
 disa: CCI-000196
 srg: SRG-OS-000073-GPOS-00041
 stigid@ol7: OL07-00-010199
+ stigid@rhel7: RHEL-07-010199
 warnings:
 - general: |-
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index dba166b43fe..7e8af97387d 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -344,3 +344,4 @@ selections:
 - package_screen_installed
 - sysctl_kernel_dmesg_restrict
 - aide_build_database
+ - authconfig_config_files_symlinks
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b12b80d73a7..51a8412982b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,8 +1,3 @@
-CCE-86035-3
-CCE-86036-1
-CCE-86037-9
-CCE-86039-5
-CCE-86062-7
 CCE-86063-5
 CCE-86064-3
 CCE-86065-0