Introduce new rule authconfig_config_files_symlinks

linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml

@@ -0,0 +1,48 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local") }}}
+        <criteria operator="AND" comment="password-auth and system-auth are symlinks">
+            <criterion comment="/etc/pam.d/password-auth is a symlink and
+                points to /etc/pam.d/password-auth-local"
+                test_ref="test_password-auth_is_a_symlink" />
+            <criterion comment="/etc/pam.d/system-auth is a symlink and
+                points to /etc/pam.d/system-auth-local"
+                test_ref="test_system-auth_is_a_symlink" />
+        </criteria>
+    </definition>
+
+    <unix:symlink_test check="all" check_existence="all_exist"
+      comment="/etc/pam.d/password-auth is a symlink and points to /etc/pam.d/password-auth-local"
+      id="test_password-auth_is_a_symlink" version="1">
+         <unix:object object_ref="object_password-auth_is_a_symlink" />
+         <unix:state state_ref="state_password-auth_is_a_symlink" />
+    </unix:symlink_test>
+
+    <unix:symlink_test check="all" check_existence="all_exist"
+      comment="/etc/pam.d/system-auth is a symlink and points to /etc/pam.d/system-auth-local"
+      id="test_system-auth_is_a_symlink" version="1">
+         <unix:object object_ref="object_system-auth_is_a_symlink" />
+         <unix:state state_ref="state_system-auth_is_a_symlink" />
+    </unix:symlink_test>
+
+    <unix:symlink_object comment="/etc/pam.d/system-auth is a symlink"
+      id="object_system-auth_is_a_symlink" version="1">
+        <unix:filepath>/etc/pam.d/system-auth</unix:filepath>
+    </unix:symlink_object>
+
+    <unix:symlink_object comment="/etc/pam.d/password-auth is a symlink"
+      id="object_password-auth_is_a_symlink" version="1">
+        <unix:filepath>/etc/pam.d/password-auth</unix:filepath>
+    </unix:symlink_object>
+
+    <unix:symlink_state comment="/etc/pam.d/system-auth points to /etc/pam.d/system-auth-local"
+      id="state_system-auth_is_a_symlink" version="1">
+        <unix:canonical_path>/etc/pam.d/system-auth-local</unix:canonical_path>
+    </unix:symlink_state>
+
+    <unix:symlink_state
+      comment="/etc/pam.d/password-auth points to /etc/pam.d/password-auth-local"
+      id="state_password-auth_is_a_symlink" version="1">
+        <unix:canonical_path>/etc/pam.d/password-auth-local</unix:canonical_path>
+    </unix:symlink_state>
+</def-group>

linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml

@@ -0,0 +1,75 @@
+documentation_complete: true
+
+prodtype: ol7,rhel7
+
+title: |-
+    Ensure system-auth and password-auth files are symbolic links pointing
+    to system-auth-local and password-auth-local
+
+description: |-
+    {{{ full_name }}} must be configured to prevent overwriting of custom authentication
+    configuration settings by the authconfig utility.
+    This can be avoided by creating new local configuration files and creating new or moving
+    existing symbolic links to them. The authconfig utility will recognize the local configuration
+    files and not overwrite them, while writing its own settings to the original configuration
+    files.
+
+rationale: |-
+    When using the authconfig utility to modify authentication configuration settings,
+    the "system-auth" and "password-auth" files and any custom settings that they may
+    contain are overwritten.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86062-7
+
+references:
+    disa: CCI-000196
+    srg: SRG-OS-000073-GPOS-00041
+    stigid@ol7: OL07-00-010199
+    stigid@rhel7: RHEL-07-010199
+
+warnings:
+    - general: |-
+        This rule doesn't come with a remediation. PAM files are very sensible to ordering and
+        custom PAM files make it nearly impossible to design an automated remediation that
+        is safe to use for all cases.
+
+ocil_clause: |-
+    The system-auth and password-auth files are not symbolic links or they
+    do not point to system-auth-local password-auth-local
+
+ocil: |-
+    Verify "system-auth" and "password-auth" files are symbolic
+    links pointing to "system-auth-local" and "password-auth-local":
+    <pre>$ sudo ls -l /etc/pam.d/{password,system}-auth</pre>
+
+fixtext: |-
+    Create custom configuration files and their corresponding symbolic links:
+
+    Rename the existing configuration files
+    (skip this step if symbolic links are already present):
+    <pre>$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre>
+    <pre>$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac</pre>
+
+    Create custom system- and password-auth configuration file:
+    <pre>$ sudo touch /etc/pam.d/{system,password}-auth-local</pre>
+
+    Make sure the custom config files include the -ac files:
+    <pre>(type)     include       password-auth-ac</pre>
+
+    Create new or move existing symbolic links to the new custom configuration files:
+    <pre>$ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth</pre>
+    <pre>$ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth</pre>
+
+    Once finished, the file structure should be the following:
+    <pre>$ sudo ls -1 /etc/pam.d/{password,system}-auth*
+
+    /etc/pam.d/password-auth
+    /etc/pam.d/password-auth-ac
+    /etc/pam.d/password-auth-local
+    /etc/pam.d/system-auth
+    /etc/pam.d/system-auth-ac
+    /etc/pam.d/system-auth-local</pre>
+

linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+# remediation = none
+
+mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
+mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
+
+cat << EOF > /etc/pam.d/system-auth-local
+auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth        include       system-auth-ac
+auth        sufficient    pam_unix.so try_first_pass
+auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account     required      pam_faillock.so
+account     include       system-auth-ac
+
+password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
+password    include       system-auth-ac
+password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session     include       system-auth-ac
+EOF
+
+cat << EOF > /etc/pam.d/password-auth-local
+auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth        include       password-auth-ac
+auth        sufficient    pam_unix.so try_first_pass
+auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account     required      pam_faillock.so
+account     include       password-auth-ac
+
+password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
+password    include       password-auth-ac
+password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session     include       password-auth-ac
+EOF
+
+ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
+ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth

linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+# remediation = none
+
+touch /etc/pam.d/{password,system}-auth-{mycustomconfig,ac}

linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+# remediation = none
+
+mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
+mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
+
+cat << EOF > /etc/pam.d/system-auth-mycustomconfig
+auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth        include       system-auth-ac
+auth        sufficient    pam_unix.so try_first_pass
+auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account     required      pam_faillock.so
+account     include       system-auth-ac
+
+password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
+password    include       system-auth-ac
+password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session     include       system-auth-ac
+EOF
+
+cat << EOF > /etc/pam.d/password-auth-mycustomconfig
+auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth        include       password-auth-ac
+auth        sufficient    pam_unix.so try_first_pass
+auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account     required      pam_faillock.so
+account     include       password-auth-ac
+
+password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
+password    include       password-auth-ac
+password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session     include       password-auth-ac
+EOF
+
+ln -sf /etc/pam.d/system-auth-mycustomconfig /etc/pam.d/system-auth
+ln -sf /etc/pam.d/password-auth-mycustomconfig /etc/pam.d/password-auth

products/ol7/profiles/stig.profile

@@ -335,3 +335,4 @@ selections:
     - account_emergency_expire_date
     - package_screen_installed
     - sysctl_kernel_dmesg_restric
+    - authconfig_config_files_symlinks

products/rhel7/profiles/stig.profile

@@ -344,3 +344,4 @@ selections:
     - package_screen_installed
     - sysctl_kernel_dmesg_restrict
     - aide_build_database
+    - authconfig_config_files_symlinks

shared/references/cce-redhat-avail.txt

@@ -1,8 +1,3 @@
-CCE-86035-3
-CCE-86036-1
-CCE-86037-9
-CCE-86039-5
-CCE-86062-7
 CCE-86063-5
 CCE-86064-3
 CCE-86065-0