Review CIS RHEL7 v4.0.0 Section 4 - Access, Authentication and Authorization #11455
Conversation
marcusburghardt
added
RHEL7
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
marcusburghardt
force-pushed
the
cis_rhel7_v4_s4
branch
from
3384e38 to
6ce7535
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
marcusburghardt
force-pushed
the
cis_rhel7_v4_s4
branch
from
10e322c to
fdf908b
Compare
|
testing farm for centos7 is failing: This rule is not new to the profile. I have to investigate why it is failing now. |
| levels: | ||
| - l1_server | ||
| - l1_workstation | ||
| status: automated |
There was a problem hiding this comment.
I think this should be partial because the set of rules below does not check the following files:
- /etc/bash.bashrc
- /etc/pam.d/postlogin
- /etc/default/login
There was a problem hiding this comment.
/etc/bash.bashrc is not expected to be used in RHEL 7. Instead is used /etc/bashrc, but the script mentioned in CIS RHEL 7 policy also considers this file. The same case is for /etc/default/login. I will open a ticket in CIS community.
It is indeed missing a rule for /etc/pam.d/postlogin
I identified the issue with I will fix in next commits. |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed'.
--- xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed
+++ xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed
@@ -19,3 +19,6 @@
of the effectiveness of a password in resisting attempts at guessing and
brute-force attacks. "pwquality" enforces complex password construction
configuration and has the ability to limit brute-force attacks on the system.
+
+[ident]:
+CCE-86225-0
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed
+++ xccdf_org.ssgproject.content_rule_package_pam_pwquality_installed
@@ -2,6 +2,7 @@
package_facts:
manager: auto
tags:
+ - CCE-86225-0
- enable_strategy
- low_complexity
- low_disruption
@@ -15,6 +16,7 @@
state: present
when: '"pam" in ansible_facts.packages'
tags:
+ - CCE-86225-0
- enable_strategy
- low_complexity
- low_disruption
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -2,7 +2,7 @@
if rpm --quiet -q pam; then
# uncomment the option if commented
- sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
+sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
@@ -9,7 +9,7 @@
pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
if [ -z "$pamstr" ]; then
sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line
- sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF}
+ sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF}
else
group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2)
if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then |
Fixed |
4.1.1 - Configure cron Requirements were just moved from section 5 to section 4.
References were updated in related rules.
4.1.2 - Configure at Requirement was just moved from section 5 to section 4.
References were updated in related rules.
4.2 - Configure SSH Server Basically requirements from section 5 were moved to section 4. Some requirements were dropped and others included. This section is very similar to CIS RHEL8.
References were updated in related rules. Two variables were also updated.
4.3 - Configure privilege escalation Some requirements were moved from section 5 to section 3 while others were included.
References were updated in related rules.
4.4.1 - Configure PAM software packages
4.4.2.2 - Configure pam_pwquality module
References were updated in related rules.
This rule satisfies the CIS RHEL7 requirement 4.4.2.2.7.
4.4.2.4 - Configure pam_unix module
References were updated in related rules.
4.5.1 - Configure shadow password suite parameters 4.5.2 - Configure root and system accounts and environment
References were updated in related rules.
This rule satisfies the CIS RHEL7 requirement 4.5.2.4.
4.5.3 - Configure user default environment
References were updated in related rules.
In alignment to the policy changelog, rules related to dropped requirements in section 4 were updated to no longer include a referece for cis rhel7.
From 3.1.1 to 4.0.0
The intention was to change the reference for rhel7 but it was actually changed the line for rhel8. rhel7 is fixed and rhel8 reverted.
During the PR review it was noticed that new rules would be necessary to more precisely satisfy some requirements. These requirements were moved from automated to partial and notes were included.
Made the variable selection explicit in the control file and updated the cis_rhel7 value. Thanks Vojtech.
Made the variable var_sudo_timestamp_timeout explicitly selected in the control file. It was also included a note about improvements in OVAL.
Moved accounts_umask_interactive_users to related_rules since the policy is now allowing the users to override the system default via initiatization files.
Some files mentioned in the policy scripts doesn't seem relevant for RHEL7. It has to be discussed in CIS Community.
This commit is just to preserve the original format of /etc/pam.d/su file. No technical impact.
The regex used in OVAL was not expecting additional options configured on the same line and assumed the use_uid was the last option. This commit makes the regex more flexible and robust.
marcusburghardt
force-pushed
the
cis_rhel7_v4_s4
branch
from
756ba46 to
dc5ad44
Compare
|
I rebased it and resolved the conflicts after the merge of #11456 |
|
Code Climate has analyzed commit dc5ad44 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5% (0.0% change). View more on Code Climate. |
|
Hello @marcusburghardt and thank you. I think all my feedback was incorporated into the PR. |
Description:
Review the cis_rhel7.yml control file and update the following section in alignment to CIS RHEL 7 v4.0.0:
Also update references in related rules.
Rationale:
Keep RHEL 7 profiles updated with CIS RHEL 7 last version.
Review Hints:
The easiest way is to open the CIS RHEL8 v3.0.0 policy and compare the changes in commits with the respective requirements.