From 264af69279b71ee2d77e5909418b88e610ab95f9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 4 Oct 2024 13:07:53 +0200 Subject: [PATCH] Create CIS rules for login banners RHEL 8 CIS Benchmark v3.0.0 and RHEL 9 CIS Benchmark v2.0.0 in sections 1.7.1, 1.7.2 and 1.7.3 require login banners to be configured. Currently, these requirements are covered in our content by rules `banner_etc_motd`, `banner_etc_issue` and `banner_etc_issue_net`. However, these rules don't exactly align with the CIS requirements. The rules require an exact banner text that can only differ in white space but must be the same. But, the CIS requirements allow custom banner texts with local policy. Moreover, they require not displaying versions and kernels in the banner text, which isn't checked in our rules. Although applying our rules makes the system compliant, many configurations that comply with CIS will not pass the scan. We will replace these rules with new rules that are better aligned with CIS and will pass with custom banners. The new rules are very similar and therefore a new template `cis_banner` has been created to share code among them. 
Resolves: https://issues.redhat.com/browse/RHEL-59133 --- components/pam.yml | 3 ++ controls/cis_rhel10.yml | 12 +++--- controls/cis_rhel8.yml | 12 +++--- controls/cis_rhel9.yml | 12 +++--- docs/templates/template_reference.md | 14 +++++++ .../banner_etc_issue_cis/rule.yml | 41 +++++++++++++++++++ .../banner_etc_issue_net_cis/rule.yml | 41 +++++++++++++++++++ .../banner_etc_motd_cis/rule.yml | 40 ++++++++++++++++++ .../accounts-banners/cis_banner_text.var | 16 ++++++++ products/rhel8/profiles/default.profile | 2 + shared/macros/10-ocil.jinja | 16 ++++++++ shared/references/cce-redhat-avail.txt | 9 ---- shared/templates/cis_banner/ansible.template | 12 ++++++ shared/templates/cis_banner/bash.template | 7 ++++ shared/templates/cis_banner/oval.template | 37 +++++++++++++++++ shared/templates/cis_banner/template.py | 3 ++ shared/templates/cis_banner/template.yml | 4 ++ .../cis_banner/tests/cis_banner.pass.sh | 2 + .../cis_banner/tests/custom_banner.pass.sh | 5 +++ shared/templates/cis_banner/tests/dne.fail.sh | 6 +++ shared/templates/cis_banner/tests/dne.pass.sh | 6 +++ .../templates/cis_banner/tests/empty.fail.sh | 6 +++ .../templates/cis_banner/tests/empty.pass.sh | 6 +++ .../templates/cis_banner/tests/wrong.fail.sh | 5 +++ .../data/profile_stability/rhel8/cis.profile | 9 ++-- .../rhel8/cis_server_l1.profile | 9 ++-- .../rhel8/cis_workstation_l1.profile | 9 ++-- .../rhel8/cis_workstation_l2.profile | 9 ++-- .../data/profile_stability/rhel9/cis.profile | 9 ++-- .../rhel9/cis_server_l1.profile | 9 ++-- .../rhel9/cis_workstation_l1.profile | 9 ++-- .../rhel9/cis_workstation_l2.profile | 9 ++-- 32 files changed, 322 insertions(+), 67 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_cis/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net_cis/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd_cis/rule.yml create mode 100644 
linux_os/guide/system/accounts/accounts-banners/cis_banner_text.var create mode 100644 shared/templates/cis_banner/ansible.template create mode 100644 shared/templates/cis_banner/bash.template create mode 100644 shared/templates/cis_banner/oval.template create mode 100644 shared/templates/cis_banner/template.py create mode 100644 shared/templates/cis_banner/template.yml create mode 100644 shared/templates/cis_banner/tests/cis_banner.pass.sh create mode 100644 shared/templates/cis_banner/tests/custom_banner.pass.sh create mode 100644 shared/templates/cis_banner/tests/dne.fail.sh create mode 100644 shared/templates/cis_banner/tests/dne.pass.sh create mode 100644 shared/templates/cis_banner/tests/empty.fail.sh create mode 100644 shared/templates/cis_banner/tests/empty.pass.sh create mode 100644 shared/templates/cis_banner/tests/wrong.fail.sh diff --git a/components/pam.yml b/components/pam.yml index a6cd4669cf9..577d57e6682 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -107,8 +107,11 @@ rules: - authconfig_config_files_symlinks - banner_etc_gdm_banner - banner_etc_issue +- banner_etc_issue_cis - banner_etc_issue_net +- banner_etc_issue_net_cis - banner_etc_motd +- banner_etc_motd_cis - configure_bashrc_exec_tmux - configure_bashrc_tmux - configure_opensc_card_drivers diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml index b70d0094dca..7bf09eae699 100644 --- a/controls/cis_rhel10.yml +++ b/controls/cis_rhel10.yml @@ -620,8 +620,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_motd - - motd_banner_text=cis_banners + - banner_etc_motd_cis + - cis_banner_text=cis - id: 1.7.2 title: Ensure local login warning banner is configured properly (Automated) @@ -630,8 +630,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_issue - - login_banner_text=cis_banners + - banner_etc_issue_cis + - cis_banner_text=cis - id: 1.7.3 title: Ensure remote login warning banner is configured properly (Automated) 
@@ -640,8 +640,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_issue_net - - remote_login_banner_text=cis_banners + - banner_etc_issue_net_cis + - cis_banner_text=cis - id: 1.7.4 title: Ensure access to /etc/motd is configured (Automated) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 102793f78ca..95b94d22faf 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -579,8 +579,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_motd - - motd_banner_text=cis_banners + - banner_etc_motd_cis + - cis_banner_text=cis - id: 1.7.2 title: Ensure local login warning banner is configured properly (Automated) @@ -589,8 +589,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_issue - - login_banner_text=cis_banners + - banner_etc_issue_cis + - cis_banner_text=cis - id: 1.7.3 title: Ensure remote login warning banner is configured properly (Automated) @@ -599,8 +599,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_issue_net - - remote_login_banner_text=cis_banners + - banner_etc_issue_net_cis + - cis_banner_text=cis - id: 1.7.4 title: Ensure access to /etc/motd is configured (Automated) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index ffa633298da..487f6a018bb 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -617,8 +617,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_motd - - motd_banner_text=cis_banners + - banner_etc_motd_cis + - cis_banner_text=cis - id: 1.7.2 title: Ensure local login warning banner is configured properly (Automated) @@ -627,8 +627,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_issue - - login_banner_text=cis_banners + - banner_etc_issue_cis + - cis_banner_text=cis - id: 1.7.3 title: Ensure remote login warning banner is configured properly (Automated) 
@@ -637,8 +637,8 @@ controls: - l1_workstation status: automated rules: - - banner_etc_issue_net - - remote_login_banner_text=cis_banners + - banner_etc_issue_net_cis + - cis_banner_text=cis - id: 1.7.4 title: Ensure access to /etc/motd is configured (Automated) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 6ab0dcfaa8b..0315da41e64 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -205,6 +205,20 @@ - Languages: OVAL +#### cis_banner +- Verify that the contents of a login banner in the given `filepath` complies + with CIS requirements. + +- Parameters: + + - **filepath** - Path to the login banner file, eg. `/etc/motd`. + + - **banner_must_be_set** - If set to `"true"`, the rule will fail if no + banner is configured in that file. Otherwise, the rule will pass if + the banner isn't configured. + +- Languages: Ansible, Bash, OVAL + #### coreos_kernel_option - Checks that `argument=value` pair is present in the kernel arguments. Note that this applies to Red Hat CoreOS. diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_cis/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_cis/rule.yml new file mode 100644 index 00000000000..d95f63cfec6 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_cis/rule.yml 
@@ -0,0 +1,41 @@ +documentation_complete: true + +title: Ensure Local Login Warning Banner Is Configured Properly + +description: |- + To configure the system local login warning banner edit the /etc/issue file. + The contents of this file is displayed to users prior to login to local terminals. + Replace the default text with a message compliant with the local site policy. + The message should not contain information about operating system version, + release, kernel version or patch level. + + The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text: +
+    {{{ xccdf_value("cis_banner_text") }}}
+    
+ +rationale: |- + Warning messages inform users who are attempting to login to the system of their legal + status regarding the system and must include the name of the organization that owns + the system and any monitoring policies that are in place. Displaying OS and patch level + information in login banners also has the side effect of providing detailed system + information to attackers attempting to target specific exploits of a system. Authorized + users can easily get this information by running the uname -a command once they + have logged in. + +severity: medium + +identifiers: + cce@rhel8: CCE-86160-9 + cce@rhel9: CCE-86142-7 + cce@rhel10: CCE-86165-8 + +{{{ ocil_cis_banner("/etc/issue") }}} + +platform: machine + +template: + name: cis_banner + vars: + filepath: /etc/issue + banner_must_be_set: "true" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net_cis/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net_cis/rule.yml new file mode 100644 index 00000000000..45b9d4a082f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net_cis/rule.yml @@ -0,0 +1,41 @@ +documentation_complete: true + +title: Ensure Remote Login Warning Banner Is Configured Properly + +description: |- + To configure the system remote login warning banner edit the /etc/issue.net file. + The contents of this file is displayed to users prior to login from remote connections. + Replace the default text with a message compliant with the local site policy. + The message should not contain information about operating system version, + release, kernel version or patch level. + + The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text: +
+    {{{ xccdf_value("cis_banner_text") }}}
+    
+ +rationale: |- + Warning messages inform users who are attempting to login to the system of their legal + status regarding the system and must include the name of the organization that owns + the system and any monitoring policies that are in place. Displaying OS and patch level + information in login banners also has the side effect of providing detailed system + information to attackers attempting to target specific exploits of a system. Authorized + users can easily get this information by running the uname -a command once they + have logged in. + +severity: medium + +identifiers: + cce@rhel8: CCE-86167-4 + cce@rhel9: CCE-86143-5 + cce@rhel10: CCE-86169-0 + +{{{ ocil_cis_banner("/etc/issue.net") }}} + +platform: machine + +template: + name: cis_banner + vars: + filepath: /etc/issue.net + banner_must_be_set: "true" diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd_cis/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd_cis/rule.yml new file mode 100644 index 00000000000..748193ce880 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd_cis/rule.yml @@ -0,0 +1,40 @@ +documentation_complete: true + +title: Ensure Message Of The Day Is Configured Properly + +description: |- + To configure the system message of the day banner edit the /etc/motd file. + Replace the default text with a message compliant with the local site policy. + The message should not contain information about operating system version, + release, kernel version or patch level. + + The recommended banner text can be tailored in the XCCDF Value xccdf_org.ssgproject.content_value_cis_banner_text: +
+    {{{ xccdf_value("cis_banner_text") }}}
+    
+ +rationale: |- + Warning messages inform users who are attempting to login to the system of their legal + status regarding the system and must include the name of the organization that owns + the system and any monitoring policies that are in place. Displaying OS and patch level + information in login banners also has the side effect of providing detailed system + information to attackers attempting to target specific exploits of a system. Authorized + users can easily get this information by running the uname -a command once they + have logged in. + +severity: medium + +identifiers: + cce@rhel8: CCE-86145-0 + cce@rhel9: CCE-86141-9 + cce@rhel10: CCE-86150-0 + +{{{ ocil_cis_banner("/etc/motd") }}} + +platform: machine + +template: + name: cis_banner + vars: + filepath: /etc/motd + banner_must_be_set: "false" diff --git a/linux_os/guide/system/accounts/accounts-banners/cis_banner_text.var b/linux_os/guide/system/accounts/accounts-banners/cis_banner_text.var new file mode 100644 index 00000000000..0039caeb1dd --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-banners/cis_banner_text.var @@ -0,0 +1,16 @@ +documentation_complete: true + +title: 'CIS Login Banner Verbiage' + +description: |- + Enter an appropriate login banner for your organization according to the local policy. + +type: string + +operator: equals + +interactive: true + +options: + default: "Authorized users only. All activity may be monitored and reported." + cis: "Authorized users only. All activity may be monitored and reported." diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index 7c49ef106be..2a09c7909fa 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile @@ -710,3 +710,5 @@ selections: - sebool_cluster_manage_all_files - iptables_rules_for_open_ports - dovecot_configure_ssl_key + - banner_etc_motd + - banner_etc_issue_net 
diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index c0507a34edc..926ea786348 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -1282,3 +1282,19 @@ oc describe rolebinding.rbac If these results show users with privileged access that do not require that access, this is a finding. {{%- endmacro %}} +{{# +OCIL macro to check CIS requirements on command line warning banners. +The macro provides both check and clause. + +:param filepath: filepath to be checked +:type filepath: str +#}} + +{{%- macro ocil_cis_banner(filepath) -%}} +ocil_clause: any results are returned + +ocil: |- + Run the following command and verify no results are returned: + + $ grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" {{{ filepath }}} +{{%- endmacro %}} diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 33debb230d4..0ff564b4ebd 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,12 +1,3 @@ -CCE-86141-9 -CCE-86142-7 -CCE-86143-5 -CCE-86145-0 -CCE-86150-0 -CCE-86160-9 -CCE-86165-8 -CCE-86167-4 -CCE-86169-0 CCE-86170-8 CCE-86178-1 CCE-86179-9 diff --git a/shared/templates/cis_banner/ansible.template b/shared/templates/cis_banner/ansible.template new file mode 100644 index 00000000000..f0bae88df26 --- /dev/null +++ b/shared/templates/cis_banner/ansible.template @@ -0,0 +1,12 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +{{{ ansible_instantiate_variables("cis_banner_text") }}} + +- name: {{{ rule_title }}} - Copy using inline content + ansible.builtin.copy: + content: "{{ cis_banner_text }}" + dest: {{{ FILEPATH }}} diff --git a/shared/templates/cis_banner/bash.template b/shared/templates/cis_banner/bash.template new file mode 100644 index 00000000000..24b4d49cc9f --- /dev/null +++ b/shared/templates/cis_banner/bash.template 
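Review bot: The new `ocil_cis_banner` macro only asks the assessor to confirm that the grep returns nothing, so for /etc/issue and /etc/issue.net, whose rules set `banner_must_be_set: "true"`, the manual procedure accepts an empty or missing file that the OVAL in this same patch rejects. The macro takes only `filepath`, so it cannot express that difference; I would add a `banner_must_be_set` parameter mirroring the template and, when it is "true", append to the `ocil` text: `Also verify that {{{ filepath }}} exists and is not empty; a missing or empty banner file is a finding.` It is also worth noting that the grep runs with `-i`, so the manual check is case-insensitive and should stay in sync with the automated regex.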
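Review bot: The Ansible remediation writes `content: "{{ cis_banner_text }}"` without a trailing newline, while the Bash remediation in the sibling template uses `echo`, which appends one, so the two fixers produce different files for the same XCCDF value. Changing the line to `content: "{{ cis_banner_text }}\n"` keeps them in step. The task also sets no `mode`/`owner`, so a freshly created banner file gets whatever the umask yields; the CIS 1.7.4–1.7.6 permission controls visible in the controls hunks appear to cover that separately, so I would at most add a comment saying so rather than change the task.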
@@ -0,0 +1,7 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low +{{{ bash_instantiate_variables("cis_banner_text") }}} +echo "$cis_banner_text" > "{{{ FILEPATH }}}" diff --git a/shared/templates/cis_banner/oval.template b/shared/templates/cis_banner/oval.template new file mode 100644 index 00000000000..d5e1d3f43d9 --- /dev/null +++ b/shared/templates/cis_banner/oval.template @@ -0,0 +1,37 @@ + + + {{{ oval_metadata("Check that " + FILEPATH + " does not contain OS and version information") }}} + + {{% if BANNER_MUST_BE_SET == "true" %}} + + {{% endif %}} + + + + +{{% if BANNER_MUST_BE_SET == "true" %}} + + + + + + {{{ FILEPATH }}} + ^.+$ + 1 + +{{% endif %}} + + + + + + + {{{ FILEPATH }}} + (\\v|\\r|\\m|\\s|{{{ product }}}) + 1 + + diff --git a/shared/templates/cis_banner/template.py b/shared/templates/cis_banner/template.py new file mode 100644 index 00000000000..e93ea5d5254 --- /dev/null +++ b/shared/templates/cis_banner/template.py @@ -0,0 +1,3 @@ + +def preprocess(data, lang): + return data diff --git a/shared/templates/cis_banner/template.yml b/shared/templates/cis_banner/template.yml new file mode 100644 index 00000000000..b57de6fbb63 --- /dev/null +++ b/shared/templates/cis_banner/template.yml @@ -0,0 +1,4 @@ +supported_languages: + - ansible + - bash + - oval diff --git a/shared/templates/cis_banner/tests/cis_banner.pass.sh b/shared/templates/cis_banner/tests/cis_banner.pass.sh new file mode 100644 index 00000000000..edcd5e35307 --- /dev/null +++ b/shared/templates/cis_banner/tests/cis_banner.pass.sh @@ -0,0 +1,2 @@ +#!/bin/bash +echo "Authorized users only. All activity may be monitored and reported." > {{{ FILEPATH }}} diff --git a/shared/templates/cis_banner/tests/custom_banner.pass.sh b/shared/templates/cis_banner/tests/custom_banner.pass.sh new file mode 100644 index 00000000000..f13750c1c37 --- /dev/null +++ b/shared/templates/cis_banner/tests/custom_banner.pass.sh 
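Review bot: `echo "$cis_banner_text" > "{{{ FILEPATH }}}"` is unsafe for a tailored value: bash's builtin echo treats a leading `-n`, `-e` or `-E` in the argument as an option and silently alters or truncates the banner that is written, and with `xpg_echo` enabled it would also interpret backslash sequences. Since the value is operator-supplied via tailoring, use `printf '%s\n' "$cis_banner_text" > "{{{ FILEPATH }}}"` instead, which writes the text verbatim and keeps the trailing newline.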
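Review bot: The forbidden-content pattern `(\\v|\\r|\\m|\\s|{{{ product }}})` diverges from the benchmark audit that this patch's own OCIL macro reproduces: that audit greps case-insensitively for the `ID=` value from /etc/os-release (e.g. `rhel`), whereas `{{{ product }}}` expands to the versioned product token (e.g. `rhel8`) and the OVAL match looks case-sensitive, so a banner such as "Welcome to RHEL 9" passes the scan but fails the CIS audit. I would prefix the pattern with `(?i)` and match the os-release ID rather than the product token; the page shows only the text of the OVAL objects (the XML elements appear stripped), so I am reading the pattern text, not the element attributes. Separately, the non-empty check `^.+$` accepts a whitespace-only line; `^.*\S.*$` would require real content. The `{{% if BANNER_MUST_BE_SET == "true" %}}` guards otherwise look consistent with the rule.yml values.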
@@ -0,0 +1,5 @@ +#!/bin/bash +cat > "{{{ FILEPATH }}}" < "{{{ FILEPATH }}}" +{{% endif %}} diff --git a/shared/templates/cis_banner/tests/empty.pass.sh b/shared/templates/cis_banner/tests/empty.pass.sh new file mode 100644 index 00000000000..fe031bab9bf --- /dev/null +++ b/shared/templates/cis_banner/tests/empty.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +{{% if BANNER_MUST_BE_SET == "true" %}} +# platform = Not Applicable +{{% else %}} +echo > "{{{ FILEPATH }}}" +{{% endif %}} diff --git a/shared/templates/cis_banner/tests/wrong.fail.sh b/shared/templates/cis_banner/tests/wrong.fail.sh new file mode 100644 index 00000000000..e9ecb802490 --- /dev/null +++ b/shared/templates/cis_banner/tests/wrong.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +cat > "{{{ FILEPATH }}}" <