
Update RHEL 9 STIG to V1R2 #11479

Merged
jan-cerny merged 7 commits into ComplianceAsCode:master from Mab879:update_rhel9_v1r2 on Jan 26, 2024

Conversation

@Mab879 (Member) commented Jan 25, 2024

Description:

  • Update RHEL 9 STIG to V1R2
  • Adjust a few rules based on V1R2

Rationale:

Keep the STIG up-to-date.

@Mab879 Mab879 added labels RHEL9 (Red Hat Enterprise Linux 9 product related), Update Rule (Issues or pull requests related to Rules updates), Update Profile (Issues or pull requests related to Profiles updates), STIG (STIG Benchmark related) Jan 25, 2024
@Mab879 Mab879 added this to the 0.1.72 milestone Jan 25, 2024
@Mab879 Mab879 requested a review from a team as a code owner January 25, 2024 03:21
@github-actions commented

This datastream diff is auto generated by the check Compare DS/Generate Diff
OCIL for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools' differs.
--- ocil:ssg-aide_check_audit_tools_ocil:questionnaire:1
+++ ocil:ssg-aide_check_audit_tools_ocil:questionnaire:1
@@ -10,7 +10,6 @@
 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
 
 
-
 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
 
 

OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1
+++ ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1
@@ -4,7 +4,7 @@
 
 $ sudo grep tmux /etc/bashrc /etc/profile.d/*
 
-/etc/profile.d/tmux.sh:  case "$name" in (sshd|login) exec tmux ;; esac
+/etc/profile.d/tmux.sh:  case "$name" in (sshd|login) tmux ;; esac
 
 Review the tmux script by using the following example:
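Review bot: dropping `exec` on the line `+/etc/profile.d/tmux.sh:  case "$name" in (sshd|login) tmux ;; esac` changes what happens when tmux ends, and the questionnaire should say so. With `exec tmux` the login shell is replaced by tmux, so the session terminates when tmux exits; without `exec`, tmux runs as a child process and the user is dropped back into the original, non-tmux shell when tmux exits or the client detaches. If that fallback is the intended V1R2 behaviour, a sentence in the OCIL explaining it would spare assessors who see a bare shell after detaching from concluding that the control is not enforced.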
 
@@ -13,7 +13,7 @@
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
-case "$name" in (sshd|login) exec tmux ;; esac
+case "$name" in (sshd|login) tmux ;; esac
 fi
 
 If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.
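Review bot: the example line `+case "$name" in (sshd|login) tmux ;; esac` uses the parenthesised pattern form, while the bash remediation for the same rule in this PR greps for and writes `case "$name" in sshd|login) tmux ;; esac` without the opening parenthesis. Both are valid POSIX shell, but the closing sentence declares anything "not configured as the example above" a finding, so a host configured by the project's own remediation reads as a finding to a literal assessor. Use the same spelling in the OCIL example and in the bash and Ansible remediations, or state in the OCIL that both forms are acceptable.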

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
@@ -1,12 +1,12 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
 
-if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
+if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then
     cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in sshd|login) tmux ;; esac
 fi
 EOF
     chmod 0644 /etc/profile.d/tmux.sh
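Review bot: the guard on the line `+if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then` inspects only /etc/bashrc, yet the body appends (`cat >>`) to /etc/profile.d/tmux.sh, so the remediation is not idempotent: a host that already carries the line in /etc/profile.d/tmux.sh rather than /etc/bashrc gets a second copy of the block on every run, and a host still carrying the old `exec tmux` variant gets the new block added beside it instead of replacing it. Grep /etc/profile.d/tmux.sh as well (the OCIL already checks both locations) and write the file with `>` rather than `>>`, or rewrite the existing `exec tmux` line in place.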

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
@@ -15,7 +15,7 @@
   ansible.builtin.find:
     paths: /etc
     patterns: bashrc
-    contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
+    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
   register: tmux_in_bashrc
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
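Review bot: `contains` on the line `+    contains: .*case "$name" in sshd|login\) tmux ;; esac.*` is a regular expression (the `\)` escape shows it is treated as one), and two metacharacters in it are left unescaped: `|` turns the whole pattern into the alternation `.*case "$name" in sshd` or `login\) tmux ;; esac.*`, and `$` is an end-of-line anchor rather than a literal dollar sign, so the first alternative cannot match a line containing the literal text `$name`. The result is that the check does not match the literal line it is meant to find and cannot tell the new `tmux` line from the old `exec tmux` one. Escape them (`\$name` and `sshd\|login\)`) so the pattern matches exactly the line the bash remediation greps for.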
@@ -34,7 +34,7 @@
   ansible.builtin.find:
     paths: /etc/profile.d
     patterns: '*.sh'
-    contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
+    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
   register: tmux_in_profile_d
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
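Review bot: the pattern on the line `+    contains: .*case "$name" in sshd|login\) tmux ;; esac.*` has the same unescaped regex metacharacters as the /etc/bashrc lookup: `|` makes it an alternation and `$` is an anchor, not a literal, so the /etc/profile.d scan does not match the literal line and `tmux_in_profile_d` is not a reliable signal for the tasks that depend on it. Escape both (`\$name`, `sshd\|login\)`) and keep the two `contains` values identical.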
@@ -55,7 +55,7 @@
       if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) exec tmux ;; esac
+        case "$name" in sshd|login) tmux ;; esac
       fi
     create: true
   when:
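Review bot: this block writes the new `case "$name" in sshd|login) tmux ;; esac` content with `create: true`, but nothing in the visible diff removes or rewrites a previously remediated `exec tmux` line, so a host remediated under the previous content keeps both variants. An `ansible.builtin.replace` task that rewrites `exec tmux ;; esac` to `tmux ;; esac` in /etc/bashrc and /etc/profile.d/*.sh before this task would bring upgraded hosts to a single, consistent configuration.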

@jan-cerny jan-cerny self-assigned this Jan 25, 2024
@jan-cerny (Collaborator) left a comment

The tests pass locally:

jcerny@fedora:~/work/git/scap-security-guide (pr/11479)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 configure_bashrc_exec_tmux
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-25-1006/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_d_directory.pass.sh using profile (all) OK
INFO - Script duplicate_value_multiple_files.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/11479)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible configure_bashrc_exec_tmux
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-01-25-1010/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_d_directory.pass.sh using profile (all) OK
INFO - Script duplicate_value_multiple_files.pass.sh using profile (all) OK

@Mab879 Mab879 force-pushed the update_rhel9_v1r2 branch from 5ec1dfa to 5dbd892 Compare January 25, 2024 13:03
@Mab879 Mab879 requested a review from jan-cerny January 25, 2024 14:04
@Mab879 Mab879 force-pushed the update_rhel9_v1r2 branch from 5dbd892 to 7a27f80 Compare January 25, 2024 15:59
@qlty-cloud-legacy commented

Code Climate has analyzed commit 7a27f80 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5% (0.0% change).

@jan-cerny (Collaborator) commented

/packit retest-failed

@jan-cerny (Collaborator) commented

/packit retest-failed

@jan-cerny jan-cerny merged commit c375bea into ComplianceAsCode:master Jan 26, 2024
@Mab879 Mab879 deleted the update_rhel9_v1r2 branch January 26, 2024 14:08