rewrite of SV-204392

.github/workflows/verify-ec2.yml

@@ -49,11 +49,11 @@ jobs:
       - name: Run kitchen test
         run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true
       - name: Display our ${{ matrix.suite }} results summary
-        uses: mitre/saf_action@v1
+        uses: mitre/saf_action@main
         with:
           command_string: 'view summary -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json'
       - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
-        uses: mitre/saf_action@v1
+        uses: mitre/saf_action@main
         with:
           command_string: 'validate threshold -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
       - name: Save Test Result JSON

.github/workflows/verify-vagrant.yml

@@ -40,11 +40,11 @@ jobs:
       - name: Run kitchen test
         run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true
       - name: Display our ${{ matrix.suite }} results summary
-        uses: mitre/saf_action@v1
+        uses: mitre/saf_action@main
         with:
           command_string: 'view summary -i spec/results/rhel-7_${{ matrix.suite }}.json'
       - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
-        uses: mitre/saf_action@v1
+        uses: mitre/saf_action@main
         with:
           command_string: 'validate threshold -i spec/results/rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
       - name: Save Test Result JSON

README.md

@@ -1,6 +1,6 @@
 # red-hat-enterprise-linux-7-stig-baseline
 
-InSpec profile to validate the secure configuration of Red Hat Enterprise Linux 7 against [DISA's](https://iase.disa.mil/stigs/Pages/index.aspx) Red Hat Enterprise Linux 7 STIG Version 3 Release 6.
+InSpec profile to validate the secure configuration of Red Hat Enterprise Linux 7 against [DISA's](https://public.cyber.mil/stigs/downloads/) Red Hat Enterprise Linux 7 STIG Version 3 Release 10.
 
 ## Getting Started  
 It is intended and recommended that InSpec and this profile be run from a __"runner"__ host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over __ssh__.
@@ -14,8 +14,8 @@ Latest versions and installation options are available at the [InSpec](http://in
 The following inputs may be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://www.inspec.io/docs/reference/profiles/).
 
 ```yaml
-# Used by InSpec checks V-71849, V-71855, V-72037
-# InSpec Tests that are known to consistently have long run times (V-71849, V-71855, V-72037) can be disabled with this attribute
+# Used by InSpec checks SV-204392, SV-204478, SV-214799
+# InSpec Tests that are known to consistently have long run times can be disabled with this attribute
 # Acceptable values: false, true
 # (default: false)
 disable_slow_controls: 
@@ -24,27 +24,23 @@ disable_slow_controls:
 # (default: true)
 monitor_kernel_log: 
 
-# Used by InSpec check V-71849
+# Used by InSpec check SV-204392
 # list of system files that should be allowed to change from an rpm verify point of view
 rpm_verify_perms_except: []
 
-# Used by InSpec check V-71855
+# Used by InSpec check SV-214799
 # list of system files that should be allowed to change from an rpm verify point of view
 rpm_verify_integrity_except: []
 
 # Set to 'true' if the login banner message should be enabled
 # (default: true)
 banner_message_enabled: 
 
-# Used by InSpec check V-72211 (default: false)
+# Used by InSpec check SV-204575 (default: false)
 # Do NOT set to 'true' UNLESS the server is documented as being used as a log aggregation server. 
 log_aggregation_server: 
 
-# Used by InSpec check V-72047 (default: [])
-# Known application groups that are allowed to have world-writeable files or directories
-application_groups: []
-
-# Used by InSpec check V-72307 (default: false)
+# Used by InSpec check SV-204624 (default: false)
 # Do NOT set to 'true' UNLESS use of X Windows System is documented and approved. 
 x11_enabled: 
 
@@ -84,9 +80,6 @@ difok: 8
 # Number of reuse generations
 min_reuse_generations: 5
 
-# Number of characters
-min_len: 15
-
 # Number of days
 days_of_inactivity: 0
 
@@ -105,54 +98,47 @@ file_integrity_tool: ''
 # Interval to run the file integrity tool (monthly, weekly, or daily).
 file_integrity_interval: ''
 
+# Used by InSpec checks SV-204498 SV-204499 SV-204500 (default: "/etc/aide.conf")
+# Path to the aide.conf file
+aide_conf_path:
+
 # System activity timeout (time in seconds).
 system_activity_timeout: 600
 
 # Client alive interval (time in seconds).
 client_alive_interval: 600
 
-# V-71965, V-72417, V-72433
+# SV-204441, SV-204631, SV-204633
 # (enabled or disabled)
 smart_card_status: "enabled"
 
-# V-72051/V-72209
+# SV-204489, SV-204574
 # The path to the logging package
 log_pkg_path: "/etc/rsyslog.conf"
 
-# V-72011, V-72015, V-72017, V-72019, V-72021, V-72023, V-72025
-# V-72027, V-72029, V-72031, V-72033, V-72035, V-72037, V-72059
-# Users exempt from home directory-based controls in array
-# format
+# SV-204467, SV-204468, SV-204469, SV-204470, SV-204471, SV-204472, SV-204473
+# SV-204474, SV-204475, SV-204476, SV-204477, SV-204478, SV-204493
+# Users exempt from home directory-based controls in array format
 exempt_home_users: []
 
-# V-71961
+# SV-244557
 # main grub boot config file
 grub_main_cfg: ""
 
 # Main grub boot config file
 grub_uefi_main_cfg: ''
 
-# superusers for grub boot ( array )
-grub_superusers: ''
-
 # grub boot config files
 grub_user_boot_files: []
 
-# V-71963
-# superusers for efi boot ( array )
-efi_superusers: []
-
-# V-71971
+# SV-204444
 # system accounts that support approved system activities
 admin_logins: []
 
-# Maximum number of times to prompt user for new password
-max_rety: 3
-
 # The list of packages needed for MFA on RHEL
 mfa_pkg_list: []
 
-# V-77819
+# SV-204397
 # should dconf have smart card authentication (e.g., true or false <- no quotes!)
 multifactor_enabled: true
 
@@ -165,12 +151,12 @@ randomize_va_space: 2
 # File systems that don't correspond to removable media
 non_removable_media_fs: []
 
-# V-72317
+# SV-204629
 # approved configured tunnels prepended with word 'conn'
 # Example: ['conn myTunnel']
 approved_tunnels: []
 
-# V-72039
+# SV-204479
 # Is the target expected to be a virtual machine
 virtual_machine: false
 
@@ -216,30 +202,15 @@ custom_antivirus: false
 # Description of custom antivirus solution, when in use.
 custom_antivirus_description: ''
 
-# Whether an HIPS solution, other than HBSS, is in use.
-custom_hips: false
-
-# Description of custom HIPS solution, when in use.
-custom_hips_description: ''
-
-# Restrict the number of returned processes to account for invalid inputs, such as nil(~), that will match all processes while allowing for 3rd party software that may spawn multiple similarly named processes.
-max_daemon_processes: 1
-
 # It is reasonable and advisable to skip checksum on frequently changing files
 aide_exclude_patterns: []
 
-# A list of acceptable terminal multiplexers
-terminal_mux_pkgs: []
-
 # Required PAM rules
 required_rules: []
 
 # Alternate PAM rules
 alternate_rules: []
 
-# is an HBSS with a Device Control Module and a Data Loss Prevention mechanism
-data_loss_prevention_installed: true
-
 # An alternate method is used for logs than rsyslog
 alternate_logs: false
 

controls/SV-204392.rb

@@ -1,28 +1,31 @@
+require 'shellwords'
+
 control 'SV-204392' do
   title 'The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership,
     and group membership of system files and commands match the vendor values.'
   desc 'Discretionary access control is weakened if a user or group has access permissions to system files and
     directories greater than the default.'
-  desc 'rationale', ''
-  desc 'check', %q{Verify the file permissions, ownership, and group membership of system files and commands match the
-    vendor values.
-    Check the default file permissions, ownership, and group membership of system files and commands with the following
-    command:
-    # for i in `rpm -Va | egrep '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j
-    --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done
-    /var/log/gdm 040755 root root
-    /etc/audisp/audisp-remote.conf 0100640 root root
-    /usr/bin/passwd 0104755 root root
-    For each file returned, verify the current permissions, ownership, and group membership:
-    # ls -la <filename>
-    -rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf
-    If the file is more permissive than the default permissions, this is a finding.
-    If the file is not owned by the default owner and is not documented with the Information System Security Officer
-    (ISSO), this is a finding.
-    If the file is not a member of the default group and is not documented with the Information System Security Officer
-    (ISSO), this is a finding.}
-  desc  'fix', "
-    Run the following command to determine which package owns the file:
+  desc 'check', %q(Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.
+
+Check the default file permissions, ownership, and group membership of system files and commands with the following command:
+
+     # for i in `rpm -Va | grep -E '^.{1}M|^.{5}U|^.{6}G' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done
+
+     /var/log/gdm 040755 root root
+     /etc/audisp/audisp-remote.conf 0100640 root root
+     /usr/bin/passwd 0104755 root root
+
+For each file returned, verify the current permissions, ownership, and group membership:
+     # ls -la <filename>
+
+     -rw-------. 1 root root 2017 Nov 1 10:03 /etc/audisp/audisp-remote.conf
+
+If the file is more permissive than the default permissions, this is a finding.
+
+If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.
+
+If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.)
+  desc 'fix', 'Run the following command to determine which package owns the file:
 
     # rpm -qf <filename>
 
@@ -34,21 +37,21 @@
 
     Reset the permissions of files within a package with the following command:
 
-    #rpm --setperms <packagename>
-  "
+    #rpm --setperms <packagename>'
   impact 0.7
-  tag 'legacy': ['V-71849', 'SV-86473']
-  tag 'severity': 'high'
-  tag 'gtitle': 'SRG-OS-000257-GPOS-00098'
-  tag 'satisfies': ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000278-GPOS-00108']
-  tag 'gid': 'V-204392'
-  tag 'rid': 'SV-204392r646841_rule'
-  tag 'stig_id': 'RHEL-07-010010'
-  tag 'fix_id': 'F-36302r646840_fix'
-  tag 'cci': ['CCI-001494', 'CCI-001496', 'CCI-002165', 'CCI-002235']
+  tag legacy: ['V-71849', 'SV-86473']
+  tag severity: 'high'
+  tag gtitle: 'SRG-OS-000257-GPOS-00098'
+  tag satisfies: ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000278-GPOS-00108']
+  tag gid: 'V-204392'
+  tag rid: 'SV-204392r880752_rule'
+  tag stig_id: 'RHEL-07-010010'
+  tag fix_id: 'F-36302r880751_fix'
+  tag cci: ['CCI-001494', 'CCI-001496', 'CCI-002165', 'CCI-002235']
   tag nist: ['AU-9', 'AU-9 (3)', 'AC-3 (4)', 'AC-6 (10)']
   tag subsystems: ['permissions', 'package', 'rpm']
-  tag 'host', 'container'
+  tag 'host'
+  tag 'container'
 
   if input('disable_slow_controls')
     describe "This control consistently takes a long time to run and has been disabled
@@ -58,23 +61,31 @@
             full accredidation for production."
     end
   else
+    ownership_allowlist = input('rpm_verify_ownership_except')
+    group_membership_allowlist = input('rpm_verify_group_membership_except')
 
-    allowlist = input('rpm_verify_perms_except')
-
-    misconfigured_packages = command('rpm -Va').stdout.split("\n")
-                                               .select { |package| package[0..7].match(/M|U|G/) }
-                                               .map { |package| package.match(/\S+$/)[0] }
+    identified_files = command('rpm -Va | awk \'/^.{1}M|^.{5}U|^.{6}G/ {print $NF}\'').stdout.split("\n")
 
-    if misconfigured_packages.empty?
-      describe 'The list of rpm packages with permissions changed from the vendor values' do
-        subject { misconfigured_packages }
+    if identified_files.empty?
+      describe 'The list of system files and commands with permissions, ownership, or group membership changed from the vendor values' do
+        subject { identified_files }
         it { should be_empty }
       end
     else
-      describe 'The list of rpm packages with permissions changed from the vendor values' do
-        fail_msg = "Files that have been modified from vendor-approved permissions but are not in the allowlist: #{(misconfigured_packages - allowlist).join(', ')}"
-        it 'should all appear in the allowlist' do
-          expect(misconfigured_packages).to all(be_in allowlist), fail_msg
+      misconfigured_packages = identified_files.flat_map { |f| command("rpm -qf #{f}").stdout.split("\n") }.uniq
+      potentially_misconfigured_files = misconfigured_packages.flat_map { |p| command("rpm -ql #{p} --dump").stdout.split("\n") }.uniq.map(&:shellsplit)
+      potentially_misconfigured_files.each do |path, size, mtime, digest, mode, owner, group, isconfig, isdoc, rdev, symlink|
+        file_obj = file(path)
+        if file_obj.exist?
+          describe file_obj do
+            it { should_not be_more_permissive_than(mode) }
+            unless ownership_allowlist.include? path
+              it { should be_owned_by owner }
+            end
+            unless group_membership_allowlist.include? path
+              it { should be_grouped_into group }
+            end
+          end
         end
       end
     end

controls/SV-204393.rb

@@ -22,7 +22,6 @@
     monitoring of the content of privileged communications, or work product, related to personal representation or
     services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are
     private and confidential. See User Agreement for details."'
-  desc 'rationale', ''
   desc 'check', 'Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before
     granting access to the operating system via a graphical user logon.
     Note: If the system does not have GNOME installed, this requirement is Not Applicable.
@@ -43,16 +42,15 @@
     # dconf update
     Users must log out and back in again before the system-wide settings take effect.'
   impact 0.5
-  tag 'legacy': ['V-71859', 'SV-86483']
-  tag 'severity': 'medium'
-  tag 'gtitle': 'SRG-OS-000023-GPOS-00006'
-  tag 'satisfies': ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007',
-                    'SRG-OS-000228-GPOS-00088']
-  tag 'gid': 'V-204393'
-  tag 'rid': 'SV-204393r603261_rule'
-  tag 'stig_id': 'RHEL-07-010030'
-  tag 'fix_id': 'F-4517r88372_fix'
-  tag 'cci': ['CCI-000048']
+  tag legacy: ['V-71859', 'SV-86483']
+  tag severity: 'medium'
+  tag gtitle: 'SRG-OS-000023-GPOS-00006'
+  tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000024-GPOS-00007', 'SRG-OS-000228-GPOS-00088']
+  tag gid: 'V-204393'
+  tag rid: 'SV-204393r603261_rule'
+  tag stig_id: 'RHEL-07-010030'
+  tag fix_id: 'F-4517r88372_fix'
+  tag cci: ['CCI-000048']
   tag nist: ['AC-8 a']
   tag subsystems: ['gui', 'banner']