v1.13.2 (#15)

* resolving #14

Signed-off-by: wdower <[email protected]>

* updates to kernel checks to catch edge cases where grep returns a blank filename

Signed-off-by: Will Dower <[email protected]>

* resolves #17

Signed-off-by: wdower <[email protected]>

* adding disable_slow_controls to 230318

Signed-off-by: wdower <[email protected]>

* another slow control

Signed-off-by: wdower <[email protected]>

* lint, oh lint

Signed-off-by: wdower <[email protected]>

* backdating parser to non-buggy versioj

Signed-off-by: wdower <[email protected]>

* fixing heimdall key

Signed-off-by: wdower <[email protected]>

* adding missing resource to 251714,5

Signed-off-by: wdower <[email protected]>

* apparently you have to lint a Gemfile, who knew?

Signed-off-by: wdower <[email protected]>

* retriggering linter

Signed-off-by: wdower <[email protected]>

* adding newline back into Gemfile

Signed-off-by: wdower <[email protected]>

* removing pipeline trigger for every branch push

Signed-off-by: wdower <[email protected]>

* removing unneeded gem

Signed-off-by: wdower <[email protected]>

* Update Gemfile

* linting once more for the gipper

Signed-off-by: wdower <[email protected]>

---------

Signed-off-by: wdower <[email protected]>
Signed-off-by: Will Dower <[email protected]>
Signed-off-by: wdower <[email protected]>
Co-authored-by: Will Dower <[email protected]>

.github/workflows/verify-container.yml

@@ -1,9 +1,9 @@
 name: UBI8 Testing Matrix
 
 on:
-  push:
-    branches-ignore:
-      - none
+  # push:
+  #   branches-ignore:
+  #     - none
   pull_request:
 
 jobs:
@@ -92,7 +92,7 @@ jobs:
         if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
         continue-on-error: true
         run: |
-          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
+          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
 
       - name: Display our ${{ matrix.suite }} results summary
         if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}

.github/workflows/verify-disa-hardened-ec2.yml

@@ -1,9 +1,9 @@
 name: DISA Hardened EC2 Testing Matrix
 
 on:
-  push:
-    branches-ignore:
-      - none
+  # push:
+  #   branches-ignore:
+  #     - none
   pull_request:
 
 jobs:

.github/workflows/verify-ec2.yml

@@ -1,9 +1,9 @@
 name: EC2 Testing Matrix
 
 on:
-  push:
-    branches-ignore:
-      - none
+  # push:
+  #   branches-ignore:
+  #     - none
   pull_request:
 
 jobs:
@@ -92,7 +92,7 @@ jobs:
         if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
         continue-on-error: true
         run: |
-          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
+          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
 
       - name: Display our ${{ matrix.suite }} results summary
         if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}

.github/workflows/verify-rhel-official-hardened-ec2.yml

@@ -1,9 +1,9 @@
 name: RHEL-Official Hardened EC2 Testing Matrix
 
 on:
-  push:
-    branches-ignore:
-      - none
+  # push:
+  #   branches-ignore:
+  #     - none
   pull_request:
 
 jobs:
@@ -91,7 +91,7 @@ jobs:
         if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
         continue-on-error: true
         run: |
-          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
+          curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
 
       - name: Display our ${{ matrix.suite }} results summary
         if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}

Gemfile

@@ -15,10 +15,8 @@ gem 'kitchen-inspec'
 gem 'kitchen-sync'
 gem 'kitchen-vagrant'
 gem 'parser', '< 3.3.1.0'
-gem 'pry-byebug'
 gem 'rake'
 gem 'rubocop'
 gem 'rubocop-rake'
 gem 'test-kitchen'
 gem 'train-awsssm'
-

controls/SV-230226.rb

@@ -83,7 +83,9 @@
   only_if("The system does not have GNOME installed; this requirement is Not
         Applicable.", impact: 0.0) { package('gnome-desktop3').installed? }
 
-  banner = command('grep ^banner-message-text /etc/dconf/db/local.d/*').stdout.gsub(/[\r\n\s]/, '')
+  banner_message_db = input('banner_message_db')
+
+  banner = command("grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*").stdout.gsub(/[\r\n\s]/, '')
   expected_banner = input('banner_message_text_gui').gsub(/[\r\n\s]/, '')
 
   describe 'The GUI Banner ' do

controls/SV-230257.rb

@@ -36,7 +36,7 @@
   system_command_dirs = input('system_command_dirs').join(' ')
 
   failing_files = command("find -L #{system_command_dirs} -perm /0022 -exec ls -l '{}' \\;").stdout.split("\n")
-  
+
   # failing_files = command("find -L #{input('system_command_dirs').join(' ')} -perm /0022 -exec ls -d '{}'' \\;").stdout.split("\n")
 
   describe 'System commands' do

controls/SV-230318.rb

@@ -35,14 +35,21 @@
   tag 'host'
   tag 'container'
 
-  partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq
+  if input('disable_slow_controls')
+    describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do
+      skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'
+    end
+  else
+
+    partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq
 
-  cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print"
-  failing_dirs = command(cmd).stdout.split("\n").uniq
+    cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print"
+    failing_dirs = command(cmd).stdout.split("\n").uniq
 
-  describe 'Any world-writeable directories' do
-    it 'should be owned by system accounts' do
-      expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}"
+    describe 'Any world-writeable directories' do
+      it 'should be owned by system accounts' do
+        expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}"
+      end
     end
   end
 end

controls/SV-230319.rb

@@ -35,14 +35,21 @@
   tag 'host'
   tag 'container'
 
-  partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq
+  if input('disable_slow_controls')
+    describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do
+      skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.'
+    end
+  else
+
+    partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq
 
-  cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print"
-  failing_dirs = command(cmd).stdout.split("\n").uniq
+    cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print"
+    failing_dirs = command(cmd).stdout.split("\n").uniq
 
-  describe 'Any world-writeable directories' do
-    it 'should be group-owned by system accounts' do
-      expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}"
+    describe 'Any world-writeable directories' do
+      it 'should be group-owned by system accounts' do
+        expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}"
+      end
     end
   end
 end

controls/SV-230530.rb

@@ -51,8 +51,8 @@
   }
 
   if package('gnome-desktop3').installed?
-    describe command('grep logout /etc/dconf/db/local.d/*') do
-      its('stdout.strip') { should cmp "logout=''" }
+    describe command('grep ^logout /etc/dconf/db/local.d/*') do
+      its('stdout.strip') { should match(/logout=''/) }
     end
   else
     impact 0.0

controls/SV-230535.rb

@@ -95,11 +95,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230536.rb

@@ -95,11 +95,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230537.rb

@@ -94,11 +94,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230538.rb

@@ -94,11 +94,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230539.rb

@@ -94,11 +94,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230540.rb

@@ -94,11 +94,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230541.rb

@@ -96,11 +96,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230542.rb

@@ -97,11 +97,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230543.rb

@@ -95,11 +95,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230544.rb

@@ -95,11 +95,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230545.rb

@@ -84,11 +84,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230546.rb

@@ -83,11 +83,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230547.rb

@@ -83,11 +83,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end

controls/SV-230548.rb

@@ -87,11 +87,13 @@
     sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ')
 
     # Search for the kernel parameter in the configuration files
-    search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
+    search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n")
 
     # Parse the search results into a hash
     config_values = search_results.each_with_object({}) do |item, results|
       file, setting = item.split(':')
+      file = 'grep did not return filename' if file.empty?
+
       results[file] ||= []
       results[file] << setting.split('=').last
     end