diff --git a/package-lock.json b/package-lock.json index a4fd16a9e..46a67b621 100644 --- a/package-lock.json +++ b/package-lock.json @@ -16,7 +16,7 @@ "cypress-each": "^1.14.0", "flowchart.ts": "^3.0.1", "mermaid": "^11.4.1", - "start-server-and-test": "^2.0.8", + "start-server-and-test": "^2.0.9", "vue": "^3.5.13", "vuepress": "2.0.0-rc.18", "vuepress-theme-hope": "2.0.0-rc.59" @@ -5185,9 +5185,9 @@ "dev": true }, "node_modules/debug": { - "version": "4.3.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", - "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", "dev": true, "dependencies": { "ms": "^2.1.3" @@ -8695,15 +8695,15 @@ } }, "node_modules/start-server-and-test": { - "version": "2.0.8", - "resolved": "https://registry.npmjs.org/start-server-and-test/-/start-server-and-test-2.0.8.tgz", - "integrity": "sha512-v2fV6NV2F7tL1ocwfI4Wpait+IKjRbT5l3ZZ+ZikXdMLmxYsS8ynGAsCQAUVXkVyGyS+UibsRnvgHkMvJIvCsw==", + "version": "2.0.9", + "resolved": "https://registry.npmjs.org/start-server-and-test/-/start-server-and-test-2.0.9.tgz", + "integrity": "sha512-DDceIvc4wdpr+z3Aqkot2QMho8TcUBh5qH0wEHDpEexBTzlheOcmh53d3dExABY4J5C7qS2UbSXqRWLtxpbWIQ==", "dev": true, "dependencies": { "arg": "^5.0.2", "bluebird": "3.7.2", "check-more-types": "2.24.0", - "debug": "4.3.7", + "debug": "4.4.0", "execa": "5.1.1", "lazy-ass": "1.6.0", "ps-tree": "1.2.0", 
@@ -13462,9 +13462,9 @@ "dev": true }, "debug": { - "version": "4.3.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", - "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", "dev": true, "requires": { "ms": "^2.1.3" @@ -15817,15 +15817,15 @@ } }, "start-server-and-test": { - "version": "2.0.8", - "resolved": "https://registry.npmjs.org/start-server-and-test/-/start-server-and-test-2.0.8.tgz", - "integrity": "sha512-v2fV6NV2F7tL1ocwfI4Wpait+IKjRbT5l3ZZ+ZikXdMLmxYsS8ynGAsCQAUVXkVyGyS+UibsRnvgHkMvJIvCsw==", + "version": "2.0.9", + "resolved": "https://registry.npmjs.org/start-server-and-test/-/start-server-and-test-2.0.9.tgz", + "integrity": "sha512-DDceIvc4wdpr+z3Aqkot2QMho8TcUBh5qH0wEHDpEexBTzlheOcmh53d3dExABY4J5C7qS2UbSXqRWLtxpbWIQ==", "dev": true, "requires": { "arg": "^5.0.2", "bluebird": "3.7.2", "check-more-types": "2.24.0", - "debug": "4.3.7", + "debug": "4.4.0", "execa": "5.1.1", "lazy-ass": "1.6.0", "ps-tree": "1.2.0", diff --git a/package.json b/package.json index a4c1503b9..580e5c1f6 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "cypress-each": "^1.14.0", "flowchart.ts": "^3.0.1", "mermaid": "^11.4.1", - "start-server-and-test": "^2.0.8", + "start-server-and-test": "^2.0.9", "vue": "^3.5.13", "vuepress": "2.0.0-rc.18", "vuepress-theme-hope": "2.0.0-rc.59" diff --git a/src/courses/beginner/12.md b/src/courses/beginner/12.md index b5305a745..373778d40 100644 --- a/src/courses/beginner/12.md +++ b/src/courses/beginner/12.md @@ -6,7 +6,7 @@ author: Aaron Lippold headerDepth: 3 --- -## Getting Started on the RHEL8 Baseline +## Getting Started on the RHEL9 Baseline Let's practice writing a few 'real' controls using a security guidance document. 
@@ -25,44 +25,38 @@ Let's go through an example using control SV-230324 to see the above steps in pr 1. **Read the control** - when referencing the control SV-230324 from the stub profile that was generated with the stub generator, look at the control, especially the check text, to understand the intention of the security guidance for this control. **This control** is talking about verifying all local interactive users are assigned a home directory upon creation. -::: code-tabs#shell - -@tab Stub Generated Control ```ruby -control "SV-230324" do - title "All RHEL 8 local interactive user accounts must be assigned a home directory upon creation." - desc "If local interactive users are not assigned a valid home directory, there is no place for the -storage and control of files they should own." - desc "check", "Verify all local interactive users on RHEL 8 are assigned a home directory upon creation with -the following command: +control 'SV-258043' do + title 'All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.' + desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.' + desc 'check', 'Verify all local interactive users on RHEL 9 are assigned a home directory upon creation with the following command: -$ sudo grep -i create_home /etc/login.defs +$ grep -i create_home /etc/login.defs CREATE_HOME yes -If -the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is -commented out, this is a finding." - desc "fix", "Configure RHEL 8 to assign home directories to all new local interactive users by setting the -\"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows. +If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.' 
+ desc 'fix', 'Configure RHEL 9 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. -CREATE_HOME yes" +CREATE_HOME yes' impact 0.5 - tag severity: "medium" - tag gtitle: "SRG-OS-000480-GPOS-00227" - tag gid: "V-230324" - tag rid: "SV-230324r627750_rule" - tag stig_id: "RHEL-08-010760" - tag fix_id: "F-32968r567719_fix" - tag cci: ["CCI-000366"] - tag nist: ["CM-6 b"] + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag check_id: 'C-61784r926114_chk' + tag severity: 'medium' + tag gid: 'V-258043' + tag rid: 'SV-258043r991589_rule' + tag stig_id: 'RHEL-09-411020' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag fix_id: 'F-61708r926115_fix' + tag 'documentable' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] end ``` -::: 2. **Look for Key Words and Resources** - Dive more into what key words exist in the check text to determine what InSpec resources to use when writing the test. Most importantly, identify commands that are written in the check test like shown below. Find the _what_ of the command. For this control, `sudo` is not the _what_. `grep` is also not the _what_. `create_home` looks like an attribute of the `/etc/login.defs` file, which looks like the _what_! Look for a resource named `login_defs` in the [resource documentation](https://docs.chef.io/inspec/resources/). ```ruby - desc "check", "Verify all local interactive users on RHEL 8 are assigned a home directory upon creation with + desc "check", "Verify all local interactive users on RHEL 9 are assigned a home directory upon creation with the following command: $ sudo grep -i create_home /etc/login.defs 
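Review bot: The unchanged step 1 line in this hunk still tells the reader to reference control SV-230324, and the sentence quoted in the hunk header does the same, while the control listed under it is now `SV-258043`. A stub profile generated from RHEL 9 guidance will presumably not contain the RHEL 8 ID, so both mentions should read `SV-258043`. The step 2 excerpt at the end of the hunk also still shows `$ sudo grep -i create_home /etc/login.defs`, and the prose still discusses `sudo`, although the new check text runs `$ grep -i create_home /etc/login.defs`. Either copy the excerpt from the new check text or drop the remark about `sudo`. That excerpt's code block continues past the end of the hunk.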
@@ -84,35 +78,32 @@ $ sudo grep -i create_home /etc/login.defs ``` @tab Full Control ```ruby -control 'SV-230324' do - title "All RHEL 8 local interactive user accounts must be assigned a home -directory upon creation." - desc "If local interactive users are not assigned a valid home directory, -there is no place for the storage and control of files they should own." - desc 'rationale', '' - desc 'check', " - Verify all local interactive users on RHEL 8 are assigned a home directory -upon creation with the following command: - $ sudo grep -i create_home /etc/login.defs - CREATE_HOME yes - If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line -is missing, or the line is commented out, this is a finding. - " - desc 'fix', " - Configure RHEL 8 to assign home directories to all new local interactive -users by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to -\"yes\" as follows. - CREATE_HOME yes - " +control 'SV-258043' do + title 'All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.' + desc 'If local interactive users are not assigned a valid home directory, +there is no place for the storage and control of files they should own.' + desc 'check', 'Verify all local interactive users on RHEL 9 are assigned a home directory upon creation with the following command: + +$ grep -i create_home /etc/login.defs + +CREATE_HOME yes + +If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.' + desc 'fix', 'Configure RHEL 9 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. 
+ +CREATE_HOME yes' impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' tag severity: 'medium' tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-230324' - tag rid: 'SV-230324r627750_rule' - tag stig_id: 'RHEL-08-010760' - tag fix_id: 'F-32968r567719_fix' + tag gid: 'V-258043' + tag rid: 'SV-258043r926116_rule' + tag stig_id: 'RHEL-09-411020' + tag fix_id: 'F-61708r926115_fix' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] + tag 'host' + tag 'container' describe login_defs do its('CREATE_HOME') { should eq 'yes' } @@ -127,7 +118,7 @@ Here, the login_defs resource shows examples using the `includes` and `eq` match 5. **Run the test!** ```bash -inspec exec rhel8-baseline-stubs -t docker://redhat8 +inspec exec my_rhel9_stig_profile -t docker://redhat9 ``` 6. **Troubleshoot errors** - If you have syntax errors or unexpected results, it's time to troubleshoot. The best first step in troubleshooting is to read the error message from the command line. 
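Review bot: The Full Control sets `tag rid: 'SV-258043r926116_rule'`, while the stub listing for the same control earlier in this file was changed to `tag rid: 'SV-258043r991589_rule'`, so the two listings cite different revisions of one rule. Anyone matching results back to the guidance by rule ID has no way to tell which revision the test was written against. Use one value in both listings, for example `tag rid: 'SV-258043r991589_rule'` if the stub reflects the STIG release the course targets. The Full Control also lacks the stub's `tag check_id: 'C-61784r926114_chk'` and `tag 'documentable'`, which is worth a sentence in the text if the difference is intended. The control's `describe` block ends outside the hunk.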
@@ -136,27 +127,26 @@ inspec exec rhel8-baseline-stubs -t docker://redhat8 | Control | Resource Used | | --- | --- | -| SV-230324 | login_defs resource | -| SV-230250 | directory resource | -| SV-230243 | directory looping & file resource | -| SV-230505 | non applicable use case & package resource | +| SV-258043 | login_defs resource | +| SV-257915 | directory resource | +| SV-257929 | directory looping & file resource | +| SV-257936 | non applicable use case & package resource | ### Suggested Level 1 Controls | Control | Resource Used | | --- | --- | -| SV-230383 | login_defs resource | -| SV-230249 | directory resource | -| SV-230471 | directory looping & file resource | -| SV-230241 | non applicable use case & package resource | +| SV-258074 | login_defs resource | +| SV-257914 | directory resource | +| SV-258171 | directory looping & file resource | +| SV-258081 | non applicable use case & package resource | ### Suggested Level 2 Controls | Control | Resource Used | | --- | --- | -| SV-230281 | parse config file | -| SV-230365 | login_defs resource | -| SV-230264 | file content | +| SV-257824 | parse config file | +| SV-258104 | login_defs resource | :::info Strings Single quotes are dumb strings. Double quotes are smart strings. Smart strings means they allow [interpolation](http://ruby-for-beginners.rubymonstas.org/bonus/string_interpolation.html). 
@@ -171,11 +161,11 @@ Single quotes are dumb strings. Double quotes are smart strings. Smart strings m - [package](https://www.inspec.io/docs/reference/resources/package/) - [login_defs](https://docs.chef.io/inspec/resources/login_defs/) -## Completed RHEL8 Profile for Reference +## Completed RHEL9 Profile for Reference -Below is the url to the completed RHEL8 Inspec Profile for reference, and a few things to take note of. +Below is the url to the completed RHEL9 Inspec Profile for reference, and a few things to take note of. -1. [redhat-enterprise-linux-8-stig-baseline](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline) +1. [redhat-enterprise-linux-9-stig-baseline](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline) ::: tip Key Elements in this Profile