>From 0f5328e949a50f289d8ec2ec8b1bad96d865155a Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Wed, 11 Sep 2013 20:21:57 -0400 Subject: [PATCH 10/22] OVAL signoff + remediation: require_singleuser_auth - Updated OVAL to match XCCDF namings - Created remediation - Resignoff on OVAL due to changes
TESTING: [root@SSG-RHEL6 checks]# ./testcheck.[root@SSG-RHEL6 checks]# ./testcheck.py require_singleuser_auth.xml Evaluating with OVAL tempfile : /tmp/require_singleuser_authHRJ0Tp.xml Writing results to : /tmp/require_singleuser_authHRJ0Tp.xml-results Definition oval:scap-security-guide.testing:def:152: false Evaluation done. [root@SSG-RHEL6 checks]# bash ../fixes/bash/require_singleuser_auth.sh [root@SSG-RHEL6 checks]# ./testcheck.py require_singleuser_auth.xml Evaluating with OVAL tempfile : /tmp/require_singleuser_authj9Tf3W.xml Writing results to : /tmp/require_singleuser_authj9Tf3W.xml-results Definition oval:scap-security-guide.testing:def:152: true Evaluation done.
---
 RHEL6/input/checks/require_singleuser_auth.xml | 27 +++++++++++++++++++
 RHEL6/input/checks/singleuser_password.xml | 28 --------------------
 .../fixes/bash/password_require_minimum_class.sh | 6 ++++
 .../fixes/bash/password_require_minimun_class.sh | 6 ----
 RHEL6/input/fixes/bash/require_singleuser_auth.sh | 5 +++
 RHEL6/input/system/accounts/physical.xml | 2 +-
 6 files changed, 39 insertions(+), 35 deletions(-)
 create mode 100644 RHEL6/input/checks/require_singleuser_auth.xml
 delete mode 100644 RHEL6/input/checks/singleuser_password.xml
 create mode 100644 RHEL6/input/fixes/bash/password_require_minimum_class.sh
 delete mode 100644 RHEL6/input/fixes/bash/password_require_minimun_class.sh
 create mode 100644 RHEL6/input/fixes/bash/require_singleuser_auth.sh
diff --git a/RHEL6/input/checks/require_singleuser_auth.xml b/RHEL6/input/checks/require_singleuser_auth.xml
new file mode 100644
index 0000000..6db03ef
--- /dev/null
+++ b/RHEL6/input/checks/require_singleuser_auth.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="require_singleuser_auth" version="1">
+ <metadata>
+ <title>Require Authentication for Single-User Mode</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The requirement for a password to boot into single-user mode
+ should be configured correctly.</description>
+ <reference source="swells" ref_id="20131014" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions are satisfied"
+ test_ref="test_require_singleuser_auth" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests that the SINGLE variable in the /etc/sysconfig/init file is set to /sbin/sulogin, to ensure that a password must be entered to access single user mode"
+ id="test_require_singleuser_auth" version="1">
+ <ind:object object_ref="obj_require_singleuser_auth" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_require_singleuser_auth" version="1">
+ <ind:filepath>/etc/sysconfig/init</ind:filepath>
+ <ind:pattern operation="pattern match">^SINGLE=/sbin/sulogin[\s]*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/RHEL6/input/checks/singleuser_password.xml b/RHEL6/input/checks/singleuser_password.xml
deleted file mode 100644
index 31441ee..0000000
--- a/RHEL6/input/checks/singleuser_password.xml
+++ /dev/null
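Review bot: The regex on the ind:pattern line, `^SINGLE=/sbin/sulogin[\s]*`, has no end anchor, and since `[\s]*` can match nothing, a value such as `SINGLE=/sbin/sulogin-other` or `SINGLE=/sbin/sulogin /bin/sh` would satisfy the test and report compliance for a setting that is not the bare sulogin path. Anchoring it, `^SINGLE=/sbin/sulogin\s*$`, closes that gap. Separately, the object matches only `instance` 1, so if the file carries a later, non-compliant `SINGLE=` assignment the test still passes even though the later assignment is presumably the one that takes effect when the file is sourced; that behaviour is inherited from the deleted singleuser_password.xml, but a comment on the object stating that only the first matching line is evaluated would make the limitation visible.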
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance" id="singleuser_password" version="1">
- <metadata>
- <title>Require Authentication for Single-User Mode</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The requirement for a password to boot into single-user mode
- should be configured correctly.</description>
- <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion comment="Conditions are satisfied"
- test_ref="test_singleuser_password" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests that the SINGLE variable in the /etc/sysconfig/init file is set to /sbin/sulogin, to ensure that a password must be entered to access single user mode"
- id="test_singleuser_password" version="1">
- <ind:object object_ref="obj_singleuser_password" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_singleuser_password" version="1">
- <ind:path>/etc/sysconfig</ind:path>
- <ind:filename>init</ind:filename>
- <ind:pattern operation="pattern match">^SINGLE=/sbin/sulogin[\s]*</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/fixes/bash/password_require_minimum_class.sh b/RHEL6/input/fixes/bash/password_require_minimum_class.sh
new file mode 100644
index 0000000..127c004
--- /dev/null
+++ b/RHEL6/input/fixes/bash/password_require_minimum_class.sh
@@ -0,0 +1,6 @@
+grep -q minclass /etc/pam.d/system-auth
+if [ $? = "0" ]; then
+ sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" /etc/pam.d/system-auth
+else
+ sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth
+fi
diff --git a/RHEL6/input/fixes/bash/password_require_minimun_class.sh b/RHEL6/input/fixes/bash/password_require_minimun_class.sh
deleted file mode 100644
index 127c004..0000000
--- a/RHEL6/input/fixes/bash/password_require_minimun_class.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-grep -q minclass /etc/pam.d/system-auth
-if [ $? = "0" ]; then
- sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-4]/minclass=3/" /etc/pam.d/system-auth
-else
- sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=3 /" /etc/pam.d/system-auth
-fi
diff --git a/RHEL6/input/fixes/bash/require_singleuser_auth.sh b/RHEL6/input/fixes/bash/require_singleuser_auth.sh
new file mode 100644
index 0000000..d020bee
--- /dev/null
+++ b/RHEL6/input/fixes/bash/require_singleuser_auth.sh
@@ -0,0 +1,5 @@
+grep -q ^SINGLE /etc/sysconfig/init && \
+ sed -i "s/SINGLE.*/SINGLE=\/sbin\/sulogin/g" /etc/sysconfig/init
+if ! [ $? -eq 0 ]; then
+ echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init
+fi
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml
index 390a953..1631797 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
@@ -135,7 +135,7 @@ on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. </rationale> <ident cce="27040-5" /> -<oval id="singleuser_password" /> +<oval id="require_singleuser_auth" /> <ref nist="IA-2(1)" disa="213" /> <tested by="DS" on="20121024"/> </Rule>
-- 
1.7.1
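Review bot: The sed expression on the second line of require_singleuser_auth.sh, `s/SINGLE.*/SINGLE=\/sbin\/sulogin/g`, is anchored neither to line start nor to the `=`, so it rewrites from the first occurrence of `SINGLE` on any line containing that token (a comment, or a differently named variable such as `SINGLEFOO=`), and the `grep -q ^SINGLE` guard on the first line accepts those same names as hits. Anchoring both, `grep -q '^SINGLE=' /etc/sysconfig/init && \` and `sed --follow-symlinks -i 's/^SINGLE=.*/SINGLE=\/sbin\/sulogin/' /etc/sysconfig/init`, confines the edit to the assignment itself, and `--follow-symlinks` keeps the script consistent with password_require_minimum_class.sh in the same series, where plain `sed -i` on a symlinked file would replace the link with a regular file. The `$?` tested on the third line is that of the whole `grep && sed` list, which is what makes the append branch run only when grep finds no `SINGLE` line; a one-line comment stating that would spare the next reader from working it out.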
