[stabilization] Check for PQC GPG key only on RHEL 10.1 and newer#14476
Merged
vojtapolasek merged 1 commit intoComplianceAsCode:stabilizationfrom Feb 27, 2026
Merged
Conversation
The redhat-release RPM package in RHEL 10.0 won't contain the postquantum OpenGPG key. This key will be present in RHEL 10.1 and newer. Addressing: Failing rule `ensure_redhat_gpgkey_installed` in multiple contest tests `/hardening/host-os/oscap` on RHEL 10.0.
|
This datastream diff is auto generated by the check Click here to see the full diffOVAL for rule 'xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported' differs.
--- oval:ssg-installed_OS_is_vendor_supported:def:1
+++ oval:ssg-installed_OS_is_vendor_supported:def:1
@@ -11,5 +11,4 @@
extend_definition oval:ssg-installed_OS_is_sle16:def:1
extend_definition oval:ssg-installed_OS_is_slmicro5:def:1
extend_definition oval:ssg-installed_OS_is_slmicro6:def:1
-extend_definition oval:ssg-installed_OS_is_ubuntu2204:def:1
extend_definition oval:ssg-installed_OS_is_ubuntu2404:def:1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount=false
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount
If properly configured, the output for automount should be false.
To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount-open to false in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
automount-open=false
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/automount-open
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling automount-open
If properly configured, the output for automount-openshould be false.
To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
Is it the case that GNOME automounting is not disabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,6 +2,7 @@
if rpm --quiet -q gdm; then
# apply fix for enable_dconf_user_profile, OVAL checks it
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
For example:
[org/gnome/desktop/media-handling]
autorun-never=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/media-handling/autorun-never
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for autorun-nevershould be true.
To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
Is it the case that GNOME autorun is not disabled?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
By default, GNOME does not require credentials when using Vino for
remote access. To configure the system to require remote credentials, add or set
authentication-methods to ['vnc'] in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
authentication-methods=['vnc']
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false.
To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
+$ grep authentication-methods /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/authentication-methods
Is it the case that wireless network notification is enabled and not disabled?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
By default, GNOME requires encryption when using Vino for remote access.
To prevent remote access encryption from being disabled, add or set
require-encryption to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
require-encryption=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.Vino require-encrpytion
If properly configured, the output should be true.
To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
+$ grep require-encryption /etc/dconf/db/local.d/locks/*
If properly configured, the output should be
/org/gnome/Vino/require-encryption
Is it the case that remote access connections are not encrypted?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
[description]:
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
add or set idle-activation-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
idle-activation-enabled=true
Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
Is it the case that idle-activation-enabled is not enabled or configured?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
[description]:
The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
-and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
+and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/gdm.d/00-security-settings:
+/etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
+$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,7 +2,6 @@
if rpm --quiet -q gdm; then
inactivity_timeout_value=''
-
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,8 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
+# apply fix for enable_dconf_user_profile, OVAL checks it
+
+
var_screensaver_lock_delay=''
-
# Check for setting in any of the DConf db directories
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
[description]:
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
Lock After Idle Period
community.general.ini_file:
- dest: /etc/dconf/db/gdm.d/00-security-settings
+ dest: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/desktop/lockdown
option: disable-lock-screen
value: 'false'
@@ -105,7 +105,7 @@
- name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
of GNOME disable-lock-screen
ansible.builtin.lineinfile:
- path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
+ path: /etc/dconf/db/local.d/locks/00-security-settings-lock
regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
line: /org/gnome/desktop/lockdown/disable-lock-screen
create: true
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
[description]:
To set the screensaver mode in the GNOME3 desktop to a blank screen,
add or set picture-uri to string '' in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
picture-uri=string ''
Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
+$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
Is it the case that it is not set or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/screensaver/lock-delay
Is it the case that GNOME3 session settings are not locked or configured properly?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
[description]:
If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return:
/org/gnome/desktop/session/idle-delay
Is it the case that idle-delay is not locked?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero'.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -4,8 +4,8 @@
[description]:
If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed, locked
-or have their UID changed.
+be investigated and the accounts other than root should be removed or have
+their UID changed.
If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
+++ ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1
@@ -2,7 +2,5 @@
following command:
$ awk -F: '$3 == 0 {print $1}' /etc/passwd
root
-Also make sure that if non-root account with UID "0" exist, it is locked:
-$ grep -E '^[^:]+:[!*][^:]*:.*$' /etc/shadow
Is it the case that any accounts other than "root" have a UID of "0"?
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero' differs.
--- xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
+++ xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
@@ -44,7 +44,7 @@
- name: Lock the password of the user accounts other than root with uid 0
ansible.builtin.command: passwd -l {{ item.key }}
- loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''equalto'', ''root'')
+ loop: '{{ getent_passwd | dict2items | rejectattr(''key'', ''search'', ''root'')
| list }}'
when:
- '"kernel-core" in ansible_facts.packages'
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs' differs.
--- ocil:ssg-file_groupownership_system_commands_dirs_ocil:questionnaire:1
+++ ocil:ssg-file_groupownership_system_commands_dirs_ocil:questionnaire:1
@@ -1,4 +1,5 @@
Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command:
+
$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \;
Is it the case that any system commands are returned and is not group-owned by a required system account?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled'.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -9,18 +9,15 @@
SELINUX=enforcing
OR
SELINUX=permissive
-If SELinux is currently disabled or not configured, ensure that all files have correct SELinux
-labels by running:
+Ensure that all files have correct SELinux labels by running:
fixfiles onboot
Then reboot the system.
[warning]:
-The automated remediation checks the SELinux configuration in /etc/selinux/config.
-If SELinux is already set to "enforcing" or "permissive", the current state is preserved
-and no changes are made. If SELinux is "disabled" or not configured, the remediation will
-adopt a conservative approach and set it to "permissive" in order to avoid any system
-disruption and give the administrator the opportunity to assess the impact and necessary
-efforts before setting it to "enforcing", which is strongly recommended.
+In case the SELinux is "disabled", the automated remediation will adopt a more
+conservative approach and set it to "permissive" in order to avoid any system disruption
+and give the administrator the opportunity to assess the impact and necessary efforts
+before setting it to "enforcing", which is strongly recommended.
[reference]:
1.3.1.4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -1,17 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-# Check current SELinux state in config file
-selinux_current_state=""
-if [ -f "/etc/selinux/config" ]; then
- selinux_current_state=$(grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config || true)
-fi
-
-# Only remediate if SELinux is disabled or not configured
-# If already set to enforcing or permissive, it's compliant - preserve the current state
-if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]; then
- # SELinux is disabled or not configured, set to permissive as a conservative approach
- if [ -e "/etc/selinux/config" ] ; then
+if [ -e "/etc/selinux/config" ] ; then
LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
else
@@ -25,8 +15,8 @@
printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"
- fixfiles onboot
-fi
+
+fixfiles onboot
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -10,13 +10,12 @@
- restrict_strategy
- selinux_not_disabled
-- name: Ensure SELinux is Not Disabled - Check current SELinux configuration
+- name: Ensure SELinux is Not Disabled - Check current SELinux state
ansible.builtin.command:
- cmd: grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config
- register: selinux_config_state
+ cmd: getenforce
+ register: current_selinux_state
check_mode: false
changed_when: false
- failed_when: false
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86151-8
@@ -27,49 +26,35 @@
- restrict_strategy
- selinux_not_disabled
-- name: Ensure SELinux is Not Disabled - Set SELinux state to permissive if disabled
- or not configured
+- name: Ensure SELinux is Not Disabled
block:
- - name: Ensure SELinux is Not Disabled
- block:
+ - name: Check for duplicate values
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
- - name: Check for duplicate values
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- state: absent
- check_mode: true
- changed_when: false
- register: dupes
+ - name: Deduplicate values from /etc/selinux/config
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
- - name: Deduplicate values from /etc/selinux/config
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- state: absent
- when: dupes.found is defined and dupes.found > 1
-
- - name: Insert correct line to /etc/selinux/config
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- line: SELINUX=permissive
- state: present
-
- - name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next
- boot
- ansible.builtin.file:
- path: /.autorelabel
- state: touch
- access_time: preserve
- modification_time: preserve
- when:
- - '"kernel-core" in ansible_facts.packages'
- - selinux_config_state.stdout not in ['enforcing', 'permissive']
+ - name: Insert correct line to /etc/selinux/config
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ line: SELINUX=permissive
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86151-8
- high_severity
@@ -78,3 +63,21 @@
- reboot_required
- restrict_strategy
- selinux_not_disabled
+
+- name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot
+ ansible.builtin.file:
+ path: /.autorelabel
+ state: touch
+ access_time: preserve
+ modification_time: preserve
+ when:
+ - '"kernel-core" in ansible_facts.packages'
+ - current_selinux_state.stdout | lower != "permissive"
+ tags:
+ - CCE-86151-8
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - reboot_required
+ - restrict_strategy
+ - selinux_not_disabled
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -8,7 +8,9 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+
OTHER_FILTERS="-C uid!=euid -F euid=0"
+
AUID_FILTERS=""
SYSCALL="execve"
@@ -326,7 +328,9 @@
for ARCH in "${RULE_ARCHS[@]}"
do
ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+
OTHER_FILTERS="-C gid!=egid -F egid=0"
+
AUID_FILTERS=""
SYSCALL="execve"
|
vojtapolasek
merged commit 7dc45af
into
ComplianceAsCode:stabilization
46 of 49 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The redhat-release RPM package in RHEL 10.0 won't contain the postquantum OpenGPG key. This key will be present in RHEL 10.1 and newer.
Addressing:
Failing rule
ensure_redhat_gpgkey_installedin multiple contest tests/hardening/host-os/oscapon RHEL 10.0.This PR is a backport of PR #14462 to the stabilization branch.