Merge remote-tracking branch 'origin/master' into u2404_53344

.github/workflows/gate.yaml

@@ -88,7 +88,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install deps python
@@ -107,7 +107,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build libopenscap8 libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install deps python
@@ -126,7 +126,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Install Deps
-        run: sudo apt-get update && sudo apt-get install cmake ninja-build openscap-utils libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
+        run: sudo apt-get update && sudo apt-get install -y cmake ninja-build openscap-utils libxml2-utils xsltproc ansible-lint bats python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-setuptools python3-yaml shellcheck
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install deps python
@@ -180,8 +180,8 @@ jobs:
     name: Build on Windows
     runs-on: windows-latest
     env:
-      OPENSCAP_VERSION: "1.4.1"
-      OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.1"
+      OPENSCAP_VERSION: "1.4.2"
+      OPENSCAP_ROOT_DIR: "C:\\Program Files\\OpenSCAP 1.4.2"
     steps:
         - name: Install Deps
           run: choco install xsltproc

.github/workflows/k8s-content-pr.yaml

@@ -63,7 +63,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
       - name: Docker metadata
@@ -84,7 +84,7 @@ jobs:
             org.opencontainers.image.vendor='Compliance Operator Authors'
       - name: Build container images and push
         id: docker_build
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6
         with:
           context: .
           file: ./Dockerfiles/ocp4_content

.github/workflows/release.yaml

@@ -45,7 +45,7 @@ jobs:
         env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Release
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         with:
           draft: True
           name: Content ${{ steps.set_version.outputs.ver }}

components/pam.yml

@@ -83,6 +83,7 @@ rules:
 - accounts_passwords_pam_faillock_interval
 - accounts_passwords_pam_faillock_silent
 - accounts_passwords_pam_faillock_unlock_time
+- accounts_passwords_pam_faillock_enabled
 - accounts_passwords_pam_tally2
 - accounts_passwords_pam_tally2_deny_root
 - accounts_passwords_pam_tally2_unlock_time

controls/cis_ubuntu2404.yml

@@ -1863,8 +1863,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - accounts_passwords_pam_faillock_enabled
+    status: automated
 
   - id: 5.3.2.3
     title: Ensure pam_pwquality module is enabled (Automated)
@@ -1889,15 +1890,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
+    rules:
       - var_accounts_passwords_pam_faillock_deny=4
-      - var_accounts_passwords_pam_faillock_fail_interval=900
-      - var_accounts_passwords_pam_faillock_unlock_time=600
       - accounts_passwords_pam_faillock_deny
-      - accounts_passwords_pam_faillock_interval
-      - accounts_passwords_pam_faillock_unlock_time
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.2.
+    status: automated
 
   - id: 5.3.3.1.2
     title: Ensure password unlock time is configured (Automated)
@@ -1997,8 +1993,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - accounts_password_pam_enforce_root
+    status: automated
 
   - id: 5.3.3.3.1
     title: Ensure password history remember is configured (Automated)
@@ -2048,11 +2045,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
-      - var_password_hashing_algorithm=yescrypt
-      - set_password_hashing_algorithm_logindefs
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.4.
+    rules:
+      - var_password_hashing_algorithm_pam=yescrypt
+      - set_password_hashing_algorithm_systemauth
+    status: automated
 
   - id: 5.3.3.4.4
     title: Ensure pam_unix includes use_authtok (Automated)

controls/ism_o.yml

@@ -31,7 +31,7 @@ controls:
             - set_password_hashing_algorithm_passwordauth
             - set_password_hashing_algorithm_systemauth
             - sshd_disable_gssapi_auth
-            - var_password_hashing_algorithm_pam=sha512
+            - var_password_hashing_algorithm_pam=yescrypt
         status: automated
 
     -   id: '0421'

controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml

@@ -10,7 +10,6 @@ controls:
             - var_password_pam_maxclassrepeat=3
             - var_password_pam_dictcheck=1
             - accounts_password_pam_dictcheck
-            - var_password_hashing_algorithm_pam=sha512
-            - var_password_pam_unix_rounds=5000
+            - var_password_pam_unix_rounds=5
             - var_password_pam_remember=5
             - var_password_pam_remember_control_flag=requisite_or_required

linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/oval/shared.xml

@@ -0,0 +1,72 @@
+<def-group>
+
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("/etc/chrony.keys should be owned by chrony group") }}}
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles" negate="true"
+          comment="The /etc/nsswitch.conf does not use nss-altfiles"/>
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys"
+          comment="Check group ownership of /etc/chrony.keys"/>
+      </criteria>
+      <criteria operator="AND">
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys_nsswitch_uses_altfiles"
+          comment="The /etc/nsswitch.conf uses nss-altfiles"/>
+        <criterion test_ref="test_file_groupowner_etc_chrony_keys_with_usrlib"
+          comment="Check group ownership of /etc/chrony.keys"/>
+      </criteria>
+    </criteria>
+  </definition>
+
+{{{ oval_test_nsswitch_uses_altfiles() }}}
+
+  <unix:file_test id="test_file_groupowner_etc_chrony_keys" version="1" check="all" comment="Testing group ownership of /etc/chrony.keys" check_existence="none_exist" state_operator="AND">
+    <unix:object object_ref="object_file_groupowner_etc_chrony_keys" />
+  </unix:file_test>
+  <unix:file_object id="object_file_groupowner_etc_chrony_keys" version="1" comment="/etc/chrony.keys">
+    <unix:filepath>/etc/chrony.keys</unix:filepath>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_uid_chrony</filter>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_gid_chrony</filter>
+  </unix:file_object>
+  <ind:textfilecontent54_object id="object_file_groupowner_etc_chrony_keys_etc_group" version="1" comment="gid of the dedicated chrony group">
+    <ind:filepath>/etc/group</ind:filepath>
+    <ind:pattern operation="pattern match">^chrony:\w+:(\w+):.*</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <unix:file_state id="state_file_groupowner_etc_chrony_keys_gid_chrony" version="1" operator="AND">
+    <unix:group_id datatype="int" var_ref="var_dedicated_groupowner_etc_chrony_keys_uid_chrony" />
+  </unix:file_state>
+  <unix:file_state id="state_file_groupowner_etc_chrony_keys_uid_chrony" version="1" operator="AND">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
+  <local_variable id="var_dedicated_groupowner_etc_chrony_keys_uid_chrony" version="1" datatype="int" comment="gid of the dedicated chrony group">
+    <object_component item_field="subexpression" object_ref="object_file_groupowner_etc_chrony_keys_etc_group" />
+  </local_variable>
+
+  <unix:file_test id="test_file_groupowner_etc_chrony_keys_with_usrlib" version="1" check="all" comment="Testing group ownership of /etc/chrony.keys" check_existence="none_exist" state_operator="AND">
+    <unix:object object_ref="object_file_groupowner_etc_chrony_keys_with_usrlib" />
+  </unix:file_test>
+  <unix:file_object id="object_file_groupowner_etc_chrony_keys_with_usrlib" version="1" comment="/etc/chrony.keys">
+    <unix:filepath>/etc/chrony.keys</unix:filepath>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_uid_chrony</filter>
+    <filter action="exclude">state_file_groupowner_etc_chrony_keys_gid_chrony_with_usrlib</filter>
+  </unix:file_object>
+  <ind:textfilecontent54_object id="object_file_groupowner_etc_chrony_keys_etc_group_with_usrlib" version="1" comment="gid of the dedicated chrony group">
+    <set>
+      <object_reference>object_file_groupowner_etc_chrony_keys_etc_group</object_reference>
+      <object_reference>object_file_groupowner_etc_chrony_keys_usr_lib_group</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="object_file_groupowner_etc_chrony_keys_usr_lib_group" version="1">
+    <ind:filepath>/usr/lib/group</ind:filepath>
+    <ind:pattern operation="pattern match">^chrony:\w+:(\w+):.*</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <unix:file_state id="state_file_groupowner_etc_chrony_keys_gid_chrony_with_usrlib" version="1" operator="AND">
+    <unix:group_id datatype="int" var_ref="var_dedicated_groupowner_etc_chrony_keys_uid_chrony_with_usrlib" />
+  </unix:file_state>
+  <local_variable id="var_dedicated_groupowner_etc_chrony_keys_uid_chrony_with_usrlib" version="1" datatype="int" comment="gid of the dedicated chrony group">
+    <object_component item_field="subexpression" object_ref="object_file_groupowner_etc_chrony_keys_etc_group_with_usrlib" />
+  </local_variable>
+
+</def-group>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml

@@ -54,7 +54,6 @@ references:
     nist@sle15: IA-5(1)(e),IA-5(1).1(v)
     pcidss: Req-8.2.5
     srg: SRG-OS-000077-GPOS-00045
-    stigid@rhel8: RHEL-08-020220
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml

@@ -54,7 +54,6 @@ references:
     nist@sle15: IA-5(1)(e),IA-5(1).1(v)
     pcidss: Req-8.2.5
     srg: SRG-OS-000077-GPOS-00045
-    stigid@rhel8: RHEL-08-020221
 
 ocil_clause: |-
     the pam_pwhistory.so module is not used, the "remember" module option is not set in

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh

@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_faillock_enable() }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/oval/shared.xml

@@ -0,0 +1,116 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="6">
+    {{{ oval_metadata(description) }}}
+    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
+      <!-- pam_unix.so is a control module present in all realistic scenarios and also used
+           as reference for the correct position of pam_faillock.so in auth section. If the
+           system is properly configured, it must appear only once in auth section. -->
+      <criterion test_ref="test_accounts_passwords_pam_faillock_common_pam_unix_auth"
+		  comment="pam_unix.so appears only once in auth section of common-auth"/>
+      <criterion test_ref="test_accounts_passwords_pam_faillock_common_pam_faillock_auth"
+		  comment="pam_faillock.so is properly defined in auth section of common-auth"/>
+      <criterion test_ref="test_accounts_passwords_pam_faillock_common_pam_faillock_account"
+		  comment="pam_faillock.so is properly defined in common-account"/>
+    </criteria>
+  </definition>
+
+  <!-- The following tests demand complex regex which are necessary more than once.
+       These variables make simpler the usage of regex patterns. -->
+  <constant_variable id="var_accounts_passwords_pam_faillock_pam_unix_regex"
+                     datatype="string" version="2"
+                     comment="regex to identify pam_unix.so in auth section of pam files">
+    <value>^\s*auth\N+pam_unix\.so</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_pam_faillock_auth_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    {{% if 'debian' in product %}}
+    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
+    {{% elif 'ubuntu' in product %}}
+    <value>^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail</value>
+    {{% elif 'openeuler' in product or 'kylinserver' in product %}}
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+    {{% else %}}
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+    {{% endif %}}
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_pam_faillock_account_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entry in account section of pam files">
+    {{% if 'debian' in product or 'ubuntu' in product %}}
+    <value>^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$</value>
+    {{% elif 'openeuler' in product or 'kylinserver' in product %}}
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
+    {{% else %}}
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
+    {{% endif %}}
+  </constant_variable>
+
+  {{% macro generate_test_faillock_enabled(file_stem) %}}
+  <!-- Check occurences of pam_unix.so in auth section of {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_unix_auth"
+      comment="no more that one pam_unix.so is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_unix_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_unix_auth"
+      comment="Get the second and subsequent occurrences of pam_unix.so in auth section of {{{ file_stem}}}-auth">
+    <ind:filepath>/etc/pam.d/{{{file_stem}}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_accounts_passwords_pam_faillock_pam_unix_regex"/>
+    <ind:instance datatype="int" operation="greater than">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_auth"
+      comment="One and only one occurrence is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object
+	object_ref="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_auth"
+      comment="Check common definition of pam_faillock.so in auth section of common-auth">
+    <ind:filepath>/etc/pam.d/{{{ file_stem }}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match"
+		 var_ref="var_accounts_passwords_pam_faillock_pam_faillock_auth_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_enabled (file_stem="common")   }}}
+
+  {{% macro generate_test_faillock_account(file_stem, file) %}}
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-account -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_account"
+      comment="One and only one occurrence is expected in {{{ file }}}">
+    <ind:object
+	object_ref="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_account"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_account"
+      comment="Check common definition of pam_faillock.so in account section of {{{ file }}}">
+    <ind:filepath>/etc/pam.d/{{{ file }}}</ind:filepath>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_pam_faillock_account_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_account (file_stem="common",   file="common-account") }}}
+
+</def-group>