From fa7cdeff5a73f91b34be52fa22bb6f9d116376ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 25 Apr 2024 16:47:29 +0200
Subject: [PATCH] add file_permission_user_init_files_root and associated variable to RHEL7 STIG

---
 .../file_permission_user_init_files_root/rule.yml | 2 ++
 products/rhel7/profiles/stig.profile | 3 ++-
 shared/references/cce-redhat-avail.txt | 1 -
 tests/data/profile_stability/rhel7/stig.profile | 3 ++-
 tests/data/profile_stability/rhel7/stig_gui.profile | 3 ++-
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
index 0d46a3664730..695a881811ee 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
@@ -18,12 +18,14 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-86105-4
     cce@rhel8: CCE-86101-3
     cce@rhel9: CCE-87087-3
 
 references:
     disa: CCI-000366
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel7: RHEL-07-020710
     stigid@rhel8: RHEL-08-010770
 
 ocil_clause: 'they are not 0740 or more permissive'
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
index 08b9402fe831..d1dbd4182d40 100644
--- a/products/rhel7/profiles/stig.profile
+++ b/products/rhel7/profiles/stig.profile
@@ -156,7 +156,8 @@ selections:
     - accounts_users_home_files_permissions
     - accounts_user_dot_user_ownership
     - accounts_user_dot_group_ownership
-    - file_permission_user_init_files
+    - file_permission_user_init_files_root
+    - var_user_initialization_files_regex=all_dotfiles
     - accounts_user_home_paths_only
     - accounts_user_dot_no_world_writable_programs
     - selinux_all_devicefiles_labeled
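Review bot: The new `stigid@rhel7: RHEL-07-020710` reference ties this rule to a requirement that init files be 0740 or less permissive, yet the unchanged `ocil_clause: 'they are not 0740 or more permissive'` on the last hunk line reads as the opposite condition (a file at 0600 is "not 0740", a file at 0777 is "more permissive"), so an assessor following the OCIL text could reach the wrong verdict. Since the rhel7 mapping now makes that wording carry a STIG finding, it is worth correcting in the same change: `ocil_clause: 'they are more permissive than 0740'`. The hunk also shows no rhel7 applicability change for the rule itself; presumably it is already built for rhel7, but that is not visible here and should be confirmed against the rule's template and remediations.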
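Review bot: `var_user_initialization_files_regex=all_dotfiles` appears, judging by the value name, to widen the checked set from a fixed list of shell init files to every dotfile under a user's home directory, and the profile gives no hint why; because the rule's remediation will presumably chmod whatever the regex matches, a reader should not have to derive the intent from the STIG text. A one-line comment above the selection would do: `# RHEL-07-020710 covers every dotfile in the home directory, not only shell init files`. The swap from `file_permission_user_init_files` to the `_root` variant also drops the earlier rule without showing that the replacement carries bash/ansible remediation for rhel7; confirm that before relying on this profile for remediation rather than scanning only.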
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4acff1035478..132e9833963b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86105-4
 CCE-86106-2
 CCE-86141-9
 CCE-86142-7
diff --git a/tests/data/profile_stability/rhel7/stig.profile b/tests/data/profile_stability/rhel7/stig.profile
index 14a42c37b1f5..327f019d0dcf 100644
--- a/tests/data/profile_stability/rhel7/stig.profile
+++ b/tests/data/profile_stability/rhel7/stig.profile
@@ -287,7 +287,7 @@ selections:
 - package_tftp-server_removed
 - audit_rules_unsuccessful_file_modification_ftruncate
 - audit_rules_privileged_commands_postdrop
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - gnome_gdm_disable_automatic_login
 - uefi_no_removeable_media
 - audit_rules_kernel_module_loading_init
@@ -354,6 +354,7 @@ selections:
 - var_sshd_set_keepalive=0
 - var_auditd_name_format=stig
 - sssd_ldap_start_tls.severity=medium
+- var_user_initialization_files_regex=all_dotfiles
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}
diff --git a/tests/data/profile_stability/rhel7/stig_gui.profile b/tests/data/profile_stability/rhel7/stig_gui.profile
index 4487ba41258c..8002d0688db4 100644
--- a/tests/data/profile_stability/rhel7/stig_gui.profile
+++ b/tests/data/profile_stability/rhel7/stig_gui.profile
@@ -298,7 +298,7 @@ selections:
 - package_tftp-server_removed
 - audit_rules_unsuccessful_file_modification_ftruncate
 - audit_rules_privileged_commands_postdrop
-- file_permission_user_init_files
+- file_permission_user_init_files_root
 - gnome_gdm_disable_automatic_login
 - uefi_no_removeable_media
 - audit_rules_kernel_module_loading_init
@@ -364,6 +364,7 @@ selections:
 - var_sshd_set_keepalive=0
 - var_auditd_name_format=stig
 - sssd_ldap_start_tls.severity=medium
+- var_user_initialization_files_regex=all_dotfiles
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}