
Add Variable-based CPE and UFW rules for Ubuntu 20.04 STIG #7635

Closed
wants to merge 32 commits into from

Commits on Feb 10, 2022

  1. Add macro for shared variable<->value checks

    This allows us to easily create shared checks for whether or not a
    (string) variable presently takes on a given value. This will be used as
    part of applicability checks based around variables.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (638e1be)
  2. Add applicability checks against variables

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (d995d24)
  3. Add removed form to complete_ocil_entry_package

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (bfe6cac)
  4. Start tracking var_applicability separately

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (93007f4)
  5. Update remediation to understand variable-based applicability

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (9c8da6f)
  6. Prevent generation of var_ based CPEs

    These are pseudo-CPEs that don't actually land in the CPE list, but need
    to be known by portions of the build system that expect CPEs.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (6139f93)
  7. Add variable-based CPEs into hand-written OVALs

    This adds variable-based "CPEs" (where the check passes if the variable
    is not of the correct value) into the definition of hand-written
    elements. We use an extend_definition for this purpose.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (1bb6428)
  8. Update templated OVALs to obey variable-based CPE checks

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (f091c67)
  9. Support variable-based CPE platforms

    When we generate pseudo-CPEs based off of variables, we load (and then
    re-write) the XML of OVAL checks. The rewriting (via ElementTree) causes
    an oval: namespace prefix to be added into all platform elements. This
    causes later steps (which operate strictly on strings and not on parsed
    element trees) to fail.

    Update them to use the correct namespace.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (f088275)
  10. Add sub-namespaces to oval parsing

    This fixes a bug whereby the proper namespaces (and sub-namespaces)
    weren't added into the OVAL parsing.

    This resulted in namespaces such as linux not being detected correctly
    (thus becoming ns1), breaking XML parsing later. Additionally, the
    oval definition namespace must be empty (default namespace) rather than
    being explicitly referenced.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (7be752e)
  11. Add pseudo variable-based CPEs land to templates

    When building remediations, all content--both templated and rule directory
    based--is processed by ssg/build_remediations.py, allowing us to add
    pseudo variable-based CPEs there. However, when building OVALs (in
    ssg/build_oval.py), we only process shared and rule directory OVALs;
    templated OVALs are written directly by the template system and not
    processed as a group afterwards.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (f4934bc)
  12. Correctly handle negation for pseudo-CPEs

    When negating the variable pseudo-CPEs, we need to ensure the variable
    has taken a value and is non-empty. Otherwise, we run into the situation
    that all negations conflictingly activate when the variable is left
    empty. This occurs when scap-workbench generates a remediation to apply
    from a given profile.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (1aeda0b)
  13. Fix variable population

    When using a variable-based pseudo-CPE, we need to source the shared
    remediation functions. Otherwise, the variable substitution will not
    occur and our variables will not be populated.

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (41da952)
  14. Add var_firewall_package for selecting which firewall to use

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (0635ed0)
  15. Add firewall-based CPE variables

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (10d57dc)
  16. Add OVAL checks for all variable CPEs

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (dc2b376)
  17. Add Uncomplicated Firewall (ufw) group

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (b25f410)
  18. Add package_ufw_installed for CIS 3.5.1.1

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (8c76e05)
  19. Add platforms for package_ufw_installed

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (6665385)
  20. 3e88930 (no commit title shown)
  21. d7c1e69 (no commit title shown)
  22. Add service_ufw_enabled for CIS 3.5.1.3

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (d9545da)
  23. Add platforms for service_ufw_enabled

    Signed-off-by: Alexander Scheel <[email protected]>
    cipherboy authored and dodys committed Feb 10, 2022 (8eb3392)
  24. 6f0a9c1 (no commit title shown)
  25. a67154f (no commit title shown)
  26. Add rule ufw_rate_limit

    dodys committed Feb 10, 2022 (f95387d)
  27. 2b2a420 (no commit title shown)
  28. f7327c5 (no commit title shown)
  29. 33871dc (no commit title shown)
  30. Fix pep8 issue

    dodys committed Feb 10, 2022 (db29da6)
  31. fa91678 (no commit title shown)
  32. c5b263f (no commit title shown)