Merge pull request ComplianceAsCode#11588 from jan-cerny/ANSSI_R50

Update ANSSI R50

components/chrony.yml

@@ -6,5 +6,8 @@ rules:
 - chronyd_run_as_chrony_user
 - chronyd_server_directive
 - chronyd_specify_remote_server
+- file_groupowner_etc_chrony_keys
+- file_owner_etc_chrony_keys
+- file_permissions_etc_chrony_keys
 - package_chrony_installed
 - service_chronyd_enabled

components/filesystem.yml

@@ -22,11 +22,15 @@ rules:
 - dir_perms_world_writable_system_owned_group
 - dir_system_commands_group_root_owned
 - dir_system_commands_root_owned
+- directory_groupowner_etc_sysctld
+- directory_owner_etc_sysctld
+- directory_permissions_etc_sysctld
 - file_etc_security_opasswd
 - file_groupowner_backup_etc_group
 - file_groupowner_backup_etc_gshadow
 - file_groupowner_backup_etc_passwd
 - file_groupowner_backup_etc_shadow
+- file_groupowner_etc_crypttab
 - file_groupowner_etc_group
 - file_groupowner_etc_gshadow
 - file_groupowner_etc_passwd
@@ -41,6 +45,7 @@ rules:
 - file_owner_backup_etc_gshadow
 - file_owner_backup_etc_passwd
 - file_owner_backup_etc_shadow
+- file_owner_etc_crypttab
 - file_owner_etc_group
 - file_owner_etc_gshadow
 - file_owner_etc_passwd
@@ -60,6 +65,7 @@ rules:
 - file_permissions_binary_dirs
 - file_permissions_etc_audit_auditd
 - file_permissions_etc_audit_rulesd
+- file_permissions_etc_crypttab
 - file_permissions_etc_group
 - file_permissions_etc_gshadow
 - file_permissions_etc_passwd

components/iptables.yml

@@ -6,6 +6,9 @@ packages:
 - iptables-persistent
 - iptables-services
 rules:
+- directory_groupowner_etc_iptables
+- directory_owner_etc_iptables
+- directory_permissions_etc_iptables
 - package_iptables-nft_installed
 - package_iptables-nft_installed
 - package_iptables-persistent_installed

components/kernel.yml

@@ -20,6 +20,9 @@ rules:
 - coreos_pti_kernel_argument
 - coreos_slub_debug_kernel_argument
 - coreos_vsyscall_kernel_argument
+- directory_groupowner_etc_sysctld
+- directory_owner_etc_sysctld
+- directory_permissions_etc_sysctld
 - grub2_ipv6_disable_argument
 - grub2_kernel_trust_cpu_rng
 - install_PAE_kernel_on_x86-32

components/libreswan.yml

@@ -4,6 +4,15 @@ name: libreswan
 packages:
 - libreswan
 rules:
+- directory_groupowner_etc_ipsecd
+- directory_owner_etc_ipsecd
+- directory_permissions_etc_ipsecd
+- file_groupowner_etc_ipsec_conf
+- file_groupowner_etc_ipsec_secrets
+- file_owner_etc_ipsec_conf
+- file_owner_etc_ipsec_secrets
+- file_permissions_etc_ipsec_conf
+- file_permissions_etc_ipsec_secrets
 - libreswan_approved_tunnels
 - package_libreswan_installed
 - package_strongswan_installed

components/nftables.yml

@@ -4,6 +4,9 @@ name: nftables
 packages:
 - nftables
 rules:
+- directory_groupowner_etc_nftables
+- directory_owner_etc_nftables
+- directory_permissions_etc_nftables
 - nftables_ensure_default_deny_policy
 - nftables_rules_permanent
 - package_nftables_installed

components/ntp.yml

@@ -14,6 +14,9 @@ rules:
 - chronyd_server_directive
 - chronyd_specify_remote_server
 - chronyd_sync_clock
+- file_groupowner_etc_chrony_keys
+- file_owner_etc_chrony_keys
+- file_permissions_etc_chrony_keys
 - ntpd_configure_restrictions
 - ntpd_run_as_ntp_user
 - ntpd_specify_multiple_servers

components/selinux.yml

@@ -12,7 +12,13 @@ packages:
 - setroubleshoot-server
 rules:
 - coreos_enable_selinux_kernel_argument
+- directory_owner_etc_selinux
+- directory_groupowner_etc_selinux
+- directory_permissions_etc_selinux
 - grub2_enable_selinux
+- file_groupowner_etc_sestatus_conf
+- file_owner_etc_sestatus_conf
+- file_permissions_etc_sestatus_conf
 - package_libselinux_installed
 - package_mcstrans_removed
 - package_policycoreutils-python-utils_installed

components/sudo.yml

@@ -4,6 +4,12 @@ name: sudo
 packages:
 - sudo
 rules:
+- directory_groupowner_etc_sudoersd
+- directory_owner_etc_sudoersd
+- directory_permissions_etc_sudoersd
+- file_groupowner_etc_sudoers
+- file_owner_etc_sudoers
+- file_permissions_etc_sudoers
 - package_sudo_installed
 - sudo_add_env_reset
 - sudo_add_ignore_dot

components/systemd.yml

@@ -9,8 +9,11 @@ rules:
 - coredump_disable_backtraces
 - coredump_disable_storage
 - disable_ctrlaltdel_burstaction
+- file_groupowner_etc_crypttab
 - file_groupowner_system_journal
+- file_owner_etc_crypttab
 - file_owner_system_journal
+- file_permissions_etc_crypttab
 - file_permissions_system_journal
 - journald_compress
 - journald_forward_to_syslog

controls/anssi.yml

@@ -1027,12 +1027,76 @@ controls:
     status: automated
     rules:
     - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
     - file_permissions_etc_shadow
     - file_owner_etc_gshadow
+    - file_groupowner_etc_gshadow
     - file_permissions_etc_gshadow
+    - file_owner_etc_passwd
+    - file_groupowner_etc_passwd
     - file_permissions_etc_passwd
+    - file_owner_etc_group
+    - file_groupowner_etc_group
     - file_permissions_etc_group
+    - file_owner_etc_shells
+    - file_groupowner_etc_shells
+    - file_permissions_etc_shells
+    - accounts_user_dot_group_ownership
+    - accounts_user_dot_user_ownership
+    - accounts_users_home_files_groupownership
+    - accounts_users_home_files_ownership
+    - accounts_users_home_files_permissions
+    - file_permission_user_init_files
+    - dir_system_commands_group_root_owned
+    - dir_system_commands_root_owned
+    - file_groupownership_system_commands_dirs
+    - file_ownership_binary_dirs
+    - file_permissions_binary_dirs
+    - file_ownership_sshd_private_key
+    - file_groupownership_sshd_private_key
     - file_permissions_sshd_private_key
+    - file_ownership_sshd_pub_key
+    - file_groupownership_sshd_pub_key
+    - file_permissions_sshd_pub_key
+    - file_owner_sshd_config
+    - file_groupowner_sshd_config
+    - file_permissions_sshd_config
+    - directory_owner_etc_selinux
+    - directory_groupowner_etc_selinux
+    - directory_permissions_etc_selinux
+    - file_owner_etc_sestatus_conf
+    - file_groupowner_etc_sestatus_conf
+    - file_permissions_etc_sestatus_conf
+    - directory_owner_etc_ipsecd
+    - directory_groupowner_etc_ipsecd
+    - directory_permissions_etc_ipsecd
+    - file_owner_etc_ipsec_conf
+    - file_groupowner_etc_ipsec_conf
+    - file_permissions_etc_ipsec_conf
+    - file_owner_etc_ipsec_secrets
+    - file_groupowner_etc_ipsec_secrets
+    - file_permissions_etc_ipsec_secrets
+    - directory_owner_etc_iptables
+    - directory_groupowner_etc_iptables
+    - directory_permissions_etc_iptables
+    - directory_owner_etc_nftables
+    - directory_groupowner_etc_nftables
+    - directory_permissions_etc_nftables
+    - directory_owner_etc_sysctld
+    - directory_groupowner_etc_sysctld
+    - directory_permissions_etc_sysctld
+    - file_owner_etc_sudoers
+    - file_groupowner_etc_sudoers
+    - file_permissions_etc_sudoers
+    - directory_owner_etc_sudoersd
+    - directory_groupowner_etc_sudoersd
+    - directory_permissions_etc_sudoersd
+    - file_owner_etc_crypttab
+    - file_groupowner_etc_crypttab
+    - file_permissions_etc_crypttab
+    - file_owner_etc_chrony_keys
+    - file_groupowner_etc_chrony_keys
+    - file_permissions_etc_chrony_keys
 
   - id: R51
     title: Sensitive and trusted files

linux_os/guide/services/ntp/file_groupowner_etc_chrony_keys/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: Verify Group Who Owns /etc/chrony.keys File
+
+description: '{{{ describe_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+
+rationale: |-
+    The ownership of the /etc/chrony.keys file by the root group is important
+    because this file hosts chrony cryptographic keys. Protection
+    of this file is critical for system security. Assigning the ownership to
+    root ensures exclusive control of the chrony cryptography keys.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86371-2
+    cce@rhel8: CCE-86373-8
+    cce@rhel9: CCE-86374-6
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/chrony.keys", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/chrony.keys", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/chrony.keys
+        gid_or_name: root

linux_os/guide/services/ntp/file_owner_etc_chrony_keys/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: Verify User Who Owns /etc/chrony.keys File
+
+description: '{{{ describe_file_owner(file="/etc/chrony.keys", owner="root") }}}'
+
+rationale: |-
+    The ownership of the /etc/chrony.keys file by the root user is important
+    because this file hosts chrony cryptographic keys. Protection
+    of this file is critical for system security. Assigning the ownership to
+    root ensures exclusive control of the chrony cryptographic keys.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86375-3
+    cce@rhel8: CCE-86379-5
+    cce@rhel9: CCE-86380-3
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/chrony.keys", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/chrony.keys", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/etc/chrony.keys", owner="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/chrony.keys", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/chrony.keys
+        fileuid: '0'

linux_os/guide/services/ntp/file_permissions_etc_chrony_keys/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: Verify Permissions On /etc/chrony.keys File
+
+description: '{{{ describe_file_permissions(file="/etc/chrony.keys", perms="0600") }}}'
+
+rationale: |-
+    Setting correct permissions on the /etc/chrony.keys file is important
+    because this file hosts chrony cryptographic keys. Protection
+    of this file is critical for system security. Assigning the correct mode
+    ensures exclusive control of the chrony cryptographic keys.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86381-1
+    cce@rhel8: CCE-86383-7
+    cce@rhel9: CCE-86384-5
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/chrony.keys", perms="0600") }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/chrony.keys", perms="0600") }}}
+
+fixtext: '{{{ fixtext_file_permissions(file="/etc/chrony.keys", mode="0600") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/chrony.keys", mode="0600") }}}'
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/chrony.keys
+        filemode: '0600'

linux_os/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership/rule.yml

@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80526-7
     cce@rhel8: CCE-86314-2
+    cce@rhel9: CCE-87037-8
     cce@sle12: CCE-92295-5
     cce@sle15: CCE-91408-5
 

linux_os/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership/rule.yml

@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80527-5
     cce@rhel8: CCE-86316-7
+    cce@rhel9: CCE-87038-6
     cce@sle12: CCE-92296-3
     cce@sle15: CCE-91409-3
 

linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/rule.yml

@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80534-1
     cce@rhel8: CCE-86534-5
+    cce@rhel9: CCE-87039-4
     cce@sle12: CCE-92292-2
     cce@sle15: CCE-91405-1
 

linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/rule.yml

@@ -22,6 +22,8 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-80533-3
+    cce@rhel8: CCE-87040-2
+    cce@rhel9: CCE-87041-0
     cce@sle12: CCE-92293-0
     cce@sle15: CCE-91406-9
 

linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/rule.yml

@@ -18,6 +18,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80535-8
     cce@rhel8: CCE-85888-6
+    cce@rhel9: CCE-87042-8
     cce@sle12: CCE-92290-6
     cce@sle15: CCE-91403-6
 

linux_os/guide/system/network/network-ipsec/directory_groupowner_etc_ipsecd/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: Verify Group Who Owns /etc/ipsec.d Directory
+
+description: '{{{ describe_file_group_owner(file="/etc/ipsec.d", group="root") }}}'
+
+rationale: |-
+    The ownership of the /etc/ipsec.d directory by the root group is important
+    because this directory hosts Libreswan configuration. Protection of this
+    file is critical for system security. Assigning the ownership to root
+    ensures exclusive control of the Libreswan configuration.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86437-1
+    cce@rhel8: CCE-86438-9
+    cce@rhel9: CCE-86439-7
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ipsec.d", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/ipsec.d", group="root") }}}
+
+platform: package[libreswan]
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/ipsec.d", group="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ipsec.d", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/ipsec.d/
+        gid_or_name: root