Adds EL9 hardening-content per Issue 496

.github/dependabot.yml

@@ -1,14 +1,13 @@
 ---
 version: 2
 updates:
-  - package-ecosystem: docker
-    directory: "/tests/docker/centos7"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: daily
-    open-pull-requests-limit: 10
+      interval: weekly
+  # Maintain dependencies for root dockerfile
   - package-ecosystem: docker
-    directory: "/tests/docker/centos8"
+    directory: /
     schedule:
-      interval: daily
-    open-pull-requests-limit: 10
+      interval: weekly
 ...

.github/workflows/test.yml

@@ -8,12 +8,12 @@ concurrency:
 
 jobs:
   test:
-    uses: plus3it/actions-workflows/.github/workflows/test-salt-linux.yml@b1b7bdb32125ccb05afa36909954a75b9f2ab431
+    uses: plus3it/actions-workflows/.github/workflows/test-salt-linux.yml@72a8659c8716b3fbf6e9ea01b53b2f83c0b6d6d8
     strategy:
       matrix:
         os_version:
-          - 7
           - 8
+          - 9
         salt_state:
           - ash-linux.iavm
           - ash-linux.stig

ash-linux/el8/STIGbyID/init.sls

@@ -7,5 +7,13 @@ include:
 Print ash-linux el8 stig baseline help:
   test.show_notification:
     - text: |
-        The full, item-by-item `ash-linux.stig` baseline for EL8 is in beta.
+        The full, item-by-item `ash-linux.stig` baseline for EL8 is known to
+        "over-harden" some systems to the point that they cannot be used for
+        their intended workloads.
+
         Use this content at your own risk.
+
+        If you choose to use this content and it causes issues for you, you can
+        block the configuration of some items by setting up exclusions in the
+        Pillar-content for this project. See the `skip-stigs` setting in the
+        project's `pillar.example` file.

ash-linux/el9/Nessus/init.sls

@@ -0,0 +1,7 @@
+Print ash-linux el9 Nessus baseline help:
+  test.show_notification:
+    - text: |
+        The ash-linux Nessus baseline for EL9 has no current known findings or
+        remediation actions. This state is provided only as a notification
+        message and a placeholder. On its own, this state does not modify the
+        system in any way.

ash-linux/el9/RuleById/common/grub2_info.jinja

@@ -0,0 +1,12 @@
+{%- set grubUser = salt.pillar.get('ash-linux:lookup:grub-user', 'grubuser') %}
+{%- set grubClearPass = salt.pillar.get('ash-linux:lookup:grub-passwd', 'AR34llyB4dP4ssw*rd') %}
+
+{%-
+    set grubEncryptedPass = salt.cmd.shell(
+        'printf "%s\n%s\n" "' + grubClearPass + '" "' + grubClearPass + '" |
+        /bin/grub2-mkpasswd-pbkdf2 |
+        grep "hash of" |
+        sed "s/^.* is //"',
+        ignore_retcode=True
+    )
+%}

ash-linux/el9/RuleById/high/content_rule_grub2_uefi_password.sls

@@ -0,0 +1,181 @@
+# Rule ID:              content_rule_grub2_uefi_password
+# Finding Level:        high
+#
+# Rule Summary:
+#       The grub2 boot loader should have a superuser account and password
+#       protection enabled to protect boot-time settings.
+#
+# Identifiers:
+#   - content_rule_grub2_uefi_password
+#
+# References:
+#   - ANSSI
+#     - BP28(R17)
+#   - CIS-CSC
+#     - 11
+#     - 12
+#     - 14
+#     - 15
+#     - 16
+#     - 18
+#     - 3
+#     - 5
+#   - COBIT5
+#     - DSS05.02
+#     - DSS05.04
+#     - DSS05.05
+#     - DSS05.07
+#     - DSS06.03
+#     - DSS06.06
+#   - CUI
+#     - 3.4.5
+#   - DISA
+#     - CCI-000213
+#   - HIPAA
+#     - 164.308(A)(1)(II)(B)
+#     - 164.308(a)(7)(i)
+#     - 164.308(a)(7)(ii)(A)
+#     - 164.310(a)(1)
+#     - 164.310(a)(2)(i)
+#     - 164.310(a)(2)(ii)
+#     - 164.310(a)(2)(iii)
+#     - 164.310(b)
+#     - 164.310(c)
+#     - 164.310(d)(1)
+#     - 164.310(d)(2)(iii)
+#   - ISA-62443-2009
+#     - 4.3.3.2.2
+#     - 4.3.3.5.1
+#     - 4.3.3.5.2
+#     - 4.3.3.5.3
+#     - 4.3.3.5.4
+#     - 4.3.3.5.5
+#     - 4.3.3.5.6
+#     - 4.3.3.5.7
+#     - 4.3.3.5.8
+#     - 4.3.3.6.1
+#     - 4.3.3.6.2
+#     - 4.3.3.6.3
+#     - 4.3.3.6.4
+#     - 4.3.3.6.5
+#     - 4.3.3.6.6
+#     - 4.3.3.6.7
+#     - 4.3.3.6.8
+#     - 4.3.3.6.9
+#     - 4.3.3.7.1
+#     - 4.3.3.7.2
+#     - 4.3.3.7.3
+#     - 4.3.3.7.4
+#   - ISA-62443-2013
+#     - SR 1.1
+#     - SR 1.10
+#     - SR 1.11
+#     - SR 1.12
+#     - SR 1.13
+#     - SR 1.2
+#     - SR 1.3
+#     - SR 1.4
+#     - SR 1.5
+#     - SR 1.6
+#     - SR 1.7
+#     - SR 1.8
+#     - SR 1.9
+#     - SR 2.1
+#     - SR 2.2
+#     - SR 2.3
+#     - SR 2.4
+#     - SR 2.5
+#     - SR 2.6
+#     - SR 2.7
+#   - ISO27001-2013
+#     - A.6.1.2
+#     - A.7.1.1
+#     - A.9.1.2
+#     - A.9.2.1
+#     - A.9.2.3
+#     - A.9.4.1
+#     - A.9.4.4
+#     - A.9.4.5
+#   - NIST
+#     - CM-6(A)
+#   - NIST-CSF
+#     - PR.AC-4
+#     - PR.AC-6
+#     - PR.PT-3
+#   - OSPP
+#     - FIA_UAU.1
+#   - OS-SRG
+#     - SRG-OS-000080-GPOS-00048
+#
+################################################################################
+{%- set stig_id = 'grub2_uefi_password' %}
+{%- set helperLoc = tpldir ~ '/files' %}
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ '/el9/RuleById/common/grub2_info.jinja' import grubEncryptedPass with context %}
+{%- from tplroot ~ '/el9/RuleById/common/grub2_info.jinja' import grubUser with context %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set mustSet = salt.pillar.get('ash-linux:lookup:grub-passwd', '') %}
+{%- set grubUserFile = '/etc/grub.d/01_users' %}
+{%- set grubPassFile = '/boot/grub2/user.cfg' %}
+{%- set grubUtil = '/bin/grub2-mkpasswd-pbkdf2' %}
+
+{{ stig_id }}-description:
+  test.show_notification:
+    - text: |
+        --------------------------------------------
+        STIG Finding ID: {{ stig_id }}
+           The grub2 boot loader should have a
+           superuser account and password protection
+           enabled to protect boot-time settings.
+        --------------------------------------------
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+  test.show_notification:
+    - text: |
+        Handler for {{ stig_id }} has been selected for skip.
+{%- elif salt.file.directory_exists('/sys/firmware/efi') %}
+
+# Ensure password-containing file exists
+user_cfg_exists-{{ stig_id }}:
+  file.touch:
+    - name: '{{ grubPassFile }}'
+    - makedirs: True
+    - unless:
+      - '[[ -e {{ grubPassFile }} ]]'
+
+# Add password to user password file
+user_cfg_content-{{ stig_id }}-present:
+  file.replace:
+    - name: '{{ grubPassFile }}'
+    - append_if_not_found: True
+    - not_found_content: |-
+        GRUB2_PASSWORD={{ grubEncryptedPass }}
+    - pattern: '^(\s*GRUB2_PASSWORD=).*$'
+    - repl: 'GRUB2_PASSWORD={{ grubEncryptedPass }}'
+    - require:
+      - file: user_cfg_exists-{{ stig_id }}
+
+# Ensure proper permissions (etc.)
+user_cfg_content-{{ stig_id }}-secmode:
+  file.managed:
+    - name: '{{ grubPassFile }}'
+    - group: 'root'
+    - require:
+      - file: user_cfg_content-{{ stig_id }}-present
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'boot_t'
+        seuser: 'system_u'
+
+{%- else %}
+Why Skip ({{ stig_id }}) - No EFI Support:
+notify_{{ stig_id }}-skipSet:
+  test.show_notification:
+    - text: |
+        ---------------------------------------
+        This system does not support UEFI-boot
+        ---------------------------------------
+{%- endif %}

ash-linux/el9/RuleById/high/init.sls

@@ -0,0 +1,2 @@
+include:
+  - ash-linux.el9.RuleById.high.content_rule_grub2_uefi_password

ash-linux/el9/RuleById/init.sls

@@ -0,0 +1,4 @@
+include:
+  - ash-linux.el9.RuleById.high
+  - ash-linux.el9.RuleById.medium
+  - ash-linux.el9.RuleById.low

ash-linux/el9/RuleById/low/content_rule_configure_usbguard_auditbackend.sls

@@ -0,0 +1,77 @@
+# Rule ID:              content_rule_configure_usbguard_auditbackend
+# Finding Level:        low
+#
+# Rule Summary:
+#       Configure USBGuard daemon to log via Linux Audit service by setting the
+#       `AuditBackend` option in the `/etc/usbguard/usbguard-daemon.conf`
+#       file to `LinuxAudit`
+#
+# Identifiers:
+#   - content_rule_configure_usbguard_auditbackend
+#
+# References:
+#   - DISA
+#     - CCI-000169
+#     - CCI-000172
+#   - NIST
+#     - AU-2
+#     - CM-8(3)
+#     - IA-3
+#   - OSPP
+#     - FMT_SMF_EXT.1
+#   - OS-SRG
+#     - SRG-OS-000062-GPOS-00031
+#     - SRG-OS-000471-GPOS-00215
+#   - APP-SRG
+#     - SRG-APP-000141-CTR-000315
+#
+#################################################################
+{%- set stig_id = 'configure_usbguard_auditbackend' %}
+{%- set helperLoc = tpldir ~ '/files' %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set cfgFile = '/etc/usbguard/usbguard-daemon.conf' %}
+
+{{ stig_id }}-description:
+  test.show_notification:
+    - text: |
+        --------------------------------------
+        STIG Finding ID: {{ stig_id }}:
+          Configure USBGuard daemon to log via
+          Linux Audit service
+        --------------------------------------
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+  test.show_notification:
+    - text: |
+        Handler for {{ stig_id }} has been selected for skip.
+{%- else %}
+# Ensure file-protections
+{{ cfgFile }} - Exists:
+  file.managed:
+    - name: '{{ cfgFile }}'
+    - mode: '0600'
+    - user: 'root'
+    - group: 'root'
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'usbguard_conf_t'
+        seuser: 'system_u'
+
+# Make config-change
+{{ cfgFile }} - Update content:
+  file.replace:
+    - name: '{{ cfgFile }}'
+    - append_if_not_found: True
+    - not_found_content: |-
+        # Set per rule '{{ stig_id }}'
+        AuditBackend=LinuxAudit
+    - pattern: '^(|\s*)(AuditBackend)=.*$'
+    - repl: '# Set per rule "{{ stig_id }}"\n\2=LinuxAudit'
+    - require:
+      - file: {{ cfgFile }} - Exists
+    - unless:
+      - '[[ $( grep AuditBackend=LinuxAudit {{ cfgFile }} ) ]]'
+
+{%- endif %}

ash-linux/el9/RuleById/low/content_rule_no_tmux_in_shells.sls

@@ -0,0 +1,52 @@
+# Rule ID:              content_rule_no_tmux_in_shells
+# Finding Level:        low
+#
+# Rule Summary:
+#       The tmux terminal multiplexer is used to implement automatic session
+#       locking. It should not be listed in /etc/shells.
+#
+# Identifiers:
+#   - content_rule_no_tmux_in_shells
+#
+# References:
+#   - DISA
+#     - CCI-000056
+#     - CCI-000058
+#   - NIST
+#     - CM-6
+#   - OSPP
+#     - FMT_SMF_EXT.1
+#     - FMT_MOF_EXT.1
+#     - FTA_SSL.1
+#   - OS-SRG
+#     - SRG-OS-000324-GPOS-00125
+#     - SRG-OS-000028-GPOS-00009
+#     - SRG-OS-000030-GPOS-00011
+#
+#################################################################
+{%- set stig_id = 'no_tmux_in_shells' %}
+{%- set helperLoc = tpldir ~ '/files' %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set cfgFile = '/etc/shells' %}
+
+{{ stig_id }}-description:
+  test.show_notification:
+    - text: |
+        --------------------------------------
+        STIG Finding ID: {{ stig_id }}:
+          `tmux` should not exist in the
+          `/etc/shells` file
+        --------------------------------------
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+  test.show_notification:
+    - text: |
+        Handler for {{ stig_id }} has been selected for skip.
+{%- else %}
+Ensure tmux not in {{ cfgFile }}:
+  file.replace:
+    - name: '{{ cfgFile }}'
+    - pattern: '^.*/tmux\n'
+    - repl: ''
+{%- endif %}

ash-linux/el9/RuleById/low/init.sls

@@ -0,0 +1,3 @@
+include:
+  - ash-linux.el9.RuleById.low.content_rule_configure_usbguard_auditbackend
+  - ash-linux.el9.RuleById.low.content_rule_no_tmux_in_shells