diff --git a/docker/images/parabol-ubi/cloudbuild.yml b/docker/images/parabol-ubi/cloudbuild.yml
deleted file mode 100644
index 1ba32c91d96..00000000000
--- a/docker/images/parabol-ubi/cloudbuild.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-steps:
-- name: 'docker/compose:1.29.2'
- args: ['up', '-d']
- env:
- - '_REDIS_VERSION=$_REDIS_VERSION'
- - '_RETHINKDB_VERSION=$_RETHINKDB_VERSION'
- - '_POSTGRES_VERSION=$_POSTGRES_VERSION'
-- name: 'gcr.io/cloud-builders/docker'
- args: [ 'build', '--network=cloudbuild', '-t', 'gcr.io/prbl-prod/parabol/parabol-ubi:$_APP_VERSION', '-f', './dockerfiles/parabol.dockerfile', '--build-arg','_PARABOL_GIT_REF=$_PARABOL_GIT_REF', '--build-arg','_NODE_VERSION=$_NODE_VERSION', '.' ]
- env:
- - '_NODE_VERSION=$_NODE_VERSION'
-images:
-- 'gcr.io/prbl-prod/parabol/parabol-ubi:$_APP_VERSION'
-options:
- logging: CLOUD_LOGGING_ONLY
- machineType: 'E2_HIGHCPU_32'
-timeout: 3600s
\ No newline at end of file
diff --git a/docker/images/parabol-ubi/docker-compose.yml b/docker/images/parabol-ubi/docker-compose.yml
deleted file mode 100644
index 40651aceb39..00000000000
--- a/docker/images/parabol-ubi/docker-compose.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-version: '3'
-services:
- redis:
- image: redis:$_REDIS_VERSION
- network_mode: cloudbuild
- container_name: redis
- expose:
- - 6379
- rethinkdb:
- image: rethinkdb:$_RETHINKDB_VERSION
- network_mode: cloudbuild
- container_name: rethinkdb
- expose:
- - 8080
- - 29015
- - 28015
- postgres:
- image: postgres:$_POSTGRES_VERSION
- network_mode: cloudbuild
- container_name: postgres
- environment:
- - POSTGRES_USER=tempuser
- - POSTGRES_PASSWORD=temppassword
- - POSTGRES_DB=tempdb
- expose:
- - 5432
-networks:
- default:
- external:
- name: cloudbuild
\ No newline at end of file
diff --git a/docker/images/parabol-ubi/dockerfiles/parabol.dockerfile b/docker/images/parabol-ubi/dockerfiles/parabol.dockerfile
deleted file mode 100644
index 2688d19ee8d..00000000000
--- a/docker/images/parabol-ubi/dockerfiles/parabol.dockerfile
+++ /dev/null
@@ -1,118 +0,0 @@
-# DO NOT DELETE. Legacy docker file for versions still in use. Delete only when all Parabol instances are using the newest docker image.
-ARG _NODE_VERSION=${_NODE_VERSION}
-#base build for dev deps
-FROM node:${_NODE_VERSION} as base
-
-ARG _PARABOL_GIT_REF=${_PARABOL_GIT_REF}
-ARG _BUILD_ENV_PATH=environments/legacy-build
-ENV NPM_CONFIG_PREFIX=/home/node/.npm-global
-
-WORKDIR /home/node
-
-ADD ${_BUILD_ENV_PATH} ./.env
-
-RUN git clone https://github.com/ParabolInc/parabol.git -b ${_PARABOL_GIT_REF} --depth 1 && \
- cd parabol && \
- rm -rf .git/ && \
- mv /home/node/.env ./.env && \
- mkdir -p /home/node/parabol/node_modules && \
- mkdir -p /home/node/.npm-global && \
- apt update -y && \
- apt install systemtap -y && \
- NODE_OPTIONS=--max-old-space-size=20480 && \
- yarn install --frozen-lockfile && \
- yarn cache clean && \
- yarn db:migrate && \
- yarn pg:migrate up && \
- yarn pg:build && \
- yarn build && \
- chown -R node:1000 /home/node/parabol
-
-#final image - copies in parabol build and applies all security configurations to container
-FROM redhat/ubi9:9.2
-
-ENV HOME=/home/node \
- USER=node
-
-RUN groupadd -g 1000 node && \
- useradd -r -u 1000 -m -s /sbin/nologin -g node node
-
-COPY --from=base /usr/local/bin /usr/local/bin
-COPY --from=base /usr/local/include /usr/local/include
-COPY --from=base /usr/local/share/man /usr/local/share/man
-COPY --from=base /usr/local/share/doc /usr/local/share/doc
-COPY --from=base /usr/share/systemtap /usr/local/share/systemtap
-COPY --from=base /usr/local/lib/node_modules /usr/local/lib/node_modules
-COPY --from=base /opt /opt
-COPY --from=base /home/node/parabol/ ${HOME}/parabol
-RUN rm -rf ${HOME}/parabol/.env
-COPY entrypoints/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-COPY security /security
-
-COPY ./tools/ip-to-server_id /home/node/tools/ip-to-server_id
-
-RUN echo Update packages and install security patches && \
- sed -i "s/enabled=1/enabled=0/" /etc/dnf/plugins/subscription-manager.conf && \
- echo "exclude=filesystem-*" >> /etc/dnf/dnf.conf && \
- chmod +x /security/*.sh && \
- dnf repolist && \
- dnf update -y && \
- echo "* hard maxlogins 10" > /etc/security/limits.d/maxlogins.conf && \
- /security/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_difok.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs.sh && \
- /security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile.sh && \
- /security/xccdf_org.ssgproject.content_rule_banner_etc_issue.sh && \
- /security/xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy.sh && \
- /security/xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy.sh && \
- /security/xccdf_org.ssgproject.content_rule_coredump_disable_backtraces.sh && \
- /security/xccdf_org.ssgproject.content_rule_coredump_disable_storage.sh && \
- /security/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh && \
- /security/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh && \
- /security/xccdf_org.ssgproject.content_rule_display_login_attempts.sh && \
- /security/xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages.sh && \
- /security/xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs.sh && \
- /security/xccdf_org.ssgproject.content_rule_no_empty_passwords.sh && \
- /security/xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy.sh && \
- /security/xccdf_org.ssgproject.content_rule_package_crypto-policies_installed.sh && \
- /security/xccdf_org.ssgproject.content_rule_package_iptables_installed.sh && \
- dnf clean all && \
- rm -rf /security/ /var/cache/dnf/ /var/tmp/* /tmp/* /var/tmp/.???* /tmp/.???* && \
- chmod 755 /usr/local/bin/docker-entrypoint.sh && \
- chmod g-s /opt/yarn-v*/bin /opt/yarn-v*/lib && \
- chgrp -R root /opt/yarn-v* && \
- chgrp root /opt/yarn-v*/lib/* /opt/yarn-v*/bin/* /opt/yarn-v*/* && \
- mkdir -p /home/node/parabol/self-hosted && \
- chown node:node /home/node/parabol/self-hosted
-
-
-WORKDIR ${HOME}/parabol/
-USER 1000
-
-EXPOSE 3000
-
-ENTRYPOINT ["docker-entrypoint.sh"]
diff --git a/docker/images/parabol-ubi/environments/legacy-build b/docker/images/parabol-ubi/environments/legacy-build
deleted file mode 100644
index d3defd290e1..00000000000
--- a/docker/images/parabol-ubi/environments/legacy-build
+++ /dev/null
@@ -1,54 +0,0 @@
-ATLASSIAN_CLIENT_ID=''
-ATLASSIAN_CLIENT_SECRET=''
-AWS_ACCESS_KEY_ID=''
-AWS_REGION=''
-AWS_S3_BUCKET=''
-AWS_SECRET_ACCESS_KEY=''
-CDN_BASE_URL=''
-FILE_STORE_PROVIDER='local'
-GITHUB_CLIENT_ID=''
-GITHUB_CLIENT_SECRET=''
-GITHUB_WEBHOOK_SECRET=''
-GITLAB_CLIENT_ID=''
-GITLAB_CLIENT_SECRET=''
-GOOGLE_CLOUD_CLIENT_EMAIL=''
-GOOGLE_CLOUD_PRIVATE_KEY=''
-GOOGLE_CLOUD_PRIVATE_KEY_ID=''
-GOOGLE_OAUTH_CLIENT_ID=''
-GOOGLE_OAUTH_CLIENT_SECRET=''
-GOOGLE_TAG_MANAGER_CONTAINER_ID=''
-GRAPHQL_HOST=''
-GRAPHQL_PROTOCOL=''
-HOST=''
-INVITATION_SHORTLINK=''
-MAIL_PROVIDER=''
-MAIL_GOOGLE_USER=''
-MAIL_GOOGLE_PASS=''
-MAILGUN_API_KEY=''
-MAILGUN_DOMAIN=''
-MAILGUN_PUBLIC_KEY=''
-MAIL_FROM=''
-NODE_ENV='production'
-NODE_EXTRA_CA_CERTS=''
-PROTO='https'
-PGADMIN_DEFAULT_EMAIL=''
-PGADMIN_DEFAULT_PASSWORD=''
-PGSSLMODE=''
-PORT=''
-POSTGRES_PASSWORD='temppassword'
-POSTGRES_USER='tempuser'
-POSTGRES_DB='tempdb'
-POSTGRES_HOST='postgres'
-POSTGRES_PORT='5432'
-REDIS_URL='redis://redis:6379'
-RETHINKDB_SSL=''
-RETHINKDB_URL='rethinkdb://rethinkdb:28015/actionProduction'
-SENTRY_DSN=''
-SERVER_ID=''
-SERVER_SECRET='FAKE_VALUE'
-SLACK_CLIENT_ID=''
-SLACK_CLIENT_SECRET=''
-STRIPE_PUBLISHABLE_KEY=''
-STRIPE_SECRET_KEY=''
-STRIPE_WEBHOOK_SECRET=''
-HUBSPOT_API_KEY=''
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh
deleted file mode 100755
index 4723b62c1c9..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration.sh
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-
-var_account_disable_post_pw_expiration="35"
-# Function to replace configuration setting in config file or add the configuration setting if
-# it does not exist.
-#
-# Expects arguments:
-#
-# config_file: Configuration file that will be modified
-# key: Configuration option to change
-# value: Value of the configuration option to change
-# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
-# format: The printf-like format string that will be given stripped key and value as arguments,
-# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
-#
-# Optional arugments:
-#
-# format: Optional argument to specify the format of how key/value should be
-# modified/appended in the configuration file. The default is key = value.
-#
-# Example Call(s):
-#
-# With default format of 'key = value':
-# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
-#
-# With custom key/value format:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
-#
-# With a variable:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
-#
-function replace_or_append {
- local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
- local config_file=$1
- local key=$2
- local value=$3
- local cce=$4
- local format=$5
-
- if [ "$case_insensitive_mode" = yes ]; then
- sed_case_insensitive_option="i"
- grep_case_insensitive_option="-i"
- fi
- [ -n "$format" ] || format="$default_format"
- # Check sanity of the input
- [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; }
-
- # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
- # Otherwise, regular sed command will do.
- sed_command=('sed' '-i')
- if test -L "$config_file"; then
- sed_command+=('--follow-symlinks')
- fi
-
- # Test that the cce arg is not empty or does not equal @CCENUM@.
- # If @CCENUM@ exists, it means that there is no CCE assigned.
- if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
- cce="${cce}"
- else
- cce="CCE"
- fi
-
- # Strip any search characters in the key arg so that the key can be replaced without
- # adding any search characters to the config file.
- stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
-
- # shellcheck disable=SC2059
- printf -v formatted_output "$format" "$stripped_key" "$value"
-
- # If the key exists, change it. Otherwise, add it to the config_file.
- # We search for the key string followed by a word boundary (matched by \>),
- # so if we search for 'setting', 'setting2' won't match.
- if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
- "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
- else
- # \n is precaution for case where file ends without trailing newline
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
- printf '%s\n' "$formatted_output" >> "$config_file"
- fi
-}
-replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" 'CCE-80954-1' '%s=%s'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay.sh
deleted file mode 100755
index 1c48d0c935d..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-
-
-# Set variables
-var_accounts_fail_delay="4"
-# Function to replace configuration setting in config file or add the configuration setting if
-# it does not exist.
-#
-# Expects arguments:
-#
-# config_file: Configuration file that will be modified
-# key: Configuration option to change
-# value: Value of the configuration option to change
-# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
-# format: The printf-like format string that will be given stripped key and value as arguments,
-# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
-#
-# Optional arugments:
-#
-# format: Optional argument to specify the format of how key/value should be
-# modified/appended in the configuration file. The default is key = value.
-#
-# Example Call(s):
-#
-# With default format of 'key = value':
-# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
-#
-# With custom key/value format:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
-#
-# With a variable:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
-#
-function replace_or_append {
- local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
- local config_file=$1
- local key=$2
- local value=$3
- local cce=$4
- local format=$5
-
- if [ "$case_insensitive_mode" = yes ]; then
- sed_case_insensitive_option="i"
- grep_case_insensitive_option="-i"
- fi
- [ -n "$format" ] || format="$default_format"
- # Check sanity of the input
- [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; }
-
- # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
- # Otherwise, regular sed command will do.
- sed_command=('sed' '-i')
- if test -L "$config_file"; then
- sed_command+=('--follow-symlinks')
- fi
-
- # Test that the cce arg is not empty or does not equal @CCENUM@.
- # If @CCENUM@ exists, it means that there is no CCE assigned.
- if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
- cce="${cce}"
- else
- cce="CCE"
- fi
-
- # Strip any search characters in the key arg so that the key can be replaced without
- # adding any search characters to the config file.
- stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
-
- # shellcheck disable=SC2059
- printf -v formatted_output "$format" "$stripped_key" "$value"
-
- # If the key exists, change it. Otherwise, add it to the config_file.
- # We search for the key string followed by a word boundary (matched by \>),
- # so if we search for 'setting', 'setting2' won't match.
- if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
- "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
- else
- # \n is precaution for case where file ends without trailing newline
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
- printf '%s\n' "$formatted_output" >> "$config_file"
- fi
-}
-replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" 'CCE-84037-1' '%s %s'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions.sh
deleted file mode 100755
index 57c685ff97e..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-
-var_accounts_max_concurrent_login_sessions="10"
-
-
-
-if grep -q '^[^#]*\' /etc/security/limits.d/*.conf; then
- sed -i "/^[^#]*\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
-elif grep -q '^[^#]*\' /etc/security/limits.conf; then
- sed -i "/^[^#]*\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
-else
- echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs.sh
deleted file mode 100755
index ee8858697d1..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-
-var_accounts_maximum_age_login_defs="60"
-
-
-
-grep -q ^PASS_MAX_DAYS /etc/login.defs && \
- sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]; then
- echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs.sh
deleted file mode 100755
index ad5419f5e8b..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-
-var_accounts_minimum_age_login_defs="1"
-
-
-
-grep -q ^PASS_MIN_DAYS /etc/login.defs && \
- sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]; then
- echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512.sh
deleted file mode 100755
index 5e794e5eafc..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512'")
-
-(>&2 echo "FIX FOR THIS RULE 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512' IS MISSING!")
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs.sh
deleted file mode 100755
index ed174d4ac12..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q shadow-utils; then
-
-
-var_accounts_password_minlen_login_defs="15"
-
-
-
-grep -q ^PASS_MIN_LEN /etc/login.defs && \
-sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
-if ! [ $? -eq 0 ]
-then
- echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit.sh
deleted file mode 100755
index 6354fc6c7ab..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit.sh
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-
-var_password_pam_dcredit="-1"
-# Function to replace configuration setting in config file or add the configuration setting if
-# it does not exist.
-#
-# Expects arguments:
-#
-# config_file: Configuration file that will be modified
-# key: Configuration option to change
-# value: Value of the configuration option to change
-# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
-# format: The printf-like format string that will be given stripped key and value as arguments,
-# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
-#
-# Optional arugments:
-#
-# format: Optional argument to specify the format of how key/value should be
-# modified/appended in the configuration file. The default is key = value.
-#
-# Example Call(s):
-#
-# With default format of 'key = value':
-# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
-#
-# With custom key/value format:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
-#
-# With a variable:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
-#
-function replace_or_append {
- local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
- local config_file=$1
- local key=$2
- local value=$3
- local cce=$4
- local format=$5
-
- if [ "$case_insensitive_mode" = yes ]; then
- sed_case_insensitive_option="i"
- grep_case_insensitive_option="-i"
- fi
- [ -n "$format" ] || format="$default_format"
- # Check sanity of the input
- [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; }
-
- # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
- # Otherwise, regular sed command will do.
- sed_command=('sed' '-i')
- if test -L "$config_file"; then
- sed_command+=('--follow-symlinks')
- fi
-
- # Test that the cce arg is not empty or does not equal @CCENUM@.
- # If @CCENUM@ exists, it means that there is no CCE assigned.
- if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
- cce="${cce}"
- else
- cce="CCE"
- fi
-
- # Strip any search characters in the key arg so that the key can be replaced without
- # adding any search characters to the config file.
- stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
-
- # shellcheck disable=SC2059
- printf -v formatted_output "$format" "$stripped_key" "$value"
-
- # If the key exists, change it. Otherwise, add it to the config_file.
- # We search for the key string followed by a word boundary (matched by \>),
- # so if we search for 'setting', 'setting2' won't match.
- if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
- "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
- else
- # \n is precaution for case where file ends without trailing newline
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
- printf '%s\n' "$formatted_output" >> "$config_file"
- fi
-}
-replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit 'CCE-80653-9' '%s = %s'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck.sh
deleted file mode 100755
index 5267cfe1794..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-
-var_password_pam_dictcheck="1"
-
-
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
-# If the cce arg is empty, CCE is not assigned.
-if [ -z "CCE-86233-4" ]; then
- cce="CCE"
-else
- cce="CCE-86233-4"
-fi
-
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^dictcheck")
-
-# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_dictcheck"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then
- "${sed_command[@]}" "s/^dictcheck\\>.*/$formatted_output/gi" "/etc/security/pwquality.conf"
-else
- # \n is precaution for case where file ends without trailing newline
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
- printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_difok.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_difok.sh
deleted file mode 100755
index 60370f10b87..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_difok.sh
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-
-var_password_pam_difok="8"
-# Function to replace configuration setting in config file or add the configuration setting if
-# it does not exist.
-#
-# Expects arguments:
-#
-# config_file: Configuration file that will be modified
-# key: Configuration option to change
-# value: Value of the configuration option to change
-# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists
-# format: The printf-like format string that will be given stripped key and value as arguments,
-# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =)
-#
-# Optional arugments:
-#
-# format: Optional argument to specify the format of how key/value should be
-# modified/appended in the configuration file. The default is key = value.
-#
-# Example Call(s):
-#
-# With default format of 'key = value':
-# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
-#
-# With custom key/value format:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s'
-#
-# With a variable:
-# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s'
-#
-function replace_or_append {
- local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option=''
- local config_file=$1
- local key=$2
- local value=$3
- local cce=$4
- local format=$5
-
- if [ "$case_insensitive_mode" = yes ]; then
- sed_case_insensitive_option="i"
- grep_case_insensitive_option="-i"
- fi
- [ -n "$format" ] || format="$default_format"
- # Check sanity of the input
- [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; }
-
- # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
- # Otherwise, regular sed command will do.
- sed_command=('sed' '-i')
- if test -L "$config_file"; then
- sed_command+=('--follow-symlinks')
- fi
-
- # Test that the cce arg is not empty or does not equal @CCENUM@.
- # If @CCENUM@ exists, it means that there is no CCE assigned.
- if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then
- cce="${cce}"
- else
- cce="CCE"
- fi
-
- # Strip any search characters in the key arg so that the key can be replaced without
- # adding any search characters to the config file.
- stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key")
-
- # shellcheck disable=SC2059
- printf -v formatted_output "$format" "$stripped_key" "$value"
-
- # If the key exists, change it. Otherwise, add it to the config_file.
- # We search for the key string followed by a word boundary (matched by \>),
- # so if we search for 'setting', 'setting2' won't match.
- if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then
- "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file"
- else
- # \n is precaution for case where file ends without trailing newline
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file"
- printf '%s\n' "$formatted_output" >> "$config_file"
- fi
-}
-replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok 'CCE-80654-7' '%s = %s'
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit.sh
deleted file mode 100755
index d7913195c80..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit.sh
+++ /dev/null
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_lcredit="-1" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit 'CCE-80655-4' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat.sh deleted file mode 100755 index aa1efc1002a..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_maxclassrepeat="4" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a 
symbolic link. If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' $var_password_pam_maxclassrepeat 'CCE-81034-1' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat.sh deleted file mode 100755 index 970e780f2a0..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_maxrepeat="3" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat 'CCE-82066-2' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass.sh deleted file mode 100755 index 80113e1bc09..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_minclass="4" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^minclass' $var_password_pam_minclass 'CCE-82046-4' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen.sh deleted file mode 100755 index 10fd7a99b5b..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_minlen="15" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen 'CCE-80656-2' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit.sh deleted file mode 100755 index 36e295f5539..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_ocredit="-1" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit 'CCE-80663-8' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth.sh deleted file mode 100755 index 4587873627d..00000000000 
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-
-var_password_pam_remember="5"
-
-var_password_pam_remember_control_flag="required"
-
-
-
-pamFile="/etc/pam.d/password-auth"
-# control required is for rhel8, while requisite is for other distros
-CONTROL=${var_password_pam_remember_control_flag}
-
-if [ ! -f $pamFile ]; then
- continue
-fi
-
-# is 'password required|requisite pam_pwhistory.so' here?
-if grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
- # is the remember option set?
- option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
- if [[ -z $option ]]; then
- # option is not set, append to module
- sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/"
- else
- # option is set, replace value
- sed -r -i --follow-symlinks "s/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\1remember=$var_password_pam_remember\3/" $pamFile
- fi
- # ensure corect control is being used per os requirement
- if ! grep -q "^password.*$CONTROL.*pam_pwhistory.so.*" $pamFile; then
- #replace incorrect value
- sed -r -i --follow-symlinks "s/(^password.*)(required|requisite)(.*pam_pwhistory\.so.*)$/\1$CONTROL\3/" $pamFile
- fi
-else
- # no 'password required|requisite pam_pwhistory.so', add it
- sed -i --follow-symlinks "/^password.*pam_unix.so.*/i password $CONTROL pam_pwhistory.so use_authtok remember=$var_password_pam_remember" $pamFile
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth.sh
deleted file mode 100755
index 399cc9bf4b9..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth'")
-
-# Remediation is applicable only in certain platforms
-if rpm --quiet -q pam; then
-
-
-var_password_pam_remember="5"
-
-var_password_pam_remember_control_flag="required"
-
-
-
-pamFile="/etc/pam.d/system-auth"
-# control required is for rhel8, while requisite is for other distros
-CONTROL=${var_password_pam_remember_control_flag}
-
-if [ ! -f $pamFile ]; then
- continue
-fi
-
-# is 'password required|requisite pam_pwhistory.so' here?
-if grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
- # is the remember option set?
- option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
- if [[ -z $option ]]; then
- # option is not set, append to module
- sed -i --follow-symlinks "/pam_pwhistory.so/ s/$/ remember=$var_password_pam_remember/"
- else
- # option is set, replace value
- sed -r -i --follow-symlinks "s/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\1remember=$var_password_pam_remember\3/" $pamFile
- fi
- # ensure corect control is being used per os requirement
- if ! grep -q "^password.*$CONTROL.*pam_pwhistory.so.*" $pamFile; then
- #replace incorrect value
- sed -r -i --follow-symlinks "s/(^password.*)(required|requisite)(.*pam_pwhistory\.so.*)$/\1$CONTROL\3/" $pamFile
- fi
-else
- # no 'password required|requisite pam_pwhistory.so', add it
- sed -i --follow-symlinks "/^password.*pam_unix.so.*/i password $CONTROL pam_pwhistory.so use_authtok remember=$var_password_pam_remember" $pamFile
-fi
-
-else
- >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit.sh
deleted file mode 100755
index 3b81606b8b4..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit.sh
+++ /dev/null
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - - -var_password_pam_ucredit="-1" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit 'CCE-80665-3' '%s = %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember.sh deleted file mode 100755 index 28686ba4d22..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember.sh +++ /dev/null 
@@ -1,18 +0,0 @@
-#!/bin/sh
-set -e
-
-(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember'")
-
-var_password_pam_unix_remember="5"
-
-AUTH_FILES[0]="/etc/pam.d/system-auth"
-AUTH_FILES[1]="/etc/pam.d/password-auth"
-
-for pamFile in "${AUTH_FILES[@]}"
-do
- if grep -q "remember=" $pamFile; then
- sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
- else
- sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
- fi
-done
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock.sh
deleted file mode 100755
index 914fff33156..00000000000
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock.sh
+++ /dev/null
@@ -1,25 +0,0 @@ -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -for pam_file in "${AUTH_FILES[@]}" -do - # is auth required pam_faillock.so preauth present? - if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" - fi - - # is auth default pam_faillock.so authfail present? - if ! grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_faillock.so authfail' "$pam_file" - fi - - if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then - sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" - fi -done - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny.sh deleted file mode 100755 index 64b35a0da96..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny.sh +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_deny='3' - - -if [ -f /usr/sbin/authconfig ]; then - authconfig --enablefaillock --update -elif [ -f /usr/bin/authselect ]; then - if authselect check; then - authselect enable-feature with-faillock - authselect apply-changes - else - echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because the authselect profile is not intact. -It is not recommended to manually edit the PAM files when authselect is available -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - false - fi -fi - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - if $(grep -q '^\s*deny\s*=' $FAILLOCK_CONF); then - sed -i --follow-symlinks "s/^\s*\(deny\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_deny/g" $FAILLOCK_CONF - else - echo "deny = $var_accounts_passwords_pam_faillock_deny" >> $FAILLOCK_CONF - fi -else - AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -for pam_file in "${AUTH_FILES[@]}" -do - # is auth required pam_faillock.so preauth present? - if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then - # is the option set? - if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"deny"'=([0-9]*).*$' "$pam_file" ; then - # just change the value of option to a correct value - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - # the option is not set. 
- else - # append the option - sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - fi - # auth required pam_faillock.so preauth is not present, insert the whole line - else - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file" - fi - # is auth default pam_faillock.so authfail present? - if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then - # is the option set? - if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"deny"'=([0-9]*).*$' "$pam_file" ; then - # just change the value of option to a correct value - sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"deny"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - # the option is not set. - else - # append the option - sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" - fi - # auth default pam_faillock.so authfail is not present, insert the whole line - else - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file" - fi - if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then - sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" - fi -done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi 
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root.sh deleted file mode 100755 index 374c546fb06..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -if [ -f /usr/sbin/authconfig ]; then - authconfig --enablefaillock --update -elif [ -f /usr/bin/authselect ]; then - if authselect check; then - authselect enable-feature with-faillock - authselect apply-changes - else - echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because the authselect profile is not intact. -It is not recommended to manually edit the PAM files when authselect is available -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - false - fi -fi - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - if [ ! $(grep -q '^\s*even_deny_root' $FAILLOCK_CONF) ]; then - echo "even_deny_root" >> $FAILLOCK_CONF - fi -else - SYSTEM_AUTH="/etc/pam.d/system-auth" - PASSWORD_AUTH="/etc/pam.d/password-auth" - for file in $SYSTEM_AUTH $PASSWORD_AUTH; do - if ! grep -q "^auth.*pam_faillock.so \(preauth silent\|authfail\).*even_deny_root" $file; then - sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\).*\)$/\1 even_deny_root/g' $file - fi - done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi 
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval.sh deleted file mode 100755 index 12eeb916ca9..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval.sh +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_fail_interval='900' - - -if [ -f /usr/sbin/authconfig ]; then - authconfig --enablefaillock --update -elif [ -f /usr/bin/authselect ]; then - if authselect check; then - authselect enable-feature with-faillock - authselect apply-changes - else - echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because the authselect profile is not intact. -It is not recommended to manually edit the PAM files when authselect is available -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - false - fi -fi - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - if $(grep -q '^\s*fail_interval\s*=' $FAILLOCK_CONF); then - sed -i --follow-symlinks "s/^\s*\(fail_interval\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_fail_interval/g" $FAILLOCK_CONF - else - echo "fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" >> $FAILLOCK_CONF - fi -else - AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -for pam_file in "${AUTH_FILES[@]}" -do - # is auth required pam_faillock.so preauth present? - if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then - # is the option set? - if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"fail_interval"'=([0-9]*).*$' "$pam_file" ; then - # just change the value of option to a correct value - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"fail_interval"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - # the option is not set. 
- else - # append the option - sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - fi - # auth required pam_faillock.so preauth is not present, insert the whole line - else - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file" - fi - # is auth default pam_faillock.so authfail present? - if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then - # is the option set? - if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"fail_interval"'=([0-9]*).*$' "$pam_file" ; then - # just change the value of option to a correct value - sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"fail_interval"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - # the option is not set. - else - # append the option - sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" - fi - # auth default pam_faillock.so authfail is not present, insert the whole line - else - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file" - fi - if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then - sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" - fi -done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi 
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time.sh deleted file mode 100755 index e373b26c49d..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time.sh +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -var_accounts_passwords_pam_faillock_unlock_time='0' - - -if [ -f /usr/sbin/authconfig ]; then - authconfig --enablefaillock --update -elif [ -f /usr/bin/authselect ]; then - if authselect check; then - authselect enable-feature with-faillock - authselect apply-changes - else - echo " -authselect integrity check failed. Remediation aborted! -This remediation could not be applied because the authselect profile is not intact. -It is not recommended to manually edit the PAM files when authselect is available -In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." - false - fi -fi - -FAILLOCK_CONF="/etc/security/faillock.conf" -if [ -f $FAILLOCK_CONF ]; then - if $(grep -q '^\s*unlock_time\s*=' $FAILLOCK_CONF); then - sed -i --follow-symlinks "s/^\s*\(unlock_time\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_unlock_time/g" $FAILLOCK_CONF - else - echo "unlock_time = $var_accounts_passwords_pam_faillock_unlock_time" >> $FAILLOCK_CONF - fi -else - AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") - -for pam_file in "${AUTH_FILES[@]}" -do - # is auth required pam_faillock.so preauth present? - if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then - # is the option set? - if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then - # just change the value of option to a correct value - sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"unlock_time"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - # the option is not set. 
- else - # append the option - sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - fi - # auth required pam_faillock.so preauth is not present, insert the whole line - else - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file" - fi - # is auth default pam_faillock.so authfail present? - if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then - # is the option set? - if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then - # just change the value of option to a correct value - sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"unlock_time"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - # the option is not set. - else - # append the option - sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" - fi - # auth default pam_faillock.so authfail is not present, insert the whole line - else - sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file" - fi - if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then - sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" - fi -done -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi 
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh deleted file mode 100755 index c1ed6b04660..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'") - - -var_accounts_user_umask="077" - - - -grep -q umask /etc/bashrc && \ - sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/bashrc -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc.sh deleted file mode 100755 index 3c5083cf84b..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc'") - -var_accounts_user_umask='077' - -grep -q umask /etc/csh.cshrc && \ - sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc -fi diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs.sh deleted file mode 100755 index ea460bd249f..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q shadow-utils; then - - -var_accounts_user_umask="077" -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic 
link. If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" 'CCE-82888-9' '%s %s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile.sh deleted file mode 100755 index 2b0f4e8c501..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'") - -var_accounts_user_umask='077' - -grep -q umask /etc/profile && \ - sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile -if ! [ $? -eq 0 ]; then - echo "umask $var_accounts_user_umask" >> /etc/profile -fi diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_banner_etc_issue.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_banner_etc_issue.sh deleted file mode 100755 index cac66fc1767..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_banner_etc_issue.sh +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_banner_etc_issue'") - -login_banner_text="(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]
+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)" - -# There was a regular-expression matching various banners, needs to be expanded -expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') -formatted=$(echo "$expanded" | fold -sw 80) - -cat </etc/issue -$formatted -EOF - -printf "\n" >> /etc/issue diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_crypto_policy.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_crypto_policy.sh deleted file mode 100755 index ffc9df011c8..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_crypto_policy.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'") - - -# include remediation functions library - -var_system_crypto_policy="FIPS" - - - -stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy.sh deleted file mode 100755 index ae51972a936..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'") - -rm -f /etc/krb5.conf.d/crypto-policies -ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy.sh deleted file mode 100755 index 4836e373bae..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy'") - -OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' -OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' -OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' -OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' - -function remediate_openssl_crypto_policy() { - CONFIG_FILE="/etc/pki/tls/openssl.cnf" - if test -f "$CONFIG_FILE"; then - if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then - printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE" - return 0 - elif ! grep -q "$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then - sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE" - return 0 - fi - else - echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2 - return 1 - fi -} - -remediate_openssl_crypto_policy diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend.sh deleted file mode 100755 index e5359044ac7..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend.sh +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'") - -if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then - - LC_ALL=C sed -i "/^\s*AuditBackend=/d" "/etc/usbguard/usbguard-daemon.conf" -else - touch "/etc/usbguard/usbguard-daemon.conf" -fi -cp "/etc/usbguard/usbguard-daemon.conf" "/etc/usbguard/usbguard-daemon.conf.bak" -# Insert at the end of the file -printf '%s\n' "AuditBackend=LinuxAudit" >> "/etc/usbguard/usbguard-daemon.conf" -# Clean up after ourselves. -rm "/etc/usbguard/usbguard-daemon.conf.bak" - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_coredump_disable_backtraces.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_coredump_disable_backtraces.sh deleted file mode 100755 index 87e5bdc325b..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_coredump_disable_backtraces.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces'") - -if [ -e "/etc/systemd/coredump.conf" ] ; then - - LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf" -else - touch "/etc/systemd/coredump.conf" -fi -cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" -# Insert at the end of the file -printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf" -# Clean up after ourselves. -rm "/etc/systemd/coredump.conf.bak" - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_coredump_disable_storage.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_coredump_disable_storage.sh deleted file mode 100755 index f0af8c7d1dd..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_coredump_disable_storage.sh +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_coredump_disable_storage'") - -if [ -e "/etc/systemd/coredump.conf" ] ; then - - LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf" -else - touch "/etc/systemd/coredump.conf" -fi -cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" -# Insert at the end of the file -printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf" -# Clean up after ourselves. -rm "/etc/systemd/coredump.conf.bak" - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh deleted file mode 100755 index 63c48fb3623..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction.sh +++ /dev/null 
@@ -1,91 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q systemd; then - -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' 'CCE-80784-2' '%s=%s' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh deleted file mode 100755 index a5d2240323e..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_disable_users_coredumps.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_disable_users_coredumps'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -SECURITY_LIMITS_FILE="/etc/security/limits.conf" - -if grep -qE '\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then - sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILE -else - echo "* hard core 0" >> $SECURITY_LIMITS_FILE -fi - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_display_login_attempts.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_display_login_attempts.sh deleted file mode 100755 index cb7a7652c5a..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_display_login_attempts.sh +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_display_login_attempts'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q pam; then - -function ensure_pam_module_options { - if [ $# -lt 7 ] || [ $# -gt 8 ] ; then - echo "$0 requires seven or eight arguments" >&2 - exit 1 - fi - local _pamFile="$1" _type="$2" _control="$3" _module="$4" _option="$5" _valueRegex="$6" _defaultValue="$7" - local _remove_argument="" - if [ $# -eq 8 ] ; then - _remove_argument="$8" - # convert it to lowercase - _remove_argument=${_remove_argument,,} - fi - - # make sure that we have a line like this in ${_pamFile} (additional options are left as-is): - # ${_type} ${_control} ${_module} ${_option}=${_valueRegex} - - if ! [ -e "$_pamFile" ] ; then - echo "$_pamFile doesn't exist" >&2 - exit 1 - fi - - # if remove argument only - if [ "${_remove_argument}" = "yes" -o "${_remove_argument}" = "true" ] ; then - sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+\\S+\\s+${_module}(\\s.+)?)\\s${_option}(=\\S+)?/\\1/" "${_pamFile}" - exit 0 - fi - - # non-empty values need to be preceded by an equals sign - [ -n "${_valueRegex}" ] && _valueRegex="=${_valueRegex}" - # add an equals sign to non-empty values - [ -n "${_defaultValue}" ] && _defaultValue="=${_defaultValue}" - - # fix 'type' if it's wrong - if grep -q -P "^\\s*(?"'!'"${_type}\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+${_module}" < "${_pamFile}" ; then - sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+${_module})/\\1${_type}\\2/" "${_pamFile}" - fi - - # fix 'control' if it's wrong - if grep -q -P "^\\s*${_type}\\s+(?"'!'"${_control})[[:alnum:]]+\\s+${_module}" < "${_pamFile}" ; then - sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+)[[:alnum:]]+(\\s+${_module})/\\1${_control}\\2/" "${_pamFile}" - fi - - # fix the value for 'option' if one exists but does not match '_valueRegex' - if grep -q -P 
"^\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s+${_option}(?"'!'"${_valueRegex}(\\s|\$))" < "${_pamFile}" ; then - sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s)${_option}=[^[:space:]]*/\\1${_option}${_defaultValue}/" "${_pamFile}" - - # add 'option=default' if option is not set - elif grep -q -E "^\\s*${_type}\\s+${_control}\\s+${_module}" < "${_pamFile}" && - grep -E "^\\s*${_type}\\s+${_control}\\s+${_module}" < "${_pamFile}" | grep -q -E -v "\\s${_option}(=|\\s|\$)" ; then - - sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+${_control}\\s+${_module}[^\\n]*)/\\1 ${_option}${_defaultValue}/" "${_pamFile}" - # add a new entry if none exists - elif ! grep -q -P "^\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s+${_option}${_valueRegex}(\\s|\$)" < "${_pamFile}" ; then - echo "${_type} ${_control} ${_module} ${_option}${_defaultValue}" >> "${_pamFile}" - fi -} -ensure_pam_module_options '/etc/pam.d/postlogin' 'session' 'required' 'pam_lastlog.so' 'showfailed' "" "" - -# remove 'silent' option -sed -i --follow-symlinks -E -e 's/^([^#]+pam_lastlog\.so[^#]*)\ssilent/\1/' '/etc/pam.d/postlogin' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages.sh deleted file mode 100755 index 83cae433b4e..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages.sh +++ /dev/null 
@@ -1,91 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'") - -# Remediation is applicable only in certain platforms -if rpm --quiet -q yum; then - -# Function to replace configuration setting in config file or add the configuration setting if -# it does not exist. -# -# Expects arguments: -# -# config_file: Configuration file that will be modified -# key: Configuration option to change -# value: Value of the configuration option to change -# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists -# format: The printf-like format string that will be given stripped key and value as arguments, -# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) -# -# Optional arugments: -# -# format: Optional argument to specify the format of how key/value should be -# modified/appended in the configuration file. The default is key = value. -# -# Example Call(s): -# -# With default format of 'key = value': -# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' -# -# With custom key/value format: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' -# -# With a variable: -# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -# -function replace_or_append { - local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' - local config_file=$1 - local key=$2 - local value=$3 - local cce=$4 - local format=$5 - - if [ "$case_insensitive_mode" = yes ]; then - sed_case_insensitive_option="i" - grep_case_insensitive_option="-i" - fi - [ -n "$format" ] || format="$default_format" - # Check sanity of the input - [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } - - # Test if the config_file is a symbolic link. 
If so, use --follow-symlinks with sed. - # Otherwise, regular sed command will do. - sed_command=('sed' '-i') - if test -L "$config_file"; then - sed_command+=('--follow-symlinks') - fi - - # Test that the cce arg is not empty or does not equal @CCENUM@. - # If @CCENUM@ exists, it means that there is no CCE assigned. - if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then - cce="${cce}" - else - cce="CCE" - fi - - # Strip any search characters in the key arg so that the key can be replaced without - # adding any search characters to the config file. - stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") - - # shellcheck disable=SC2059 - printf -v formatted_output "$format" "$stripped_key" "$value" - - # If the key exists, change it. Otherwise, add it to the config_file. - # We search for the key string followed by a word boundary (matched by \>), - # so if we search for 'setting', 'setting2' won't match. - if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then - "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" - else - # \n is precaution for case where file ends without trailing newline - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" - printf '%s\n' "$formatted_output" >> "$config_file" - fi -} -replace_or_append '/etc/yum.conf' '^localpkg_gpgcheck' '1' 'CCE-80791-7' - -else - >&2 echo 'Remediation is not applicable, nothing was done' -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages.sh deleted file mode 100755 index 987dd0e7063..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages'") - - - -chgrp 0 /var/log/messages - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs.sh deleted file mode 100755 index 6542b2e74a2..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs'") - - -for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -do - find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \; -done - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_owner_var_log_messages.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_owner_var_log_messages.sh deleted file mode 100755 index e579359e520..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_file_owner_var_log_messages.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages'") - - - -chown 0 /var/log/messages - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled.sh deleted file mode 100755 index ac7a70a4c12..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled.sh +++ /dev/null 
@@ -1,3 +0,0 @@ -touch /etc/modprobe.d/blacklist.conf -echo "install atm /bin/true" >> /etc/modprobe.d/blacklist.conf -echo "blacklist atm" >> /etc/modprobe.d/blacklist.conf diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_can_disabled.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_can_disabled.sh deleted file mode 100755 index 71b0848f11c..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_can_disabled.sh +++ /dev/null @@ -1,2 +0,0 @@ -echo "install can /bin/true" >> /etc/modprobe.d/blacklist.conf -echo "blacklist can" >> /etc/modprobe.d/blacklist.conf diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled.sh deleted file mode 100755 index 49745c5a50d..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled.sh +++ /dev/null @@ -1,2 +0,0 @@ -echo "install cramfs /bin/true" >> /etc/modprobe.d/blacklist.conf -echo "blacklist cramfs" >> /etc/modprobe.d/blacklist.conf diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled.sh deleted file mode 100755 index 7347678924b..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled.sh +++ /dev/null @@ -1,2 +0,0 @@ -echo "install firewire-core /bin/true" >> /etc/modprobe.d/blacklist.conf -echo "blacklist firewire-core" >> /etc/modprobe.d/blacklist.conf 
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled.sh deleted file mode 100755 index 14e72551b88..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled.sh +++ /dev/null @@ -1,2 +0,0 @@ -echo "install sctp /bin/true" >> /etc/modprobe.d/blacklist.conf -echo "blacklist sctp" >> /etc/modprobe.d/blacklist.conf diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled.sh deleted file mode 100755 index e5bac79988a..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled.sh +++ /dev/null @@ -1,2 +0,0 @@ -echo "install tipc /bin/true" >> /etc/modprobe.d/blacklist.conf -echo "blacklist tipc" >> /etc/modprobe.d/blacklist.conf diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_no_empty_passwords.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_no_empty_passwords.sh deleted file mode 100755 index 37bbac9c375..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_no_empty_passwords.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_no_empty_passwords'") -sed --follow-symlinks -i 's/\//g' /etc/pam.d/system-auth -sed --follow-symlinks -i 's/\//g' /etc/pam.d/password-auth diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy.sh deleted file mode 100755 index 7122b9855f4..00000000000 
--- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy'") - -cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' -# provide a default -rand /dev/random option to openssl commands that -# support it - -# written inefficiently for maximum shell compatibility -openssl() -( - openssl_bin=/usr/bin/openssl - - case "$*" in - # if user specified -rand, honor it - *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; - esac - - cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` - for i in `$openssl_bin list -commands`; do - if $openssl_bin list -options "$i" | grep -q '^rand '; then - cmds=" $i $cmds" - fi - done - - case "$cmds" in - *\ "$1"\ *) - cmd="$1"; shift - exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; - esac - - exec $openssl_bin "$@" -) -EOM diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_crypto-policies_installed.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_crypto-policies_installed.sh deleted file mode 100755 index ed77897d4ff..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_crypto-policies_installed.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed'") - -if ! rpm -q --quiet "crypto-policies" ; then - dnf install -y "crypto-policies" -fi diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_iptables_installed.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_iptables_installed.sh deleted file mode 100755 index 8ac78de0f9e..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_iptables_installed.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_package_iptables_installed'") - -if ! rpm -q --quiet "iptables" ; then - dnf install -y "iptables" -fi diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_rng-tools_installed.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_rng-tools_installed.sh deleted file mode 100755 index e3e6e90c173..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_rng-tools_installed.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_package_rng-tools_installed'") - - -if ! rpm -q --quiet "rng-tools" ; then - yum install -y "rng-tools" -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_sudo_installed.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_sudo_installed.sh deleted file mode 100755 index 6b216782441..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_sudo_installed.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_package_sudo_installed'") - -if ! rpm -q --quiet "sudo" ; then - dnf install -y "sudo" -fi diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_usbguard_installed.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_usbguard_installed.sh deleted file mode 100755 index dcc8b170c93..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_package_usbguard_installed.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'") - - -if ! rpm -q --quiet "usbguard" ; then - yum install -y "usbguard" -fi - 
diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_sudo_require_reauthentication.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_sudo_require_reauthentication.sh deleted file mode 100755 index 07c1fd8950a..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_sudo_require_reauthentication.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'") - - - -var_sudo_timestamp_timeout="0" - - - -if /usr/sbin/visudo -qcf /etc/sudoers; then - cp /etc/sudoers /etc/sudoers.bak - if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then - # sudoers file doesn't define Option timestamp_timeout - echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers - else - # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set - if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then - - sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers - fi - fi - - # Check validity of sudoers and cleanup bak - if /usr/sbin/visudo -qcf /etc/sudoers; then - rm -f /etc/sudoers.bak - else - echo "Fail to validate remediated /etc/sudoers, reverting to original file." - mv /etc/sudoers.bak /etc/sudoers - false - fi -else - echo "Skipping remediation, /etc/sudoers failed to validate" - false -fi - diff --git a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_sudoers_validate_passwd.sh b/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_sudoers_validate_passwd.sh deleted file mode 100755 index 721dbd4c157..00000000000 --- a/docker/images/parabol-ubi/security/xccdf_org.ssgproject.content_rule_sudoers_validate_passwd.sh +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/sh -set -e - -(>&2 echo "Remediating: 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd'") - - -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" -if [ -e "/etc/sudoers" ] ; then - - LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers" -else - touch "/etc/sudoers" -fi -cp "/etc/sudoers" "/etc/sudoers.bak" -# Insert at the end of the file -printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers" -# Clean up after ourselves. -rm "/etc/sudoers.bak" -