Merge pull request #12206 from Security-Onion-Solutions/reyesj2-patch-sl
Remove need for stig script
This commit is contained in:
@@ -13,6 +13,9 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
|
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
|
||||||
{% if 'stig' in salt['pillar.get']('features', []) %}
|
{% if 'stig' in salt['pillar.get']('features', []) %}
|
||||||
|
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
|
||||||
|
{% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
|
||||||
|
{% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
|
||||||
oscap_packages:
|
oscap_packages:
|
||||||
pkg.installed:
|
pkg.installed:
|
||||||
- skip_suggestions: True
|
- skip_suggestions: True
|
||||||
@@ -43,26 +46,45 @@ update_stig_profile:
|
|||||||
- group: socore
|
- group: socore
|
||||||
- mode: 0644
|
- mode: 0644
|
||||||
|
|
||||||
update_remediation_script:
|
{% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
|
||||||
file.managed:
|
run_initial_scan:
|
||||||
- name: /usr/sbin/so-stig
|
module.run:
|
||||||
- source: salt://stig/files/so-stig
|
- name: openscap.xccdf
|
||||||
- user: socore
|
- params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
|
||||||
- group: socore
|
{% endif %}
|
||||||
- mode: 0755
|
|
||||||
- template: jinja
|
|
||||||
|
|
||||||
remove_old_stig_log:
|
run_remediate:
|
||||||
file.absent:
|
module.run:
|
||||||
- name: /opt/so/log/stig/stig-remediate.log
|
- name: openscap.xccdf
|
||||||
|
- params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_PROFILE_LOCATION }}'
|
||||||
|
|
||||||
run_remediation_script:
|
{# OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction #}
|
||||||
cmd.run:
|
disable_ctrl_alt_del_action:
|
||||||
- name: so-stig > /opt/so/log/stig/stig-remediate.log
|
file.replace:
|
||||||
- hide_output: True
|
- name: /etc/systemd/system.conf
|
||||||
- success_retcodes:
|
- pattern: '^#CtrlAltDelBurstAction=none'
|
||||||
- 0
|
- repl: 'CtrlAltDelBurstAction=none'
|
||||||
- 2
|
- backup: '.bak'
|
||||||
|
|
||||||
|
{# OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords #}
|
||||||
|
remove_nullok_from_password_auth:
|
||||||
|
file.replace:
|
||||||
|
- name: /etc/pam.d/password-auth
|
||||||
|
- pattern: ' nullok'
|
||||||
|
- repl: ''
|
||||||
|
- backup: '.bak'
|
||||||
|
|
||||||
|
remove_nullok_from_system_auth_auth:
|
||||||
|
file.replace:
|
||||||
|
- name: /etc/pam.d/system-auth
|
||||||
|
- pattern: ' nullok'
|
||||||
|
- repl: ''
|
||||||
|
- backup: '.bak'
|
||||||
|
|
||||||
|
run_post_scan:
|
||||||
|
module.run:
|
||||||
|
- name: openscap.xccdf
|
||||||
|
- params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
|
||||||
|
|
||||||
{% else %}
|
{% else %}
|
||||||
{{sls}}_no_license_detected:
|
{{sls}}_no_license_detected:
|
||||||
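Review bot: The `disable_ctrl_alt_del_action` pattern `'^#CtrlAltDelBurstAction=none'` will not match a stock `/etc/systemd/system.conf`, where the removed script's sed targeted `#CtrlAltDelBurstAction=reboot-force`, so `file.replace` finds nothing and the rule is silently a no-op; use `- pattern: '^#?CtrlAltDelBurstAction=.*'` together with `- append_if_not_found: True` so the setting is enforced whatever the current value. The `run_remediate` params line passes the profile XML as the `--report` target and omits the datastream positional argument (compare `run_initial_scan` and `run_post_scan`), and it writes the same `post-oscap-results.xml` that `run_post_scan` later overwrites; it should read `- params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/remediate-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/remediate-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'`. The deleted so-stig script also masked `ctrl-alt-del.target` and set `PermitEmptyPasswords no` and `PermitUserEnvironment no` in sshd_config, none of which the new states carry over, so unless `sos-oscap.xml` or another state already covers them those remediations are lost with this commit. The `{% else %}` branch that closes the `stig` feature block continues past the end of the hunk.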
|
|||||||
@@ -1,77 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
#
|
|
||||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
||||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
||||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
||||||
# Elastic License 2.0.
|
|
||||||
#
|
|
||||||
# Note: Per the Elastic License 2.0, the second limitation states:
|
|
||||||
#
|
|
||||||
# "You may not move, change, disable, or circumvent the license key functionality
|
|
||||||
# in the software, and you may not remove or obscure any functionality in the
|
|
||||||
# software that is protected by the license key."
|
|
||||||
|
|
||||||
stig_conf=/opt/so/conf/stig
|
|
||||||
stig_log=/opt/so/log/stig
|
|
||||||
|
|
||||||
. /usr/sbin/so-common
|
|
||||||
|
|
||||||
logCmd() {
|
|
||||||
cmd=$1
|
|
||||||
echo "Executing command: $cmd"
|
|
||||||
$cmd
|
|
||||||
}
|
|
||||||
|
|
||||||
apply_stigs(){
|
|
||||||
if [ ! -f $stig_log/pre-oscap-report.html ]; then
|
|
||||||
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo -e "\nRunning custom OSCAP profile to remediate applicable STIGs\n"
|
|
||||||
logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
|
|
||||||
|
|
||||||
# Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
|
|
||||||
if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then
|
|
||||||
sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf
|
|
||||||
logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
|
|
||||||
if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then
|
|
||||||
echo "ctrl-alt-del.target is already masked"
|
|
||||||
else
|
|
||||||
echo "Redirecting ctrl-alt-del.target symlink to /dev/null"
|
|
||||||
logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords
|
|
||||||
sed -i 's/ nullok//g' /etc/pam.d/password-auth
|
|
||||||
sed -i 's/ nullok//g' /etc/pam.d/system-auth
|
|
||||||
|
|
||||||
# Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
|
|
||||||
if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then
|
|
||||||
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
|
|
||||||
logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config"
|
|
||||||
else
|
|
||||||
logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377
|
|
||||||
if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then
|
|
||||||
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
|
|
||||||
logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config"
|
|
||||||
else
|
|
||||||
logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config"
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
echo "Running OSCAP scan to verify application of STIGs"
|
|
||||||
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml > /dev/null 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
if is_feature_enabled "stig" >/dev/null 2>&1; then
|
|
||||||
echo -e "---------------------\nApplying STIGs\n---------------------"
|
|
||||||
apply_stigs
|
|
||||||
else
|
|
||||||
echo "The application of STIGs is a feature supported only for customers with a valid license. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a license to enable this feature."
|
|
||||||
fi
|
|
||||||