mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Merge pull request #12206 from Security-Onion-Solutions/reyesj2-patch-sl
Remove need for stig script
This commit is contained in:
Jorge Reyes
GitHub
@@ -13,6 +13,9 @@
|
||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
|
||||
{% if 'stig' in salt['pillar.get']('features', []) %}
|
||||
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
|
||||
{% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
|
||||
{% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
|
||||
oscap_packages:
|
||||
pkg.installed:
|
||||
- skip_suggestions: True
|
||||
@@ -43,26 +46,45 @@ update_stig_profile:
|
||||
- group: socore
|
||||
- mode: 0644
|
||||
|
||||
update_remediation_script:
|
||||
file.managed:
|
||||
- name: /usr/sbin/so-stig
|
||||
- source: salt://stig/files/so-stig
|
||||
- user: socore
|
||||
- group: socore
|
||||
- mode: 0755
|
||||
- template: jinja
|
||||
{% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
|
||||
run_initial_scan:
|
||||
module.run:
|
||||
- name: openscap.xccdf
|
||||
- params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
|
||||
{% endif %}
|
||||
|
||||
remove_old_stig_log:
|
||||
file.absent:
|
||||
- name: /opt/so/log/stig/stig-remediate.log
|
||||
run_remediate:
|
||||
module.run:
|
||||
- name: openscap.xccdf
|
||||
- params: 'eval --remediate --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_PROFILE_LOCATION }}'
|
||||
|
||||
run_remediation_script:
|
||||
cmd.run:
|
||||
- name: so-stig > /opt/so/log/stig/stig-remediate.log
|
||||
- hide_output: True
|
||||
- success_retcodes:
|
||||
- 0
|
||||
- 2
|
||||
{# OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction #}
|
||||
disable_ctrl_alt_del_action:
|
||||
file.replace:
|
||||
- name: /etc/systemd/system.conf
|
||||
- pattern: '^#CtrlAltDelBurstAction=none'
|
||||
- repl: 'CtrlAltDelBurstAction=none'
|
||||
- backup: '.bak'
|
||||
|
||||
{# OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords #}
|
||||
remove_nullok_from_password_auth:
|
||||
file.replace:
|
||||
- name: /etc/pam.d/password-auth
|
||||
- pattern: ' nullok'
|
||||
- repl: ''
|
||||
- backup: '.bak'
|
||||
|
||||
remove_nullok_from_system_auth_auth:
|
||||
file.replace:
|
||||
- name: /etc/pam.d/system-auth
|
||||
- pattern: ' nullok'
|
||||
- repl: ''
|
||||
- backup: '.bak'
|
||||
|
||||
run_post_scan:
|
||||
module.run:
|
||||
- name: openscap.xccdf
|
||||
- params: 'eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/post-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/post-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}'
|
||||
|
||||
{% else %}
|
||||
{{sls}}_no_license_detected:
|
||||
|
||||
@@ -1,77 +0,0 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
||||
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||
# Elastic License 2.0.
|
||||
#
|
||||
# Note: Per the Elastic License 2.0, the second limitation states:
|
||||
#
|
||||
# "You may not move, change, disable, or circumvent the license key functionality
|
||||
# in the software, and you may not remove or obscure any functionality in the
|
||||
# software that is protected by the license key."
|
||||
|
||||
stig_conf=/opt/so/conf/stig
|
||||
stig_log=/opt/so/log/stig
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
logCmd() {
|
||||
cmd=$1
|
||||
echo "Executing command: $cmd"
|
||||
$cmd
|
||||
}
|
||||
|
||||
apply_stigs(){
|
||||
if [ ! -f $stig_log/pre-oscap-report.html ]; then
|
||||
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
|
||||
fi
|
||||
|
||||
echo -e "\nRunning custom OSCAP profile to remediate applicable STIGs\n"
|
||||
logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
|
||||
|
||||
# Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
|
||||
if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then
|
||||
sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf
|
||||
logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf"
|
||||
fi
|
||||
|
||||
# Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
|
||||
if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then
|
||||
echo "ctrl-alt-del.target is already masked"
|
||||
else
|
||||
echo "Redirecting ctrl-alt-del.target symlink to /dev/null"
|
||||
logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target"
|
||||
fi
|
||||
|
||||
# Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords
|
||||
sed -i 's/ nullok//g' /etc/pam.d/password-auth
|
||||
sed -i 's/ nullok//g' /etc/pam.d/system-auth
|
||||
|
||||
# Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
|
||||
if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then
|
||||
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
|
||||
logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config"
|
||||
else
|
||||
logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config"
|
||||
fi
|
||||
|
||||
# Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377
|
||||
if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then
|
||||
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
|
||||
logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config"
|
||||
else
|
||||
logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config"
|
||||
fi
|
||||
|
||||
|
||||
echo "Running OSCAP scan to verify application of STIGs"
|
||||
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml > /dev/null 2>&1
|
||||
}
|
||||
|
||||
if is_feature_enabled "stig" >/dev/null 2>&1; then
|
||||
echo -e "---------------------\nApplying STIGs\n---------------------"
|
||||
apply_stigs
|
||||
else
|
||||
echo "The application of STIGs is a feature supported only for customers with a valid license. Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com for more information about purchasing a license to enable this feature."
|
||||
fi
|
||||
Reference in New Issue
Block a user