content_rule_verify_use_mappers regular expression needs improvement #11871

pfuntner opened this issue Apr 23, 2024 · 0 comments

Description of problem:

We are in the middle of a project to harden an Ubuntu 20 machine according to Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 11 and running oscap 1.2.16 with scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml. We are seeing a failure in xccdf_org.ssgproject.content_rule_verify_use_mappers (UBTU-20-010006) but believe our hardening target satisfies the requirement.

Details:

This content is not aligned with content from Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 11

The misalignment affects these profiles:

  • scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml

The misalignment affects these rules:

  • xccdf_org.ssgproject.content_rule_verify_use_mappers
Report screenshots:


Target state:

/etc/pam_pkcs11/pam_pkcs11.conf is basically a copy from /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example. The use_mappers statement is not changed because pwent is already present but there are other differences between the two files due to another requirement in the STIG.

```
root@ip-172-31-62-56:~# md5sum /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
7ab4ed9bd820ee8123f7d41f4a2beb0b  /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example
ebe9bddea632ce1dcff4ed87cf6f1bdb  /etc/pam_pkcs11/pam_pkcs11.conf
root@ip-172-31-62-56:~# diff /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
84c84
<     cert_policy = ca,signature;
---
>     cert_policy = ca,signature,ocsp_on,crl_auto;
100c100
<     cert_policy = ca,signature;
---
>     cert_policy = ca,signature,ocsp_on,crl_auto;
117c117
<     cert_policy = none;
---
>     cert_policy = ca,signature,ocsp_on,crl_auto;
root@ip-172-31-62-56:~# grep -Pw '^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$' /etc/pam_pkcs11/pam_pkcs11.conf
  use_mappers = digest, cn, pwent, uid, mail, subject, null;
root@ip-172-31-62-56:~#
```

Outcome:

  • This project's content can be improved:
    • Check needs to be improved.
    • Remediation needs to be improved.
  • The external content's check is faulty - the other party needs to be notified, they have work to do.
Discussion:

The report implies that it is doing:

```
grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf
```

Although this is misaligned with the STIG, I don't think oscap is using the above regular expression. From what it looks like, oscap is using:

```
$ grep -A4 id=\"oval:ssg-obj_verify_use_mappers:obj:1 scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml
        <ind:textfilecontent54_object id="oval:ssg-obj_verify_use_mappers:obj:1" version="1">
          <ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
          <ind:pattern operation="pattern match">^[\s]*use_mappers = pwent[\s]*$</ind:pattern>
          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
        </ind:textfilecontent54_object>
$
```

but this is still misaligned with the STIG which states:

Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper.

The STIG does not require that pwent appear first. I believe the actual state of the target satisfies the STIG and the check should pass. A better regular expression might be the one in the grep example from the above Target state section.

Additionally, most key = expression; statements end with a semicolon in pam_pkcs11.conf.example, but the semicolon is not a part of the regular expression. It looks like it might be optional, but there are 93 total key = expression statements in the default and only five of them don't end with a semicolon. The default pwent = value; statement ends with a semicolon.

Suggested change:

When I changed the regular expression to:

```xml
        <ind:textfilecontent54_object id="oval:ssg-obj_verify_use_mappers:obj:1" version="1">
          <ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
          <ind:pattern operation="pattern match">^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$</ind:pattern>
          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
        </ind:textfilecontent54_object>
```

the content_rule_verify_use_mappers check was successful.

SCAP Security Guide Version:

https://github.com/ComplianceAsCode/content/releases/download/v0.1.72/scap-security-guide-0.1.72.zip

External Content's Version:

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R11_STIG.zip
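The following is an added example, not part of the issue or of the ComplianceAsCode project: it runs the shipped OVAL pattern and the pattern proposed above against constructed `use_mappers` lines (the first being the target state quoted in the issue), and goes one step further than either regex by also checking the STIG's ordering requirement that pwent precede the null mapper. The `parse_use_mappers`/`stig_compliant` helpers and the sample lines are assumptions made for this example.

```python
import re

# Pattern from the shipped OVAL object (quoted in the issue) and the pattern
# proposed in the issue. OVAL evaluates these as PCRE; Python's re module
# treats every construct used here the same way.
CURRENT_PATTERN = re.compile(r"^[\s]*use_mappers = pwent[\s]*$")
PROPOSED_PATTERN = re.compile(
    r"^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$")


def parse_use_mappers(line):
    """Return the ordered mapper names from a 'use_mappers = a, b, c;' line,
    or None if the line is not a use_mappers statement (comments included)."""
    m = re.match(r"^\s*use_mappers\s*=\s*(.*?)\s*;?\s*$", line)
    if not m:
        return None
    return [name.strip() for name in m.group(1).split(",") if name.strip()]


def stig_compliant(line):
    """STIG wording: pwent is in the list and, if a null mapper is present,
    pwent comes before it. Position otherwise does not matter."""
    mappers = parse_use_mappers(line)
    if mappers is None or "pwent" not in mappers:
        return False
    if "null" in mappers and mappers.index("pwent") > mappers.index("null"):
        return False
    return True


def evaluate(line):
    """Compare both regexes with the STIG requirement for one config line."""
    return {
        "current": bool(CURRENT_PATTERN.match(line)),
        "proposed": bool(PROPOSED_PATTERN.match(line)),
        "stig": stig_compliant(line),
    }


# Constructed sample lines; the first is the target state quoted in the issue.
SAMPLE_LINES = [
    "  use_mappers = digest, cn, pwent, uid, mail, subject, null;",
    "use_mappers = pwent",                  # only form the current pattern accepts
    "use_mappers = pwent;",                 # same, with the usual trailing semicolon
    "use_mappers = digest, null, pwent;",   # pwent after null: not STIG-compliant
    "use_mappers = digest,pwent;",          # no whitespace before pwent
    "#use_mappers = pwent;",                # commented out
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:62} {evaluate(line)}")
```

Running it shows the two gaps a reviewer would want closed: the proposed pattern accepts pwent placed after null, and its `\s+` before pwent rejects a list written without a space after the comma, which the STIG wording does allow.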
