content_rule_verify_use_mappers regular expression needs improvement
Description of problem:
We are in the middle of a project to harden an Ubuntu 20 machine according to Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 11 and running oscap 1.2.16 with scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml. We are seeing a failure in xccdf_org.ssgproject.content_rule_verify_use_mappers (UBTU-20-010006) but believe our hardening target satisfies the requirement.
Details:
This content is not aligned with content from Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 11
The misalignment affects these profiles:
- scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml
The misalignment affects these rules:
- xccdf_org.ssgproject.content_rule_verify_use_mappers
Target state:
/etc/pam_pkcs11/pam_pkcs11.conf is basically a copy of /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example. The use_mappers statement is not changed because pwent is already present, but there are other differences between the two files due to another requirement in the STIG.
```console
root@ip-172-31-62-56:~# md5sum /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
7ab4ed9bd820ee8123f7d41f4a2beb0b /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example
ebe9bddea632ce1dcff4ed87cf6f1bdb /etc/pam_pkcs11/pam_pkcs11.conf
root@ip-172-31-62-56:~# diff /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
84c84
< cert_policy = ca,signature;
---
> cert_policy = ca,signature,ocsp_on,crl_auto;
100c100
< cert_policy = ca,signature;
---
> cert_policy = ca,signature,ocsp_on,crl_auto;
117c117
< cert_policy = none;
---
> cert_policy = ca,signature,ocsp_on,crl_auto;
root@ip-172-31-62-56:~# grep -Pw '^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$' /etc/pam_pkcs11/pam_pkcs11.conf
use_mappers = digest, cn, pwent, uid, mail, subject, null;
root@ip-172-31-62-56:~#
```
Outcome:
- [ ] This project's content can be improved:
  - [ ] Check needs to be improved.
  - [ ] Remediation needs to be improved.
- [ ] The external content's check is faulty - the other party needs to be notified, they have work to do.
Discussion:
The report implies that it is doing:

```shell
grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf
```
Although this is misaligned with the STIG, I don't think oscap is using the above regular expression. From what it looks like, oscap is using:
```console
$ grep -A4 id=\"oval:ssg-obj_verify_use_mappers:obj:1 scap-security-guide-0.1.72/ssg-ubuntu2004-ds.xml
<ind:textfilecontent54_object id="oval:ssg-obj_verify_use_mappers:obj:1" version="1">
<ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*use_mappers = pwent[\s]*$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
$
```
but this is still misaligned with the STIG, which states:

> Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper.
The STIG does not require that pwent appear first. I believe the actual state of the target satisfies the STIG and the check should pass. A better regular expression might be the one in the grep example from the above Target state section.
Additionally, most `key = expression;` statements end with a semicolon in pam_pkcs11.conf.example, but the semicolon is not part of the regular expression. It looks like it might be optional, but there are 93 `key = expression` statements in the default and only five of them don't end with a semicolon. The default `pwent = value;` statement ends with a semicolon.
Suggested change:
When I changed the regular expression to:

```xml
<ind:textfilecontent54_object id="oval:ssg-obj_verify_use_mappers:obj:1" version="1">
<ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$</ind:pattern>
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
```

the content_rule_verify_use_mappers check was successful.
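To make the behaviour of the shipped pattern and the proposed replacement concrete (the Discussion and Suggested change sections above), here is an added example that is not part of this issue or of the SSG project's content. It evaluates both patterns line by line, the way the `grep` reproduction above does, against constructed sample `use_mappers` lines, and adds a small parser-based check (`parse_use_mappers` / `stig_compliant`, my own helpers, not anything the project ships) that also enforces the STIG wording that pwent must appear before the null mapper, which neither regular expression checks. It also shows that the shipped pattern rejects `use_mappers = pwent;` because of the trailing semicolon, and that the proposed pattern requires whitespace around `=` and so rejects the literal `use_mappers=pwent` spelling used in the STIG text.

```python
import re

# Pattern currently shipped in the OVAL object, as quoted in the issue.
CURRENT_PATTERN = re.compile(r"^[\s]*use_mappers = pwent[\s]*$")

# Pattern proposed in the issue.
PROPOSED_PATTERN = re.compile(
    r"^\s*use_mappers\s+=(\s*\w+\s*,)*\s+pwent(\s*,\s*\w+)*\s*;$"
)

# Constructed sample lines (not taken from any real system).
SAMPLES = {
    "example_default":    "use_mappers = digest, cn, pwent, uid, mail, subject, null;",
    "pwent_only":         "use_mappers = pwent;",
    "pwent_no_semicolon": "use_mappers = pwent",
    "pwent_first":        "use_mappers = pwent, null;",
    "no_space":           "use_mappers=pwent;",          # STIG's literal spelling
    "pwent_after_null":   "use_mappers = cn, null, pwent;",
    "no_pwent":           "use_mappers = digest, cn, uid, null;",
    "commented":          "#use_mappers = pwent;",
}


def matches(pattern, line):
    """True if the compiled pattern matches this single line."""
    return pattern.search(line) is not None


def parse_use_mappers(line):
    """Return the list of mapper names on a use_mappers line, or None if the
    line is not an (uncommented) use_mappers statement. The trailing
    semicolon is optional, and whitespace around '=' is not required."""
    m = re.match(r"^\s*use_mappers\s*=\s*(.*?)\s*;?\s*$", line)
    if m is None:
        return None
    return [tok.strip() for tok in m.group(1).split(",") if tok.strip()]


def stig_compliant(line):
    """Parser-based check of the STIG wording: pwent must be listed and,
    if the null mapper is present, pwent must come before it."""
    mappers = parse_use_mappers(line)
    if mappers is None or "pwent" not in mappers:
        return False
    if "null" in mappers and mappers.index("pwent") > mappers.index("null"):
        return False
    return True


def check_file(lines):
    """Mirror the OVAL 'instance >= 1' semantics: pass if at least one
    line of the file satisfies the check."""
    return any(stig_compliant(line) for line in lines)


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:20} current={matches(CURRENT_PATTERN, line)!s:5} "
              f"proposed={matches(PROPOSED_PATTERN, line)!s:5} "
              f"stig={stig_compliant(line)}")
```

Run stand-alone it prints one row per sample; the `pwent_after_null` row is the one where the proposed pattern passes but the parser-based check fails, which is the gap between "pwent anywhere in the list" and the STIG's "before the null mapper".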
SCAP Security Guide Version:
https://github.com/ComplianceAsCode/content/releases/download/v0.1.72/scap-security-guide-0.1.72.zip
External Content's Version:
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R11_STIG.zip