Merge pull request ComplianceAsCode#11561 from vojtapolasek/fix_bashr…

…c_exec_tmux put exec back to configure_bashrc_exec_tmux
VCTLabs · Feb 8, 2024 · 85d5c88 · 85d5c88
2 parents 17ea373 + ee739c5
commit 85d5c88
Show file tree

Hide file tree

Showing 10 changed files with 18 additions and 17 deletions.
diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
@@ -2567,7 +2567,7 @@ controls:
             - medium
         title: RHEL 9 must ensure session control is automatically started at shell initialization.
         rules:
-            - configure_bashrc_exec_tmux
+            - configure_bashrc_tmux
         status: automated
 
     -   id: RHEL-09-412020

diff --git a/...sical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml b/...sical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml
@@ -8,14 +8,14 @@
   ansible.builtin.find:
     paths: '/etc'
     patterns: 'bashrc'
-    contains: '.*case "$name" in sshd|login\) tmux ;; esac.*'
+    contains: '.*case "$name" in sshd|login\) exec tmux ;; esac.*'
   register: tmux_in_bashrc
 
 - name: "{{{ rule_title }}}: Determine If the Tmux Launch Script Is Present in /etc/profile.d/*.sh"
   ansible.builtin.find:
     paths: '/etc/profile.d'
     patterns: '*.sh'
-    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
+    contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
   register: tmux_in_profile_d
 
 - name: "{{{ rule_title }}}: Insert the Correct Script into /etc/profile.d/tmux.sh"
@@ -25,7 +25,7 @@
       if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) tmux ;; esac
+        case "$name" in sshd|login) exec tmux ;; esac
       fi
     create: true
   when:

diff --git a/...-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh b/...-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh
@@ -4,12 +4,12 @@
 # complexity = low
 # disruption = low
 
-if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then
+if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
     cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) tmux ;; esac
+  case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
     chmod 0644 /etc/profile.d/tmux.sh

diff --git a/...physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/...physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
@@ -1,7 +1,7 @@
 <def-group>
   <definition class="compliance" id="configure_bashrc_exec_tmux" version="1">
     {{{ oval_metadata("Check if tmux is configured to exec at the end of bashrc.") }}}
-    <criteria comment="Check tmux configured at the end of bashrc" operator="AND">
+    <criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
       <criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
         test_ref="test_configure_bashrc_exec_tmux" />
     </criteria>
@@ -14,7 +14,7 @@
   <ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
     <ind:behaviors singleline="true" multiline="false" />
     <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
-    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) tmux ;; esac\nfi</ind:pattern>
+    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/...counts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/...counts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -26,7 +26,7 @@ references:
     disa: CCI-000056,CCI-000058
     ospp: FMT_SMF_EXT.1,FMT_MOF_EXT.1,FTA_SSL.1
     srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
-    stigid@rhel9: RHEL-09-412015
+
 
 platform: package[tmux]
 
@@ -39,7 +39,7 @@ ocil: |-
 
     <pre>$ sudo grep tmux /etc/bashrc /etc/profile.d/*
 
-    /etc/profile.d/tmux.sh:  case "$name" in (sshd|login) tmux ;; esac</pre>
+    /etc/profile.d/tmux.sh:  case "$name" in (sshd|login) exec tmux ;; esac</pre>
 
     Review the tmux script by using the following example:
 
@@ -48,7 +48,7 @@ ocil: |-
     if [ "$PS1" ]; then
     parent=$(ps -o ppid= -p $$)
     name=$(ps -o comm= -p $parent)
-    case "$name" in (sshd|login) tmux ;; esac
+    case "$name" in (sshd|login) exec tmux ;; esac
     fi</pre>
 
     If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.
@@ -63,7 +63,7 @@ fixtext: |-
     if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) tmux ;; esac
+        case "$name" in sshd|login) exec tmux ;; esac
     fi
 
     Then, ensure a correct mode of /etc/profile.d/tmux.sh using this command:

diff --git a/...een_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/...een_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -5,7 +5,7 @@ cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) tmux ;; esac
+  case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
 
diff --git a/...console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/...console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -6,7 +6,7 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) tmux ;; esac
+  case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
 
diff --git a/...le_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/...le_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
@@ -5,15 +5,15 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) tmux ;; esac
+  case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
 
 cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) tmux ;; esac
+  case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
 
diff --git a/...ts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml b/...ts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml
@@ -20,13 +20,15 @@ severity: medium
 
 identifiers:
     cce@rhel8: CCE-90782-4
+    cce@rhel9: CCE-86073-4
 
 
 references:
     disa: CCI-000056,CCI-000058
     srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
     stigid@ol8: OL08-00-020041
     stigid@rhel8: RHEL-08-020041
+    stigid@rhel9: RHEL-09-412015
 
 platform: package[tmux]
 

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86073-4
 CCE-86074-2
 CCE-86076-7
 CCE-86078-3