Added JRE update and clean prev version controls

Carlos Matos · Carlos Matos · commit 14e4ba2ca8fe · 2020-10-30T12:37:11.000-04:00
diff --git a/jre/guide/java/java_jre_clean_previous_version/ansible/jre.yml b/jre/guide/java/java_jre_clean_previous_version/ansible/jre.yml
@@ -0,0 +1,12 @@
+# platform = Java Runtime Environment
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: "Ensure YUM Removes Previous Package Versions"
+  lineinfile:
+      dest: /etc/yum.conf
+      regexp: ^#?clean_requirements_on_remove
+      line: clean_requirements_on_remove=1
+      insertafter: '\[main\]'
+      create: yes
diff --git a/jre/guide/java/java_jre_clean_previous_version/bash/jre.sh b/jre/guide/java/java_jre_clean_previous_version/bash/jre.sh
@@ -0,0 +1,8 @@
+# platform = Java Runtime Environment
+
+if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then
+        sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf
+else
+        echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf
+        echo "clean_requirements_on_remove=1" >> /etc/yum.conf
+fi
diff --git a/jre/guide/java/java_jre_clean_previous_version/oval/shared.xml b/jre/guide/java/java_jre_clean_previous_version/oval/shared.xml
@@ -0,0 +1,18 @@
+<def-group oval_version="5.10">
+  <definition class="compliance" id="java_jre_clean_previous_version" version="1">
+    {{{ oval_metadata("The clean_requirements_on_remove option should be used to ensure that old
+      versions of software components are removed after updating.") }}}
+    <criteria>
+      <criterion comment="check value of clean_requirements_on_remove in /etc/yum.conf" test_ref="test_yum_java_jre_clean_previous_version" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of clean_requirements_on_remove in /etc/yum.conf" id="test_yum_java_jre_clean_previous_version" version="1">
+    <ind:object object_ref="object_yum_java_jre_clean_previous_version" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_yum_java_jre_clean_previous_version" comment="clean_requirements_on_remove set in /etc/yum.conf" version="1">
+    <ind:filepath>/etc/yum.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*clean_requirements_on_remove\s*=\s*(1|True|yes)\s*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/jre/guide/java/java_jre_clean_previous_version/rule.yml b/jre/guide/java/java_jre_clean_previous_version/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
+
+description: |-
+    <tt>{{{ pkg_manager }}}</tt> should be configured to remove previous versions of Java after
+    new versions have been installed. To configure <tt>{{{ pkg_manager }}}</tt> to remove the
+    previous versions of Java after updating, set the <tt>clean_requirements_on_remove</tt>
+    to <tt>1</tt> in <tt>{{{ pkg_manager_config_file }}}</tt>.
+
+rationale: |-
+    Previous versions of software components that are not removed from the information
+    system after updates have been installed may be exploited by some adversaries.
+
+severity: medium
+
+references:
+    srg: SRG-APP-000454
+    disa: CCI-002617
+    stigid: JRE8-UX-000190
+    nist: SI-2(6)
+
+ocil_clause: 'clean_requirements_on_remove is not enabled or configured correctly'
+
+ocil: |-
+    To verify that <tt>clean_requirements_on_remove</tt> is configured properly, run the
+    following command:
+    <pre>$ grep clean_requirements_on_remove {{{ pkg_manager_config_file }}}</pre>
+    The output should return something similar to:
+    <pre>clean_requirements_on_remove=1</pre>
diff --git a/jre/guide/java/java_jre_updated/ansible/jre.yml b/jre/guide/java/java_jre_updated/ansible/jre.yml
@@ -0,0 +1,12 @@
+# platform = Java Runtime Environment
+# reboot = true
+# strategy = patch
+# complexity = low
+# disruption = high
+- name: "Security patches are up to date"
+  package:
+    name: "*"
+    state: "latest"
+  tags:
+    - skip_ansible_lint # [ANSIBLE0010] Skipping lint because ANSIBLE0010 is a bad security practice
+
diff --git a/jre/guide/java/java_jre_updated/bash/jre.sh b/jre/guide/java/java_jre_updated/bash/jre.sh
@@ -0,0 +1,7 @@
+# platform = Java Runtime Environment
+
+{{% if pkg_manager == "zypper" %}}
+zypper patch -g security -y
+{{% else %}}
+yum -y update
+{{% endif %}}
diff --git a/jre/guide/java/java_jre_updated/rule.yml b/jre/guide/java/java_jre_updated/rule.yml
@@ -8,16 +8,21 @@ description: |-
     <pre>$ sudo yum update</pre>
     If the system is not configured to use one of these sources, updates (in the form of RPM packages)
     can be manually downloaded and installed using <tt>rpm</tt>.
+    <br /><br />
+    NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
+    dictates.
 
 rationale: |-
     Running an older version of the JRE can introduce security
     vulnerabilities to the system.
 
-severity: medium
+severity: low
 
 references:
-    nist: DCBP-1
-    stigid: JRE0090-UX
+    srg: SRG-APP-000456
+    disa: CCI-002605
+    stigid: JRE8-UX-000180
+    nist: SI-2(c)
 
 ocil_clause: 'it is not updated'
 
diff --git a/jre/product.yml b/jre/product.yml
@@ -5,3 +5,5 @@ type: product
 benchmark_root: "./guide"
 
 profiles_root: "./profiles"
+
+pkg_manager: "yum"
diff --git a/jre/profiles/stig.profile b/jre/profiles/stig.profile
@@ -36,4 +36,5 @@ selections:
     - java_jre_validation_crl_locked
     - java_jre_validation_ocsp
     - java_jre_validation_ocsp_locked
+    - java_jre_clean_previous_version
     - java_jre_updated
