Merge pull request ComplianceAsCode#6295 from carlosmmatos/update_jre_content_2

Update jre content with more controls and minor fixes

Author: redhatrises

jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_exists/oval/jre.xml

@@ -1,7 +1,7 @@
 <def-group>
   <definition class="compliance" id="java_jre_deployment_config_exists" version="1">
     <metadata>
-      <title>The Java Configuration File Exists</title>
+      <title>The Java deployment.config File Exists</title>
       <affected family="unix">
         <product>Java Runtime Environment</product>
       </affected>

jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_mandatory/bash/jre.sh

@@ -1,8 +1,8 @@
 # platform = Java Runtime Environment
 JAVA_CONFIG="/etc/.java/deployment/deployment.config"
 
-grep -q "^deployment.system.config.mandatory=false$" ${JAVA_CONFIG} && \
-sed -i "s/deployment.system.config.mandatory=.*/deployment.system.config.mandatory=false/g" ${JAVA_CONFIG}
+grep -q "^deployment.system.config.mandatory=.*" ${JAVA_CONFIG} && \
+sed -i "s/deployment.system.config.mandatory=.*/deployment.system.config.mandatory=true/g" ${JAVA_CONFIG}
 if ! [ $? -eq 0 ] ; then
-  echo "deployment.system.config.mandatory=false" >> ${JAVA_CONFIG}
+  echo "deployment.system.config.mandatory=true" >> ${JAVA_CONFIG}
 fi

jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_mandatory/oval/jre.xml

@@ -18,7 +18,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_java_jre_deployment_system_config_mandatory" version="1">
     <ind:filepath>/etc/.java/deployment/deployment.config</ind:filepath>
-    <ind:pattern operation="pattern match">^deployment.system.config.mandatory=false$</ind:pattern>
+    <ind:pattern operation="pattern match">^deployment.system.config.mandatory=true$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>

jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_properties/bash/jre.sh

@@ -2,7 +2,7 @@
 JAVA_CONFIG="/etc/.java/deployment/deployment.config"
 JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
 
-grep -q "^deployment.system.config=file://${JAVA_CONFIG}$" ${JAVA_CONFIG} && \
+grep -q "^deployment.system.config=.*" ${JAVA_CONFIG} && \
 sed -i "s;deployment.system.config=.*;deployment.system.config=file:\/\/${JAVA_PROPERTIES};g" ${JAVA_CONFIG}
 if ! [ $? -eq 0 ] ; then
   echo "deployment.system.config=file://${JAVA_PROPERTIES}" >> ${JAVA_CONFIG}

jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_properties/oval/jre.xml

@@ -1,7 +1,7 @@
 <def-group>
   <definition class="compliance" id="java_jre_deployment_config_properties" version="1">
     <metadata>
-      <title>Configure the deployment.properties File Path</title>
+      <title>Configure the Path to the deployment.properties File</title>
       <affected family="unix">
         <product>Java Runtime Environment</product>
       </affected>

jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_properties/rule.yml

@@ -30,4 +30,4 @@ ocil: |-
     run the following command:
     <pre>$ grep 'deployment.system.config=file' /etc/.java/deployment/deployment.config</pre>
     If properly configured, the output should return:
-    <pre>deployment.system.config=/etc/.java/deployment/deployment.properties</pre>
+    <pre>deployment.system.config=file:///etc/.java/deployment/deployment.properties</pre>

jre/guide/java/java_jre_deployment_properties_exists/oval/jre.xml

@@ -1,19 +1,19 @@
 <def-group>
   <definition class="compliance" id="java_jre_deployment_properties_exists" version="1">
     <metadata>
-      <title>The Java Properties File Exists</title>
+      <title>The Java deployment.properties File Exists</title>
       <affected family="unix">
         <product>Java Runtime Environment</product>
       </affected>
       <description>A properties file must be present to hold all the keys
       that establish properties within the Java control panel.</description>
     </metadata>
     <criteria>
-      <criterion comment="Check deployment.properties file" test_ref="test_java_jre_deployment_properties" />
+      <criterion comment="Check deployment.properties file exists" test_ref="test_java_jre_deployment_properties" />
     </criteria>
   </definition>
 
-  <unix:file_test check="all" comment="Check deployment.properties file" id="test_java_jre_deployment_properties" version="1">
+  <unix:file_test check="all" comment="Check deployment.properties file exists" id="test_java_jre_deployment_properties" version="1">
     <unix:object object_ref="object_java_jre_deployment_properties" />
   </unix:file_test>
   <unix:file_object id="object_java_jre_deployment_properties" version="1">

jre/guide/java/java_jre_untrusted_sources/bash/jre.sh jre/guide/java/java_jre_disable_untrusted_sources/bash/jre.sh

@@ -1,8 +1,8 @@
 # platform = Java Runtime Environment
 JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
 
-grep -q "^deployment.security.askgrantdialog.notinca=false$" ${JAVA_PROPERTIES} && \
+grep -q "^deployment.security.askgrantdialog.notinca=.*$" ${JAVA_PROPERTIES} && \
 sed -i "s/deployment.security.askgrantdialog.notinca=.*/deployment.security.askgrantdialog.notinca=false/g" ${JAVA_PROPERTIES}
 if ! [ $? -eq 0 ] ; then
   echo "deployment.security.askgrantdialog.notinca=false" >> ${JAVA_PROPERTIES}
-fi
+fi

jre/guide/java/java_jre_untrusted_sources/oval/jre.xml jre/guide/java/java_jre_disable_untrusted_sources/oval/jre.xml

@@ -1,22 +1,22 @@
 <def-group>
-  <definition class="compliance" id="java_jre_untrusted_sources" version="1">
+  <definition class="compliance" id="java_jre_disable_untrusted_sources" version="1">
     <metadata>
-      <title>Disable Java Execution From Untrusted Sources</title>
+      <title>Disable Execution of Signed Java Applets From Untrusted Sources Feature</title>
       <affected family="unix">
         <product>Java Runtime Environment</product>
       </affected>
-      <description>The dialog to enable users to grant permissions to execute
+      <description>The dialog to enable users to grant permissions to execute 
       signed content from an un-trusted authority must be disabled.</description>
     </metadata>
     <criteria>
-      <criterion comment="Check deployment.security.askgrantdialog.notinca" test_ref="test_java_jre_untrusted_sources" />
+      <criterion comment="Check deployment.security.askgrantdialog.notinca" test_ref="test_java_jre_disable_untrusted_sources" />
     </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" comment="Check deployment.security.askgrantdialog.notinca" id="test_java_jre_untrusted_sources" version="1">
-    <ind:object object_ref="object_java_jre_untrusted_sources" />
+  <ind:textfilecontent54_test check="all" comment="Check deployment.security.askgrantdialog.notinca" id="test_java_jre_disable_untrusted_sources" version="1">
+    <ind:object object_ref="object_java_jre_disable_untrusted_sources" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_java_jre_untrusted_sources" version="1">
+  <ind:textfilecontent54_object id="object_java_jre_disable_untrusted_sources" version="1">
     <ind:filepath>/etc/.java/deployment/deployment.properties</ind:filepath>
     <ind:pattern operation="pattern match">^deployment.security.askgrantdialog.notinca=false$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>

jre/guide/java/java_jre_untrusted_sources/rule.yml jre/guide/java/java_jre_disable_untrusted_sources/rule.yml

@@ -1,22 +1,26 @@
 documentation_complete: true
 
-title: 'Disable Java Execution From Untrusted Sources'
+title: 'Disable Execution of Signed Java Applets From Untrusted Sources Setting'
 
 description: |-
     To ensure that Java cannot execute from untrusted sources, set
     <tt>deployment.security.askgrantdialog.notinca</tt> to equal <tt>false</tt>
     in <tt>/etc/.java/deployment/deployment.properties</tt>.
 
 rationale: |-
-    Permitting execution of signed Java applets from un-trusted sources
-    may result in acquiring malware, and risks system modification, invasion of
-    privacy, or denial of service.
+    Permitting execution of signed Java applets from un-trusted sources may
+    result in acquiring malware, and risks system modification, invasion of
+    privacy, or denial of service. Block users from granting permissions to
+    certificates that are not issued by a CA in the Root/JSSE CA certificate
+    store.
 
 severity: medium
 
 references:
-    nist: DCBP-1
-    stigid: JRE0001-UX
+    srg: SRG-APP-000112
+    disa: CCI-001695
+    stigid: JRE8-UX-000080
+    nist: SC-18 (3)
 
 ocil_clause: 'it does not exist or is not configured properly'
 

jre/guide/java/java_jre_untrusted_sources_locked/bash/jre.sh jre/guide/java/java_jre_disable_untrusted_sources_locked/bash/jre.sh

@@ -1,8 +1,7 @@
 # platform = Java Runtime Environment
 JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
 
-grep -q "^deployment.security.askgrantdialog.notinca.locked$" ${JAVA_PROPERTIES} && \
-sed -i "s/deployment.security.askgrantdialog.notinca\..*/deployment.security.askgrantdialog.notinca.locked/g" ${JAVA_PROPERTIES}
+grep -q "^deployment.security.askgrantdialog.notinca.locked$" ${JAVA_PROPERTIES}
 if ! [ $? -eq 0 ] ; then
   echo "deployment.security.askgrantdialog.notinca.locked" >> ${JAVA_PROPERTIES}
 fi

jre/guide/java/java_jre_untrusted_sources_locked/oval/jre.xml jre/guide/java/java_jre_disable_untrusted_sources_locked/oval/jre.xml

@@ -1,5 +1,5 @@
 <def-group>
-  <definition class="compliance" id="java_jre_untrusted_sources_locked" version="1">
+  <definition class="compliance" id="java_jre_disable_untrusted_sources_locked" version="1">
     <metadata>
       <title>Disable User Access to Untrusted Sources Setting</title>
       <affected family="unix">
@@ -9,14 +9,14 @@
       content from an un-trusted authority must be locked.</description>
     </metadata>
     <criteria>
-      <criterion comment="Check deployment.security.askgrantdialog.notinca.locked" test_ref="test_java_jre_untrusted_sources_locked" />
+      <criterion comment="Check deployment.security.askgrantdialog.notinca.locked" test_ref="test_java_jre_disable_untrusted_sources_locked" />
     </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" comment="Check deployment.security.askgrantdialog.notinca.lock" id="test_java_jre_untrusted_sources_locked" version="1">
-    <ind:object object_ref="object_java_jre_untrusted_sources_locked" />
+  <ind:textfilecontent54_test check="all" comment="Check deployment.security.askgrantdialog.notinca.lock" id="test_java_jre_disable_untrusted_sources_locked" version="1">
+    <ind:object object_ref="object_java_jre_disable_untrusted_sources_locked" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_java_jre_untrusted_sources_locked" version="1">
+  <ind:textfilecontent54_object id="object_java_jre_disable_untrusted_sources_locked" version="1">
     <ind:filepath>/etc/.java/deployment/deployment.properties</ind:filepath>
     <ind:pattern operation="pattern match">^deployment.security.askgrantdialog.notinca.locked$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>

jre/guide/java/java_jre_untrusted_sources_locked/rule.yml jre/guide/java/java_jre_disable_untrusted_sources_locked/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-title: 'Disable User Access to Untrusted Sources Settings'
+title: 'Disable User Access to Disabling Untrusted Sources Setting'
 
 description: |-
     To ensure that users cannot change the untrusted sources settings,
@@ -17,8 +17,10 @@ rationale: |-
 severity: medium
 
 references:
-    nist: DCBP-1
-    stigid: JRE0010-UX
+    srg: SRG-APP-000112
+    disa: CCI-001695
+    stigid: JRE8-UX-000080
+    nist: SC-18 (3)
 
 ocil_clause: 'it does not exist or is not configured properly'
 

jre/guide/java/java_jre_enable_jws/bash/jre.sh

@@ -0,0 +1,8 @@
+# platform = Java Runtime Environment
+JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
+
+grep -q "^deployment.webjava.enabled=.*$" ${JAVA_PROPERTIES} && \
+sed -i "s/deployment.webjava.enabled=.*/deployment.webjava.enabled=true/g" ${JAVA_PROPERTIES}
+if ! [ $? -eq 0 ] ; then
+  echo "deployment.webjava.enabled=true" >> ${JAVA_PROPERTIES}
+fi

jre/guide/java/java_jre_enable_jws/oval/jre.xml

@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="java_jre_enable_jws" version="1">
+    <metadata>
+      <title>Enable Java Web Start Applications to Run</title>
+      <affected family="unix">
+        <product>Java Runtime Environment</product>
+      </affected>
+      <description>Configure setting to ensure Java allows 
+      Java Web Start (JWS) applications to run.</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Check deployment.webjava.enabled" test_ref="test_java_jre_enable_jws" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="Check deployment.webjava.enabled" id="test_java_jre_enable_jws" version="1">
+    <ind:object object_ref="object_java_jre_enable_jws" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_java_jre_enable_jws" version="1">
+    <ind:filepath>/etc/.java/deployment/deployment.properties</ind:filepath>
+   <ind:pattern operation="pattern match">^deployment.webjava.enabled=true$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

jre/guide/java/java_jre_enable_jws_locked/bash/jre.sh

@@ -0,0 +1,7 @@
+# platform = Java Runtime Environment
+JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
+
+grep -q "^deployment.webjava.enabled.locked$" ${JAVA_PROPERTIES}
+if ! [ $? -eq 0 ] ; then
+  echo "deployment.webjava.enabled.locked" >> ${JAVA_PROPERTIES}
+fi

jre/guide/java/java_jre_enable_jws_locked/oval/jre.xml

@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="java_jre_enable_jws_locked" version="1">
+    <metadata>
+      <title>Disable User Access to Java Web Start Application Setting</title>
+      <affected family="unix">
+        <product>Java Runtime Environment</product>
+      </affected>
+      <description>The setting that ensures Java allows Java 
+      Web Start applications to run must be locked.</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Check deployment.webjava.enabled.locked" test_ref="test_java_jre_enable_jws_locked" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="Check deployment.webjava.enabled.locked" id="test_java_jre_enable_jws_locked" version="1">
+    <ind:object object_ref="object_java_jre_enable_jws_locked" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_java_jre_enable_jws_locked" version="1">
+    <ind:filepath>/etc/.java/deployment/deployment.properties</ind:filepath>
+   <ind:pattern operation="pattern match">^deployment.webjava.enabled.locked$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

jre/guide/java/java_jre_lock_untrusted_sources/bash/jre.sh

@@ -0,0 +1,8 @@
+# platform = Java Runtime Environment
+JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
+
+grep -q "^deployment.security.askgrantdialog.show=.*$" ${JAVA_PROPERTIES} && \
+sed -i "s/deployment.security.askgrantdialog.show=.*/deployment.security.askgrantdialog.show=false/g" ${JAVA_PROPERTIES}
+if ! [ $? -eq 0 ] ; then
+  echo "deployment.security.askgrantdialog.show=false" >> ${JAVA_PROPERTIES}
+fi

jre/guide/java/java_jre_lock_untrusted_sources/oval/jre.xml

@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="java_jre_lock_untrusted_sources" version="1">
+    <metadata>
+      <title>Lock Execution of Signed Java Applets From Untrusted Sources Setting</title>
+      <affected family="unix">
+        <product>Java Runtime Environment</product>
+      </affected>
+      <description>The dialog to enable users to grant permissions to execute 
+      signed content from an un-trusted authority must be locked.</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Check deployment.security.askgrantdialog.show" test_ref="test_java_jre_lock_untrusted_sources" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="Check deployment.security.askgrantdialog.show" id="test_java_jre_lock_untrusted_sources" version="1">
+    <ind:object object_ref="object_java_jre_lock_untrusted_sources" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_java_jre_lock_untrusted_sources" version="1">
+    <ind:filepath>/etc/.java/deployment/deployment.properties</ind:filepath>
+    <ind:pattern operation="pattern match">^deployment.security.askgrantdialog.show=false$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

jre/guide/java/java_jre_lock_untrusted_sources/rule.yml

@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Lock Execution of Signed Java Applets From Untrusted Sources Setting'
+
+description: |-
+    To ensure that Java cannot execute from untrusted sources, set
+    <tt>deployment.security.askgrantdialog.show</tt> to equal <tt>false</tt>
+    in <tt>/etc/.java/deployment/deployment.properties</tt>.
+
+rationale: |-
+    Permitting execution of signed Java applets from un-trusted sources may
+    result in acquiring malware, and risks system modification, invasion of
+    privacy, or denial of service. Block users from granting permissions to
+    applets and JWS applications.
+
+severity: medium
+
+references:
+    srg: SRG-APP-000112
+    disa: CCI-001695
+    stigid: JRE8-UX-000090
+    nist: SC-18 (3)
+
+ocil_clause: 'it does not exist or is not configured properly'
+
+ocil: |-
+    To verify that Java cannot execute from untrusted sources,
+    run the following command:
+    <pre>$ grep 'askgrantdialog.show=false' /etc/.java/deployment/deployment.properties</pre>
+    If properly configured, the output should return:
+    <pre>deployment.security.askgrantdialog.show=false</pre>

jre/guide/java/java_jre_lock_untrusted_sources_locked/bash/jre.sh

@@ -0,0 +1,7 @@
+# platform = Java Runtime Environment
+JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
+
+grep -q "^deployment.security.askgrantdialog.show.locked$" ${JAVA_PROPERTIES}
+if ! [ $? -eq 0 ] ; then
+  echo "deployment.security.askgrantdialog.show.locked" >> ${JAVA_PROPERTIES}
+fi

jre/guide/java/java_jre_lock_untrusted_sources_locked/oval/jre.xml

@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="java_jre_lock_untrusted_sources_locked" version="1">
+    <metadata>
+      <title>Disable User Access to Locking Untrusted Sources Setting</title>
+      <affected family="unix">
+        <product>Java Runtime Environment</product>
+      </affected>
+      <description>The dialog enabling users to grant permissions to execute signed
+      content from an un-trusted authority must be locked.</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Check deployment.security.askgrantdialog.show.locked" test_ref="test_java_jre_lock_untrusted_sources_locked" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="Check deployment.security.askgrantdialog.show.lock" id="test_java_jre_lock_untrusted_sources_locked" version="1">
+    <ind:object object_ref="object_java_jre_lock_untrusted_sources_locked" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_java_jre_lock_untrusted_sources_locked" version="1">
+    <ind:filepath>/etc/.java/deployment/deployment.properties</ind:filepath>
+    <ind:pattern operation="pattern match">^deployment.security.askgrantdialog.show.locked$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>