Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHEL 9 STIG Update Q1 2023 #10185

Merged
merged 59 commits into from
Mar 1, 2023
Merged

RHEL 9 STIG Update Q1 2023 #10185

merged 59 commits into from
Mar 1, 2023

Conversation

Mab879
Copy link
Member

@Mab879 Mab879 commented Feb 8, 2023

Description:

Update the RHEL 9 STIG based on latest changes.

Rationale:

Keep the content up to date.

Review Hints:

Use ./utils/srg_diff.py to help compare.

@Mab879 Mab879 added RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. labels Feb 8, 2023
@Mab879 Mab879 added this to the 0.1.67 milestone Feb 8, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 8, 2023
@openshift-ci
Copy link

openshift-ci bot commented Feb 8, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions
Copy link

github-actions bot commented Feb 8, 2023

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@Mab879 Mab879 force-pushed the import_rhel9_stig_feb_2023 branch 2 times, most recently from 184494f to d7fa5cd Compare February 13, 2023 16:18
@Mab879
RHEL 9 STIG Import Whitespace Changes
c27d934 
Various white spaces to remove extra blank lines.
@Mab879
Remove variables from product specific content
cef09e9 
Due to the nature of the import process.
@Mab879
Update SSH key permissions for RHEL 9 STIG
2c38c4c
@Mab879
Escape < and > in product specific content
45f48ce 
Causes some rendering issues if this is not done
@Mab879
Update kernel module disabling product specific content for RHEL 9 STIG
d5f337e 
The install line was missing before and causing issues.
@Mab879
Update crypto policy for policy specific content
c7aa50f 
Updates from the RHEL 9 STIG
@Mab879
Fix capitalization in accounts_passwords_pam_faillock_unlock_time for…
e73aad3 
… PSC
@Mab879
Fix small errors in account_emergency_expire_date policy specifc content
38bde59
@Mab879
Update rules about unauthorized accounts in policy specific content
bbd418a 
Update for all users not just interactive.
@Mab879
Update accounts_password_set_min_life_existing to use passwd
ea2b0c5 
For the RHEL 9 STIG import
@Mab879
Clean up security_patches_up_to_date for policy specifc content
03dfaae
@Mab879
Update SSH crypto rules in policy specific content
e8874f0
@Mab879
Fix up accounts_user_interactive_home_directory_defined for policy sp…
7243f67 
…ecifc content
@Mab879
Update auditd_audispd_configure_sufficiently_large_partition policy s…
98f58d0 
…pecific content
@Mab879
Update file_groupowner_grub2_cfg to use group-owner in PSC
68e140c 
For the RHEL 9 STIG import
@Mab879
Update dconf_gnome_disable_ctrlaltdel_reboot for poliy specific content
92d4194
@Mab879
Remove extraneous text from grub2_password for PSC
99c1f63
@Mab879
More update to network_configure_name_resolution for PSC
7439835 
Import on the RHEL 9 STIG
@Mab879
Add RHEL 9 specific content for installed_OS_is_vendor_supported
4ec187c
@Mab879
Add kernel_module_sctp_disabled to the RHEL 9 STIG
1a13369
@Mab879
Add accounts_password_pam_unix_rounds_* rules to RHEL 9 STIG
f94161f
@Mab879
Add package_audispd-plugins_installed to RHEL 9 STIG
8d6b13f
@Mab879 Mab879 marked this pull request as ready for review February 14, 2023 23:16
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 14, 2023
@Mab879
Update rules for RHEL 9 SIG
87ef627 
Rules that are staying that are not in the spreadsheet.
* Audit rules are being kept since we don't combine like DISA
* file_*_cron_* are kept due to some wild carding in some rules. We will need to replace these in the future, once everything is finalized.
* There a few rules for FIPS and donf rules that we need for technical reasons
* set_password_hashing_algorithm_* to ensure that CCE-83615-5 CCE-83621-3 are fully covered
@marcusburghardt marcusburghardt self-assigned this Feb 23, 2023
marcusburghardt
marcusburghardt requested changes Feb 28, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. I saw only some minor details.

...sword_attempts/accounts_password_pam_pwhistory_remember_password_auth/policy/stig/shared.yml Outdated Show resolved Hide resolved
...assword_attempts/accounts_password_pam_pwhistory_remember_system_auth/policy/stig/shared.yml Outdated Show resolved Hide resolved
linux_os/guide/services/ssh/file_permissions_sshd_private_key/policy/stig/shared.yml Outdated Show resolved Hide resolved
...accounts/accounts-session/user_umask/accounts_umask_interactive_users/policy/stig/shared.yml Show resolved Hide resolved
...permissions/restrictions/enable_nx/bios_enable_execution_restrictions/policy/stig/shared.yml Outdated Show resolved Hide resolved
...permissions/restrictions/enable_nx/bios_enable_execution_restrictions/policy/stig/shared.yml Show resolved Hide resolved
...ions/password_storage/accounts_password_pam_unix_rounds_password_auth/policy/stig/shared.yml Outdated Show resolved Hide resolved
...ctions/password_storage/accounts_password_pam_unix_rounds_system_auth/policy/stig/shared.yml Outdated Show resolved Hide resolved
linux_os/guide/system/auditing/package_audispd-plugins_installed/policy/stig/shared.yml Outdated Show resolved Hide resolved
..._os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/policy/stig/shared.yml Show resolved Hide resolved
Mab879 added a commit to Mab879/content that referenced this pull request Feb 28, 2023
@Mab879
Resolve issues found in review of ComplianceAsCode#10185
c5f7ad7
Mab879 added a commit to Mab879/content that referenced this pull request Feb 28, 2023
@Mab879
Resolve issues found in review of ComplianceAsCode#10185
de1c7a4
@codeclimate
Copy link

codeclimate bot commented Mar 1, 2023

Code Climate has analyzed commit d9fb321 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (0.0% change).

View more on Code Climate.

marcusburghardt
marcusburghardt approved these changes Mar 1, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have checked all the changes and the are sane. Nice work @Mab879 .

@marcusburghardt marcusburghardt added the Highlight This PR/Issue should make it to the featured changelog. label Mar 1, 2023
@marcusburghardt marcusburghardt merged commit 3acc3ea into ComplianceAsCode:master Mar 1, 2023
@Mab879 Mab879 deleted the import_rhel9_stig_feb_2023 branch March 1, 2023 17:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

@marcusburghardt marcusburghardt

Labels
Highlight This PR/Issue should make it to the featured changelog. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related.
Projects
None yet
Milestone
0.1.67
Development

Successfully merging this pull request may close these issues.
2 participants
@Mab879 @marcusburghardt