diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml index 6486ecdfac2..17a048e45d5 100644 --- a/.github/workflows/srg-mapping-table.yaml +++ b/.github/workflows/srg-mapping-table.yaml @@ -32,11 +32,11 @@ jobs: - name: Create data directory run: mkdir -p $PAGES_DIR - name: Generate XLSX for OCP4 - run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-ocp4.xlsx + run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-ocp4.xlsx --prefer-controls env: PYTHONPATH: ${{ github.workspace }} - name: Generate HTML for OCP4 - run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html + run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html --prefer-controls env: PYTHONPATH: ${{ github.workspace }} - name: Generate XLSX for RHEL9 diff --git a/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml b/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml index 4600d64d19f..01a8def95f4 100644 --- a/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml +++ b/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml 
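Review bot: The `--prefer-controls` flag is added only to the two OCP4 export commands, while the RHEL9 step that the same hunk shows next (`- name: Generate XLSX for RHEL9`) is left unchanged. If that is deliberate because only the OCP4 controls carry `check`/`fixtext` content, a one-line comment above the OCP4 steps, such as `# --prefer-controls: srg_ctr controls define their own check/fixtext, so control text wins over rule text`, would keep the two product pipelines from diverging silently. The RHEL9 command itself lies outside the hunk, so I cannot tell whether it should take the flag as well.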
@@ -7,4 +7,62 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". + Logging on as administrator, check the auditing rules in "/etc/audit/audit.rules" by executing the following: + + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME: "; grep /etc/shadow /etc/audit/audit.rules /etc/audit/rules.d/*'; done + + (Example output: + -w /etc/shadow -p wa -k identity) + + If the command does not return a line, or the line is commented out, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml b/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml index ff3a356e306..ad9414b9683 100644 --- a/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml +++ b/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml 
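Review bot: The example output in the new `check` for SRG-APP-000026-CTR-000070 shows `-w /etc/shadow -p wa -k identity`, but the `fixtext` in the same hunk writes the rule with `-k audit_rules_usergroup_modification`, so a system remediated with the provided fix will never produce the example line. The pass criterion only requires a non-commented line to be returned, so the check itself is correct, but an assessor comparing against the example literally may record a false finding; either change the example to the key the fix produces, or add `(any -k key value is acceptable)` after the example. The check and fixtext blocks are also near-identical to those added for the other controls in this commit; if the project has a way to share control text, factoring them out would keep the copies from drifting.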
@@ -7,4 +7,57 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify for each of the files that contain account information the system is configured to emit an audit event in case of a write, by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; for f in /etc/passwd /etc/group /etc/gshadow /etc/security/opasswd /etc/shadow /etc/sudoers /etc/sudoers.d/; do grep -q "\-w $f \-p wa \-k" /etc/audit/audit.rules || echo "rule for $f not found"; done' 2>/dev/null; done + + If for any of the files a line saying "rule for $filename not found" is printed, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml b/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml index 0b7f308a1bb..399b0f2b664 100644 --- a/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml +++ b/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml @@ -2,7 +2,7 @@ controls: - id: SRG-APP-000028-CTR-000080 levels: - medium - title: {{{ full_name }}} must automatically audit account-disabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
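Review bot: The new `check` for SRG-APP-000027-CTR-000075 fails open: `2>/dev/null` discards any `oc debug` or `chroot` error, and the only finding criterion is a printed `rule for $f not found` line, so a node whose debug pod never starts produces no output and would be assessed as compliant. Either drop `2>/dev/null` or add a sentence such as `If a node produces no output at all, the check could not be performed and this is a finding.` The loop also greps `/etc/audit/audit.rules` only, whereas the `fixtext` writes the rules to `/etc/audit/rules.d/` and the sibling check in SRG-APP-000026-CTR-000070 searches both locations; unless `audit.rules` is guaranteed to be regenerated from `rules.d` on RHCOS before the check runs, searching `/etc/audit/rules.d/* /etc/audit/audit.rules` as the other checks do would avoid a spurious finding immediately after remediation.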
@@ -11,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml b/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml index 1ee0db212c6..7d953163230 100644 --- a/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml +++ b/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000291-CTR-000675 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO when accounts - are created. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
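Review bot: The new `check` for SRG-APP-000028-CTR-000080 verifies only the five `audit_rules_usergroup_modification` watches, while the control's `rules:` list also selects `audit_rules_sysadmin_actions` and the `fixtext` installs `-w /etc/sudoers` and `-w /etc/sudoers.d/` watches keyed `actions`; the grep patterns (`user-modify`, `group-modify`, `audit_rules_usergroup_modification`) cannot match those lines, so a node missing the sudoers watches still passes. If the sysadmin-actions rule is meant to be part of this requirement, add `-e actions -e /etc/sudoers` to the grep and list the two sudoers watches under `Confirm the following rules exist on each node:`; if it is not, the fix should probably not install them under this control. The same check and fix text is added verbatim for SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750 and SRG-APP-000509-CTR-001305, so whichever way this is resolved applies to all of them.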
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml b/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml index 2578b4772b8..1ca17e91d50 100644 --- a/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml +++ b/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000292-CTR-000680 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO when accounts - are modified. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml b/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml index dd7a3788211..5800ba9b671 100644 --- a/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml +++ b/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000293-CTR-000685 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO for account - disabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml b/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml index a7c7eff926c..de09bd7f702 100644 --- a/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml +++ b/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000294-CTR-000690 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO for account - removal actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml b/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml index 173db7ba9e1..1ed84619d9b 100644 --- a/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml +++ b/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml @@ -2,7 +2,7 @@ controls: - id: SRG-APP-000319-CTR-000745 levels: - medium - title: {{{ full_name }}} must automatically audit account-enabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -11,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml b/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml index 85d87d9d55a..a71893916ae 100644 --- a/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml +++ b/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000320-CTR-000750 levels: - medium - title: {{{ full_name }}} must notify system administrator and ISSO of account - enabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml b/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml index 70200b2ce3e..99c54f5aba4 100644 --- a/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml +++ b/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml 
@@ -2,12 +2,71 @@ controls: - id: SRG-APP-000509-CTR-001305 levels: - medium - title: {{{ full_name }}} must generate audit records for all account creations, - modifications, disabling, and termination events. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - audit_profile_set rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification status: automated + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. 
+ fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/utils/create_srg_export.py b/utils/create_srg_export.py index 5cabdd5031a..d588f5ea3bc 100755 --- a/utils/create_srg_export.py +++ b/utils/create_srg_export.py 
@@ -202,6 +202,9 @@ def parse_args() -> argparse.Namespace: parser.add_argument("-m", "--manual", type=str, action="store", help="Path to XML XCCDF manual file to use as the source of the SRGs", default=SRG_PATH) + parser.add_argument("--prefer-controls", action="store_true", + help="When creating rows prefer checks and fixes from controls over rules", + default=False) parser.add_argument("-f", "--out-format", type=str, choices=("csv", "xlsx", "html", "md"), action="store", help="The format the output should take. Defaults to csv", default="csv") @@ -218,9 +221,16 @@ def get_policy_specific_content(key: str, rule_object: ssg.build_yaml.Rule) -> s return stig.get(key, "") +def use_rule_content(control: ssg.controls.Control, prefer_controls: bool) -> bool: + if control.fixtext is not None and control.check is not None and prefer_controls: + return False + return True + + def handle_control(product: str, control: ssg.controls.Control, env_yaml: ssg.environment, - rule_json: dict, srgs: dict, used_rules: list, root_path: str) -> list: - if len(control.selections) > 0: + rule_json: dict, srgs: dict, used_rules: list, root_path: str, + prefer_controls: bool) -> list: + if len(control.selections) > 0 and use_rule_content(control, prefer_controls): rows = list() for selection in control.selections: if selection not in used_rules and selection in control.selected: 
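Review bot: `default=False` on the new `--prefer-controls` argument is redundant, since `action="store_true"` already defaults the option to `False`; dropping it avoids suggesting the default is something other than the action's own. The help string could also say what happens when a control lacks one of the two fields, e.g. `help="Prefer a control's check/fixtext over rule-derived text when the control defines both; otherwise rule text is used"`, since that fallback is what `use_rule_content` implements further down.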
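Review bot: `use_rule_content` has no docstring and its double negation (it answers "use rule content?" by returning `False` when controls are preferred) makes the call site `if len(control.selections) > 0 and use_rule_content(control, prefer_controls)` hard to read; a single expression, `return not (prefer_controls and control.fixtext is not None and control.check is not None)`, with a docstring stating that rule-derived check/fix text is used unless `--prefer-controls` is set and the control defines both `check` and `fixtext`, says the same thing directly. The `is not None` tests are only right if `Control` leaves unset fields as `None`; if it defaults them to an empty string, a control with an empty `check` would suppress the rule text and emit an empty check, so a truthiness test may be the safer choice — I cannot see the `Control` definition from here. `handle_control`'s body continues past the end of the hunk.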
@@ -380,6 +390,42 @@ def get_env_yaml(root: str, product_path: str, build_config_yaml: str) -> dict: return env_yaml +def rows_match(old: dict, new: dict) -> bool: + must_match = ['Requirement', 'Fix', 'Check'] + for k in must_match: + if old[k] != new[k]: + return False + return True + + +def merge_rows(old: dict, new: dict) -> None: + old["SRGID"] = old["SRGID"] + "," + new["SRGID"] + + +def extend_results(results: list, rows: list, prefer_controls: bool) -> None: + # We always extend with rows that are generated based on rule selection + # We also only attempt to merge the new row if we prefer control-based + # policy data over rule-based + if len(rows) > 1 or not prefer_controls: + results.extend(rows) + return + + if len(rows) == 0: + return + + # If we only have one row, possibly with check and fix from the control + # file and not rules, let's find a row with the same requirement, fix + # and check and if they match, merge + new_row = rows[0] + for r in results: + if rows_match(r, new_row): + merge_rows(r, new_row) + return + + # We didn't find any match, so we just add the row as new + results.extend(rows) + + def main() -> None: args = parse_args() check_paths(args.control, args.json) @@ -396,8 +442,8 @@ def main() -> None: results = list() for control in policy.controls: rows = handle_control(args.product, control, env_yaml, rule_json, srgs, used_rules, - args.root) - results.extend(rows) + args.root, args.prefer_controls) + extend_results(results, rows, args.prefer_controls) handle_output(args.output, results, args.out_format, args.product)
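Review bot: The comment at the top of `extend_results` says rule-derived rows are always appended, but the code decides by `len(rows) > 1`, so a control that selects exactly one rule also goes through the merge path and has its row folded into an earlier one when Requirement, Fix and Check happen to match; either that is intended and the comment should say `rows with more than one entry`, or the caller should pass an explicit flag rather than relying on the row count. `merge_rows` also appends unconditionally, so merging the same pair twice yields a duplicated `SRGID`; `if new["SRGID"] not in old["SRGID"].split(","):` before the concatenation guards that. `rows_match` reads `old[k]`/`new[k]` and raises `KeyError` on any row lacking one of the three keys — presumably every row built by `handle_control` has them, but `dict.get` would make that assumption explicit. A docstring on `extend_results` describing the in-place mutation of `results` and the merge rule would help, and `rows_match` reads more naturally as `return all(old[k] == new[k] for k in ("Requirement", "Fix", "Check"))`.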