From 8074636e14d029cd6918298c34b7bece8010dd0d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 29 Jun 2023 21:52:58 +0200 Subject: [PATCH 1/3] create_srg_export: Add a command-line flag to prefer check and fix from the control over rules The OCP4 STIG is a bit of a weird case. First, it mixes OCP4 and RHCOS controls into a single stig and second, because of how the MachineConfig remediations are not exactly user-friendly, we often lumped several MachineConfigs from several rules into a single SRG row in the STIG spreadsheet. The current script presumes that every rule would emit a single row in the sheet and that every rule's policy would be used exactly once. The most straightforward way of solving this is to just put the checks and the fixes in the controls and then let the script optionally, with a new command line flag that this patch adds, prefer those over policy files. That way, we can have a single row even if the control specifies several rules. Additionally, because the current script presumes that rows whose check and fix are read from the control files are either NA or IM and should be separate in the resulting sheet, the script implements a rudimentary deduplication of duplicate rows. This behaviour is opt-in and would only be used by the OCP4 STIG for the time being. --- utils/create_srg_export.py | 54 +++++++++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/utils/create_srg_export.py b/utils/create_srg_export.py index 5cabdd5031a..d588f5ea3bc 100755 --- a/utils/create_srg_export.py +++ b/utils/create_srg_export.py 
@@ -202,6 +202,9 @@ def parse_args() -> argparse.Namespace:
     parser.add_argument("-m", "--manual", type=str, action="store",
                         help="Path to XML XCCDF manual file to use as the source of the SRGs",
                         default=SRG_PATH)
+    parser.add_argument("--prefer-controls", action="store_true",
+                        help="When creating rows prefer checks and fixes from controls over rules",
+                        default=False)
     parser.add_argument("-f", "--out-format", type=str, choices=("csv", "xlsx", "html", "md"),
                         action="store", help="The format the output should take. Defaults to csv",
                         default="csv")
@@ -218,9 +221,16 @@ def get_policy_specific_content(key: str, rule_object: ssg.build_yaml.Rule) -> s
     return stig.get(key, "")
 
 
+def use_rule_content(control: ssg.controls.Control, prefer_controls: bool) -> bool:
+    if control.fixtext is not None and control.check is not None and prefer_controls:
+        return False
+    return True
+
+
 def handle_control(product: str, control: ssg.controls.Control, env_yaml: ssg.environment,
-                   rule_json: dict, srgs: dict, used_rules: list, root_path: str) -> list:
-    if len(control.selections) > 0:
+                   rule_json: dict, srgs: dict, used_rules: list, root_path: str,
+                   prefer_controls: bool) -> list:
+    if len(control.selections) > 0 and use_rule_content(control, prefer_controls):
         rows = list()
         for selection in control.selections:
             if selection not in used_rules and selection in control.selected:
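Review bot: The help text for `--prefer-controls` only says the flag prefers control-level checks and fixes, but in this same patch the flag also switches on merging of rows whose Requirement, Fix and Check coincide (see `extend_results`), which nobody reading `--help` would expect. Spell it out, e.g. `help="Prefer a control's own check and fixtext over those of its rules, and merge rows whose Requirement, Fix and Check are identical into one row (SRG IDs are comma-joined)"`. `default=False` is already implied by `action="store_true"` and can be dropped. parse_args continues outside the hunk.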
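Review bot: When `prefer_controls` is set and the control carries both `check` and `fixtext`, the new condition skips the rule-selection branch, so the control's selections are never appended to `used_rules`; a later control that selects the same rule but has no check/fixtext of its own will then still emit a rule-based row for it, which may or may not be what the STIG wants — either way it deserves a comment, plus a docstring on `use_rule_content` such as `"""Return False when the control's own check/fixtext should replace per-rule content."""`. `is not None` also treats an empty `check: ""` as present; if empty strings can occur in control files, testing truthiness (`control.fixtext and control.check and prefer_controls`) would be safer. handle_control's body continues past the hunk, so the else path that presumably builds the control-based row is not visible here.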
@@ -380,6 +390,42 @@ def get_env_yaml(root: str, product_path: str, build_config_yaml: str) -> dict:
     return env_yaml
 
 
+def rows_match(old: dict, new: dict) -> bool:
+    must_match = ['Requirement', 'Fix', 'Check']
+    for k in must_match:
+        if old[k] != new[k]:
+            return False
+    return True
+
+
+def merge_rows(old: dict, new: dict) -> None:
+    old["SRGID"] = old["SRGID"] + "," + new["SRGID"]
+
+
+def extend_results(results: list, rows: list, prefer_controls: bool) -> None:
+    # We always extend with rows that are generated based on rule selection
+    # We also only attempt to merge the new row if we prefer control-based
+    # policy data over rule-based
+    if len(rows) > 1 or not prefer_controls:
+        results.extend(rows)
+        return
+
+    if len(rows) == 0:
+        return
+
+    # If we only have one row, possibly with check and fix from the control
+    # file and not rules, let's find a row with the same requirement, fix
+    # and check and if they match, merge
+    new_row = rows[0]
+    for r in results:
+        if rows_match(r, new_row):
+            merge_rows(r, new_row)
+            return
+
+    # We didn't find any match, so we just add the row as new
+    results.extend(rows)
+
+
 def main() -> None:
     args = parse_args()
     check_paths(args.control, args.json)
@@ -396,8 +442,8 @@ def main() -> None:
     results = list()
     for control in policy.controls:
         rows = handle_control(args.product, control, env_yaml, rule_json, srgs, used_rules,
-                              args.root)
-        results.extend(rows)
+                              args.root, args.prefer_controls)
+        extend_results(results, rows, args.prefer_controls)
 
     handle_output(args.output, results, args.out_format, args.product)
 
From 862145e2b003d558182e939bfa76c6cf4c3445eb Mon Sep 17 00:00:00 2001
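Review bot: The leading comment in `extend_results` says rule-based rows are always extended, but the code decides by `len(rows) > 1`, so a control whose rules produced exactly one row is also sent through the merge loop and can be folded into an earlier row whenever Requirement, Fix and Check happen to coincide; if that is intended, reword the comment, otherwise pass the result of `use_rule_content(...)` in and extend unconditionally when it is true. `rows_match` indexes `old[k]` directly and will raise `KeyError` on a row missing one of the three columns; `old.get(k) != new.get(k)` would degrade to "no match" instead. `merge_rows` also re-appends an SRGID that is already in the comma list should the same SRG ever be merged twice, so `if new["SRGID"] not in old["SRGID"].split(","):` is cheap insurance.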
From: Jakub Hrozek Date: Thu, 29 Jun 2023 21:53:05 +0200 Subject: [PATCH 2/3] Amend several RHCOS controls to include a check and a fix To enable the create_srg_export to create a single row for these SRGs and later dedup them, let's add the check and the fix to the controls directly. --- .../srg_ctr/SRG-APP-000026-CTR-000070.yml | 58 +++++++++++++++++ .../srg_ctr/SRG-APP-000027-CTR-000075.yml | 53 ++++++++++++++++ .../srg_ctr/SRG-APP-000028-CTR-000080.yml | 62 +++++++++++++++++- .../srg_ctr/SRG-APP-000291-CTR-000675.yml | 63 ++++++++++++++++++- .../srg_ctr/SRG-APP-000292-CTR-000680.yml | 63 ++++++++++++++++++- .../srg_ctr/SRG-APP-000293-CTR-000685.yml | 63 ++++++++++++++++++- .../srg_ctr/SRG-APP-000294-CTR-000690.yml | 63 ++++++++++++++++++- .../srg_ctr/SRG-APP-000319-CTR-000745.yml | 62 +++++++++++++++++- .../srg_ctr/SRG-APP-000320-CTR-000750.yml | 63 ++++++++++++++++++- .../srg_ctr/SRG-APP-000509-CTR-001305.yml | 63 ++++++++++++++++++- 10 files changed, 599 insertions(+), 14 deletions(-) diff --git a/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml b/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml index 4600d64d19f..01a8def95f4 100644 --- a/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml +++ b/controls/srg_ctr/SRG-APP-000026-CTR-000070.yml 
@@ -7,4 +7,62 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". + Logging on as administrator, check the auditing rules in "/etc/audit/audit.rules" by executing the following: + + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME: "; grep /etc/shadow /etc/audit/audit.rules /etc/audit/rules.d/*'; done + + (Example output: + -w /etc/shadow -p wa -k identity) + + If the command does not return a line, or the line is commented out, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml b/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml index ff3a356e306..ad9414b9683 100644 --- a/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml +++ b/controls/srg_ctr/SRG-APP-000027-CTR-000075.yml 
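Review bot: The example output in the new `check` block shows `-w /etc/shadow -p wa -k identity`, but the fixtext on the same control installs the line with `-k audit_rules_usergroup_modification`, so an assessor who applies the fix sees output that differs from the example; either quote the key the fix actually writes or state that the key name is not part of the requirement. The check also greps `/etc/audit/audit.rules` together with `/etc/audit/rules.d/*`, so a match can be printed twice per node and a commented copy in one file may sit next to an active copy in the other — the "or the line is commented out" clause should say that one active, uncommented match on the node is sufficient.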
@@ -7,4 +7,57 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify for each of the files that contain account information the system is configured to emit an audit event in case of a write, by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; for f in /etc/passwd /etc/group /etc/gshadow /etc/security/opasswd /etc/shadow /etc/sudoers /etc/sudoers.d/; do grep -q "\-w $f \-p wa \-k" /etc/audit/audit.rules || echo "rule for $f not found"; done' 2>/dev/null; done + + If for any of the files a line saying "rule for $filename not found" is printed, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml b/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml index 0b7f308a1bb..399b0f2b664 100644 --- a/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml +++ b/controls/srg_ctr/SRG-APP-000028-CTR-000080.yml @@ -2,7 +2,7 @@ controls: - id: SRG-APP-000028-CTR-000080 levels: - medium - title: {{{ full_name }}} must automatically audit account-disabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
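Review bot: In the new `check`, `2>/dev/null` sits outside the single-quoted script and therefore silences `oc debug` itself, while the pass criterion is purely negative (no `rule for ... not found` line); a node where the debug pod cannot be scheduled or `chroot /host` fails prints nothing and is indistinguishable from a compliant node. Since the script already prints `$HOSTNAME ` per node, add a sentence such as `Confirm that a line is printed for every node returned by "oc get node"; a node with no output was not checked and the check must be repeated for it.` Unlike the neighbouring controls, this check reads only `/etc/audit/audit.rules` and not `/etc/audit/rules.d/`; if that is deliberate (checking what was loaded rather than what the MachineConfig dropped), say so, otherwise assessors will wonder why the two checks differ.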
@@ -11,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml b/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml index 1ee0db212c6..7d953163230 100644 --- a/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml +++ b/controls/srg_ctr/SRG-APP-000291-CTR-000675.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000291-CTR-000675 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO when accounts - are created. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
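Review bot: The expected-rules list in the new `check` covers the five account files, but the fixtext for the same control also installs `-w /etc/sudoers.d/ -p wa -k actions` and `-w /etc/sudoers -p wa -k actions`, and the grep pattern `-e user-modify -e group-modify` matches nothing the fix writes; check and fix on one STIG row should describe the same set of rules, so either add the sudoers lines to the "Confirm the following rules exist" list or note that they are installed on behalf of a sibling SRG. Because `grep` runs over `/etc/audit/rules.d/*` and `/etc/audit/audit.rules` in one call, each rule is printed with a file-name prefix and possibly twice, which the wording "If the above rules are not listed" should anticipate. Here too `2>/dev/null` hides a failed `oc debug`, so add that every node must print its hostname line.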
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml b/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml index 2578b4772b8..1ca17e91d50 100644 --- a/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml +++ b/controls/srg_ctr/SRG-APP-000292-CTR-000680.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000292-CTR-000680 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO when accounts - are modified. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
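Review bot: Retitling SRG-APP-000291 from notifying the SA/ISSO when accounts are created to merely generating audit rules changes what the row claims to satisfy: the new check only verifies that watch rules on the account files exist and says nothing about how anyone is notified of the resulting events. If the position is that producing and forwarding these audit records (by whatever mechanism the product relies on) is what meets the notification requirement, say so in the check text and reference the control that verifies that forwarding; otherwise an assessor reading the original SRG wording will not accept this evidence. The same recast is applied to SRG-APP-000292, -000293, -000294 and -000320 in this patch, so one agreed sentence could be reused in all of them.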
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml b/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml index dd7a3788211..5800ba9b671 100644 --- a/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml +++ b/controls/srg_ctr/SRG-APP-000293-CTR-000685.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000293-CTR-000685 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO for account - disabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
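Review bot: The `check` and `fixtext` blocks added here are byte-for-byte the same as those added to SRG-APP-000028, -000291 and the other account-audit controls in this patch, and they must stay identical for `rows_match` in create_srg_export to merge the rows; a one-character drift in any copy silently yields a separate STIG row rather than an error. Since these files already use Jinja (`{{{ full_name }}}` in the title), factoring the shared text into one macro or include and referencing it from each control would make the equality structural instead of accidental. If the project convention is that control check/fixtext must be plain YAML, at least add a comment on each copy naming the sibling controls that have to be kept in sync.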
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml b/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml index a7c7eff926c..de09bd7f702 100644 --- a/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml +++ b/controls/srg_ctr/SRG-APP-000294-CTR-000690.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000294-CTR-000690 levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSO for account - removal actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml b/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml index 173db7ba9e1..1ed84619d9b 100644 --- a/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml +++ b/controls/srg_ctr/SRG-APP-000319-CTR-000745.yml @@ -2,7 +2,7 @@ controls: - id: SRG-APP-000319-CTR-000745 levels: - medium - title: {{{ full_name }}} must automatically audit account-enabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -11,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml b/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml index 85d87d9d55a..a71893916ae 100644 --- a/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml +++ b/controls/srg_ctr/SRG-APP-000320-CTR-000750.yml @@ -2,8 +2,7 @@ controls: - id: SRG-APP-000320-CTR-000750 levels: - medium - title: {{{ full_name }}} must notify system administrator and ISSO of account - enabling actions. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - idp_is_configured - ocp_idp_no_htpasswd 
@@ -12,4 +11,64 @@ controls: rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. + fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: 
data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done diff --git a/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml b/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml index 70200b2ce3e..99c54f5aba4 100644 --- a/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml +++ b/controls/srg_ctr/SRG-APP-000509-CTR-001305.yml 
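Review bot: The ~60-line check/fixtext block added here is a verbatim copy of the one in the previous hunk and of the one added to `controls/srg_ctr/SRG-APP-000509-CTR-001305.yml`, so three controls now carry identical hand-written text that has to be edited in lockstep. If the exporter's new deduplication compares rows byte-for-byte (I cannot see that logic from this chunk), a single divergence such as one extra file watch in one copy would silently split what is presumably meant to be one row. These control files already use Jinja (`{{{ full_name }}}`), so the text could be lifted into a shared macro or include and referenced from each control, leaving one place to maintain; please confirm the intended dedup semantics either way.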
@@ -2,12 +2,71 @@ controls: - id: SRG-APP-000509-CTR-001305 levels: - medium - title: {{{ full_name }}} must generate audit records for all account creations, - modifications, disabling, and termination events. + title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions. related_rules: - audit_profile_set rules: - audit_rules_sysadmin_actions - audit_rules_usergroup_modification status: automated + check: |- + Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following: + for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done + + Confirm the following rules exist on each node: + -w /etc/group -p wa -k audit_rules_usergroup_modification + -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + -w /etc/passwd -p wa -k audit_rules_usergroup_modification + -w /etc/shadow -p wa -k audit_rules_usergroup_modification + + If the above rules are not listed on each node, this is a finding. 
+ fixtext: |- + Apply the machine config using the following command: + + for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do + echo "apiVersion: machineconfiguration.openshift.io/v1 + kind: MachineConfig + metadata: + name: 75-account-modifications-rules-$mcpool + labels: + machineconfiguration.openshift.io/role: $mcpool + spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0644 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + - contents: + source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules + overwrite: true + - contents: + source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A + mode: 0644 + path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules + overwrite: true + " | oc apply -f - + done From 6f5b204e0185eadf109081afebec1459e717da43 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 29 Jun 2023 21:18:27 +0200 Subject: [PATCH 3/3] Use prefer-controls in GH actions that generate OCP4 STIG exports --- .github/workflows/srg-mapping-table.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml
index 6486ecdfac2..17a048e45d5 100644
--- a/.github/workflows/srg-mapping-table.yaml
+++ b/.github/workflows/srg-mapping-table.yaml
@@ -32,11 +32,11 @@ jobs:
 - name: Create data directory
 run: mkdir -p $PAGES_DIR
 - name: Generate XLSX for OCP4
- run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-ocp4.xlsx
+ run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-ocp4.xlsx --prefer-controls
 env:
 PYTHONPATH: ${{ github.workspace }}
 - name: Generate HTML for OCP4
- run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html
+ run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html --prefer-controls
 env:
 PYTHONPATH: ${{ github.workspace }}
 - name: Generate XLSX for RHEL9