Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

create_srg_export: Enable reading check and fix from controls even if they have rules listed #10769

Merged
merged 3 commits into from
Jul 7, 2023
Merged

create_srg_export: Enable reading check and fix from controls even if they have rules listed #10769

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8074636
create_srg_export: Add a command-line flag to prefer check and fix fr…
jhrozek Jun 29, 2023
862145e
Amend several RHCOS controls to include a check and a fix
jhrozek Jun 29, 2023
6f5b204
Use prefer-controls in GH actions that generate OCP4 STIG exports
jhrozek Jun 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/srg-mapping-table.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,11 @@ jobs:
- name: Create data directory
run: mkdir -p $PAGES_DIR
- name: Generate XLSX for OCP4
run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-ocp4.xlsx
run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-ocp4.xlsx --prefer-controls
env:
PYTHONPATH: ${{ github.workspace }}
- name: Generate HTML for OCP4
run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html
run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html --prefer-controls
env:
PYTHONPATH: ${{ github.workspace }}
- name: Generate XLSX for RHEL9
Expand Down
58 changes: 58 additions & 0 deletions controls/srg_ctr/SRG-APP-000026-CTR-000070.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,62 @@ controls:
rules:
- audit_rules_sysadmin_actions
- audit_rules_usergroup_modification
check: |-
Verify Red Hat Enterprise Linux CoreOS (RHCOS) generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow".

Logging on as administrator, check the auditing rules in "/etc/audit/audit.rules" by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME: "; grep /etc/shadow /etc/audit/audit.rules /etc/audit/rules.d/*'; done

(Example output:
-w /etc/shadow -p wa -k identity)

If the command does not return a line, or the line is commented out, this is a finding.
fixtext: |-
Apply the machine config using the following command:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 75-account-modifications-rules-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A
mode: 0644
path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
overwrite: true
- contents:
source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules
overwrite: true
" | oc apply -f -
done
53 changes: 53 additions & 0 deletions controls/srg_ctr/SRG-APP-000027-CTR-000075.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,57 @@ controls:
rules:
- audit_rules_sysadmin_actions
- audit_rules_usergroup_modification
check: |-
Verify for each of the files that contain account information the system is configured to emit an audit event in case of a write, by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; for f in /etc/passwd /etc/group /etc/gshadow /etc/security/opasswd /etc/shadow /etc/sudoers /etc/sudoers.d/; do grep -q "\-w $f \-p wa \-k" /etc/audit/audit.rules || echo "rule for $f not found"; done' 2>/dev/null; done

If for any of the files a line saying "rule for $filename not found" is printed, this is a finding.
fixtext: |-
Apply the machine config using the following command:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 75-account-modifications-rules-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A
mode: 0644
path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
overwrite: true
- contents:
source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules
overwrite: true
" | oc apply -f -
done
62 changes: 61 additions & 1 deletion controls/srg_ctr/SRG-APP-000028-CTR-000080.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ controls:
- id: SRG-APP-000028-CTR-000080
levels:
- medium
title: {{{ full_name }}} must automatically audit account-disabling actions.
title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.
related_rules:
- idp_is_configured
- ocp_idp_no_htpasswd
Expand All @@ -11,4 +11,64 @@ controls:
rules:
- audit_rules_sysadmin_actions
- audit_rules_usergroup_modification
check: |-
Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done

Confirm the following rules exist on each node:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the above rules are not listed on each node, this is a finding.
fixtext: |-
Apply the machine config using the following command:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 75-account-modifications-rules-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A
mode: 0644
path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
overwrite: true
- contents:
source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules
overwrite: true
" | oc apply -f -
done
63 changes: 61 additions & 2 deletions controls/srg_ctr/SRG-APP-000291-CTR-000675.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,7 @@ controls:
- id: SRG-APP-000291-CTR-000675
levels:
- medium
title: {{{ full_name }}} must notify system administrators and ISSO when accounts
are created.
title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.
related_rules:
- idp_is_configured
- ocp_idp_no_htpasswd
Expand All @@ -12,4 +11,64 @@ controls:
rules:
- audit_rules_sysadmin_actions
- audit_rules_usergroup_modification
check: |-
Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done

Confirm the following rules exist on each node:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the above rules are not listed on each node, this is a finding.
fixtext: |-
Apply the machine config using the following command:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 75-account-modifications-rules-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A
mode: 0644
path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
overwrite: true
- contents:
source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules
overwrite: true
" | oc apply -f -
done
63 changes: 61 additions & 2 deletions controls/srg_ctr/SRG-APP-000292-CTR-000680.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,7 @@ controls:
- id: SRG-APP-000292-CTR-000680
levels:
- medium
title: {{{ full_name }}} must notify system administrators and ISSO when accounts
are modified.
title: {{{ full_name }}} must generate audit rules to capture account creation, modification, disabling, removal and enabling actions.
related_rules:
- idp_is_configured
- ocp_idp_no_htpasswd
Expand All @@ -12,4 +11,64 @@ controls:
rules:
- audit_rules_sysadmin_actions
- audit_rules_usergroup_modification
check: |-
Verify the audit rules capture account creation, modification, disabling, removal and enabling actions by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e user-modify -e group-modify -e audit_rules_usergroup_modification /etc/audit/rules.d/* /etc/audit/audit.rules' 2>/dev/null; done

Confirm the following rules exist on each node:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification

If the above rules are not listed on each node, this is a finding.
fixtext: |-
Apply the machine config using the following command:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 75-account-modifications-rules-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A
mode: 0644
path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
overwrite: true
- contents:
source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules
overwrite: true
- contents:
source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
mode: 0644
path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules
overwrite: true
" | oc apply -f -
done
Loading
Loading