Add RHEL 9 STIG #11193

Merged
merged 68 commits into from
Oct 31, 2023

Conversation

@Mab879 Mab879 commented Oct 11, 2023

Description:

  • Add RHEL 9 STIG IDs
  • Make the RHEL 9 STIG not a draft

Rationale:

Make the RHEL 9 STIG not a draft.

@Mab879 Mab879 added Highlight This PR/Issue should make it to the featured changelog. RHEL9 Red Hat Enterprise Linux 9 product related. Update Profile Issues or pull requests related to Profiles updates. STIG STIG Benchmark related. labels Oct 11, 2023
@Mab879 Mab879 added this to the 0.1.71 milestone Oct 11, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 11, 2023
openshift-ci bot commented Oct 11, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions

Start a new ephemeral environment with changes proposed in this pull request:

  • rhel8 (from CTF) Environment (using Fedora as testing environment)
  • Fedora Testing Environment
  • Oracle Linux 8 Environment

@Mab879 Mab879 force-pushed the add_rhel9_stig branch 2 times, most recently from 6397d5b to 02c9865 Compare October 17, 2023 14:37
Due to crypto policy rules this rule should be pulled, as the STIG only checks if the system policy is FIPS.
Comment on lines 68 to 73

    title: RHEL 9 must enable the hardware random number generator entropy gatherer
      service.
    rules:
    - service_rngd_enabled
    status: automated
Member


Sounds like the service_rngd_enabled must be completely purged out from the RHEL9 STIG: #10153

If that is really true, then we have to request this back to DISA.

Member Author


So in virtual machines of RHEL 9.4 it seems that rngd is running with FIPS mode on. However, since the tests are failing here I will pull it.

It is causing testing issues and may not be worth it.
@Mab879 Mab879 marked this pull request as ready for review October 24, 2023 13:22
@Mab879 Mab879 requested a review from a team as a code owner October 24, 2023 13:22
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 24, 2023
@ggbecker
Member

@vojtapolasek this is the comment about comparison of profiles I mentioned: #8580 (comment)

The strategy here is basically to build the profile using the main branch, then save the built profile that you can find in build/rhel9/profiles/stig.profile, then switch to the contents of this pull request, build again and compare the built profile with the older one.

There should be no differences between the two profiles, unless there is something required to be removed/added.

Commands will look like this:

./build_product rhel9 --debug --datastream-only

python build-scripts/profile_tool.py sub --profile2 build/rhel9/profiles/stig.profile --profile1 old_stig.profile --ssg-root . --product rhel9 --build-config-yaml build/build_config.yml

parser.add_argument("reference", type=str,
                    help="Required reference system to check for")
parser.add_argument("--exclude", "-e", type=str,
                    help="A comma separated list of rules to be ignored")
Collaborator


Suggested change
help="A comma separated list of rules to be ignored")
help="A comma separated list of rules to be ignored")

@@ -225,6 +225,14 @@ if(PYTHON_VERSION_MAJOR GREATER 2 AND SSG_PRODUCT_RHEL9)
ssg_refcheck_test("rhel9" "cis" "cis")
ssg_refcheck_test("rhel9" "ccn_basic" "ccn")
ssg_refcheck_test("rhel9" "ccn_advanced" "ccn")
# This can moved back the macro once enable_authselect has a stigid
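Review bot: the comment closing the hunk, "# This can moved back the macro once enable_authselect has a stigid", is missing two words and should read "This can be moved back into the macro once enable_authselect has a stigid". The header (+225,14) shows eight added lines here while the only visible RHEL 9 entries are the ssg_refcheck_test calls for cis and ccn, so the stig case is being spelled out beside the macro rather than through it; since the same PR gives the checker an --exclude option ("A comma separated list of rules to be ignored"), passing that exclusion as an optional macro argument would keep the stig line a one-line ssg_refcheck_test call and nothing would need to be moved back later.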
Collaborator


Don't increase technical debt. I think it would be better to add a parameter to the macro instead of copying the macro code.

Comment on lines 99 to 110

  - id: RHEL-09-211055
    levels:
    - medium
    title: RHEL 9 debug-shell systemd service must be disabled.
    status: automated

    rules:
    - service_debug-shell_disabled
  - id: RHEL-09-212010
    levels:
    - medium
    title: RHEL 9 must require a boot loader superuser password.
Collaborator


Empty line 104 causes visually confusing formatting.

@vojtapolasek vojtapolasek self-assigned this Oct 26, 2023
Collaborator

@vojtapolasek vojtapolasek left a comment


Hello @Mab879 and thank you for this important contribution.
I have reviewed the profile. Actually, instead of the tool @ggbecker suggested, I built the old and new profiles, sorted both files, and performed a diff. The result is very similar, but sometimes it provides better context.
See my suggestions.
I have one general question - I see that we do not build STIG HTML tables for RHEL 9. Is this intentional?

@vojtapolasek
Collaborator

Hello @Mab879 and thank you for the changes. I see you modified the control file, but you did not modify the references in rule.yml. Here is the output of ctest:

Rule aide_scan_notification lacks required reference stigid or stigid@rhel9
Rule dconf_gnome_disable_autorun lacks required reference stigid or stigid@rhel9
Rule sysctl_kernel_unprivileged_bpf_disabled lacks required reference stigid or stigid@rhel9
Rule audit_rules_privileged_commands_mount lacks required reference stigid or stigid@rhel9

Please fix these references. Also please ensure that you remove STIG RHEL 9 references from rules which we decided to remove from the profile.
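The reference check that this ctest run is reporting, as an added stdlib-only example (not ComplianceAsCode's profile_tool or refcheck code): it reads a constructed controls/stig_rhel9.yml fragment and constructed rule.yml references blocks, reports rules selected by the control file that lack a stigid@rhel9 reference, and also covers the reverse case asked for above, a rule dropped from the profile that still carries the reference. The RHEL-09 ids, the rule file contents and the line-based reader are assumptions made for the example.

```python
"""Cross-check a STIG control file against rule.yml references.
Added example, not ComplianceAsCode's refcheck tooling: reports selected
rules lacking stigid@rhel9 (the ctest message above) and the reverse case,
a rule dropped from the profile that still carries the reference."""
import re

# Constructed controls fragment; the RHEL-09 ids are placeholders.
CONTROL_FILE = """\
controls:
  - id: RHEL-09-000001
    levels:
    - medium
    rules:
    - aide_scan_notification
    - service_debug-shell_disabled
  - id: RHEL-09-000002
    rules:
    - dconf_gnome_disable_autorun
"""

RULE_FILES = {  # rule id -> constructed rule.yml references block
    "aide_scan_notification": "references:\n    stigid@rhel9: RHEL-09-000001\n",
    "service_debug-shell_disabled": "references:\n    cis@rhel9: 1.4.1\n",
    "dconf_gnome_disable_autorun": "references:\n    stigid@rhel9: RHEL-09-000002\n",
    # removed from the profile, but the reference was left behind
    "service_rngd_enabled": "references:\n    stigid@rhel9: RHEL-09-000003\n",
}

def control_rules(text):
    """Map rule id -> control id for every rule listed under 'rules:'."""
    mapping, control_id, in_rules = {}, None, False
    for line in text.splitlines():
        m = re.match(r"^\s*-\s+id:\s*(\S+)", line)
        if m:
            control_id, in_rules = m.group(1), False
        elif re.match(r"^\s*rules:\s*$", line):
            in_rules = True
        elif in_rules and re.match(r"^\s*-\s+\S+\s*$", line):
            mapping[line.split("-", 1)[1].strip()] = control_id
        elif line.strip():
            in_rules = False  # any other key ends the rules list
    return mapping

def rule_stigids(rule_yaml, product="rhel9"):
    """Collect stigid@<product> values from a rule.yml references block."""
    pat = re.compile(r"^\s*stigid@%s:\s*(\S+)" % re.escape(product))
    return {m.group(1) for m in map(pat.match, rule_yaml.splitlines()) if m}

def refcheck(control_text, rule_files, product="rhel9"):
    """Return (missing, stale): selected rules without the reference, and
    rules carrying the reference that the control file no longer selects."""
    wanted = control_rules(control_text)
    has_ref = {r for r, y in rule_files.items() if rule_stigids(y, product)}
    missing = sorted(r for r in wanted if r not in has_ref)
    stale = sorted(has_ref - set(wanted))
    return missing, stale

if __name__ == "__main__":
    for rule in refcheck(CONTROL_FILE, RULE_FILES)[0]:
        print("Rule %s lacks required reference stigid or stigid@rhel9" % rule)
```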

@codeclimate

codeclimate bot commented Oct 30, 2023

Code Climate has analyzed commit 4522aef and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category    Count
Complexity  2

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.4%.

View more on Code Climate.

@vojtapolasek
Collaborator

Thank you @Mab879 for adding the new STIG profile. I am merging the PR.
I don't see the SLE 15 automatus failure as relevant for this PR because the PR touches rules only with regard to their references; it does not touch functionality.
The Codeclimate warning is valid, but I think it should be solved as part of a different PR.

@vojtapolasek vojtapolasek merged commit 3a89685 into ComplianceAsCode:master Oct 31, 2023
36 of 38 checks passed
@Mab879 Mab879 deleted the add_rhel9_stig branch October 31, 2023 13:23
alanmcanonical pushed a commit to alanmcanonical/CaC_content that referenced this pull request Aug 14, 2024
Too many disruptive changes to cherry pick.