Creation of Australian ISM 'Official' RHEL 8 profile #5861
Can one of the admins verify this patch? |
Hi @wcushen. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Force-pushed 91bb82f to 69f934e
@openscap-ci ok to test
rhel8/profiles/ism_o.profile (outdated)
- accounts_password_minlen_login_defs
- accounts_password_pam_minclass
- accounts_password_pam_minlen
- accounts_password_pam_pwquality
This is similar. The rule accounts_password_pam_pwquality doesn't exist; it is just a check that's embedded in the other accounts_password_pam_.* rules.
Updated @jan-cerny wcushen@f90d535
## Secure Shell access
## Identifiers 1506 / 1449 / 0487
- sshd_version_equal_or_higher_than_74
- sshd_allow_only_protocol2
The rule sshd_version_equal_or_higher_than_74 doesn't exist; it's a mere OVAL check that is part of the rule sshd_allow_only_protocol2. I think it's enough to keep only the rule sshd_allow_only_protocol2 selected. If for some reason you need a separate rule for the SSH version, you will have to create a rule directory and a rule.yml which uses this check.
If sshd_allow_only_protocol2 covers https://www.tenable.com/plugins/nessus/93194, then feel free to remove.
Removed here wcushen@a50c2a6
Correct me if I am wrong, but I believe that there is no longer a way to configure Protocol version 2 in RHEL8+
I have seen it cited in a few RHEL 8 profiles:
RH CCP: content/rhel8/profiles/rht-ccp.profile, line 90 in ebb41ed: - sshd_allow_only_protocol2
CJIS: content/rhel8/profiles/cjis.profile, line 94 in ebb41ed: - sshd_allow_only_protocol2
HIPAA: content/rhel8/profiles/hipaa.profile, line 52 in 4edc9b1: - sshd_allow_only_protocol2
> Correct me if I am wrong, but I believe that there is no longer a way to configure Protocol version 2 in RHEL8+

You are correct.
The rule has a conditional on the SSH version: if OpenSSH is 7.3 or older, it checks for the configuration: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml#L22
For RHEL8+, the rule becomes just a check for the OpenSSH version.
@yuumasato So we can omit it if RHEL 8+ has rebased to OpenSSH version 7.8p1 (i.e. no longer supports protocol 1)?
@wcushen Yeah, RHEL8+ OpenSSH packages don't provide choice to switch to protocol 1.
If the policy explicitly calls out a check for protocol 2, the rule should probably be there.
Ultimately it is up to you to decide whether to omit the rule or not.
@yuumasato If it's cited in other RHEL 8 profile (CJIS, HIPAA, RH CCP) it'd be good to keep to maintain consistency - even it does just represent a check of the version.
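The version-conditional logic discussed above, written out as an added shell example (not the project's OVAL and not code from any participant). It assumes the version string has the `OpenSSH_X.Yp1` shape printed by `ssh -V`, uses 7.4 as the threshold below which an explicit `Protocol 2` directive is required, and takes the sshd_config path as a parameter so it can be run against a constructed file:

```shell
#!/bin/sh
# Added example mirroring the conditional described for
# sshd_allow_only_protocol2: on OpenSSH 7.4+ protocol 1 no longer exists,
# so only the version is checked; on 7.3 or older the config must say
# "Protocol 2". The 7.4 threshold and the version-string format are
# assumptions of this example, not taken from the project's OVAL.

# Return 0 if "$1" (e.g. OpenSSH_7.8p1) is OpenSSH 7.4 or newer, 2 if unparsable.
sshd_version_ge_74() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -ge 4 ] && return 0
    return 1
}

# Return 0 if the sshd_config at "$1" restricts the daemon to protocol 2:
# the last uncommented "Protocol" directive must be exactly "2"
# ("2,1" or "1" fail, as does a missing directive).
sshd_config_protocol2_only() {
    grep -Ei '^[[:space:]]*Protocol[[:space:]]+' "$1" \
        | tail -n 1 \
        | grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$'
}

# Combined check: version string first, config only when the version is old.
sshd_allow_only_protocol2_check() {
    version="$1"; config="$2"
    if sshd_version_ge_74 "$version"; then
        return 0
    fi
    sshd_config_protocol2_only "$config"
}
```

On a RHEL 8 host the version argument would come from `ssh -V 2>&1 | cut -d, -f1` and the config from `/etc/ssh/sshd_config`; the point of the example is that the second branch is dead code there, which is why the thread treats the rule as a version check only.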
rhel8/profiles/ism_o.profile (outdated)
## Identifiers 1418
- package_usbguard_installed
- service_usbguard_enabled
- usbguard_rules_not_empty_not_missing
This is also not a rule, it is just a check used in different usbguard rules. Please see rules in the services/usbguard directory.
Removed @vojtapolasek wcushen@4ff7f45
rhel8/profiles/ism_o.profile (outdated)
- rsyslog_remote_loghost
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- service_ntpd_enabled
The supported NTP software on RHEL 8 is Chrony, afaik. Could you change the selections? We have some rules for Chrony; see the services/ntp folder.
Thank you @vojtapolasek. Swapped out ntpd for Chrony wcushen@d713d44
rhel8/profiles/ism_o.profile (outdated)
## Identifiers 0584 / 0582 / 0585 / 0586 / 0846 / 0957
- display_login_attempts
- sebool_auditadm_exec_content
- audit_rules_privileged_commands_pam_timestamp_check
I think you don't need this explicit rule if you use audit_rules_privileged_commands. audit_rules_privileged_commands is a dynamic rule which checks for privileged commands on the system; see the description. Therefore, if the binary pam_timestamp_check is installed, it will be included. @yuumasato am I right?
Yes, audit_rules_privileged_commands covers all setuid and setgid binaries, and checks the rpm database to see if it is expected. audit_rules_privileged_commands_pam_timestamp_check is specific to pam_timestamp_check only.
@vojtapolasek @yuumasato Removed pam_timestamp_check wcushen@e9cbc6a
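What a dynamic "privileged commands" rule has to do on each host, as an added shell example (not the project's remediation and not code from any participant): walk a tree for setuid/setgid executables and emit one auditctl(8) rule per binary. The key name `privileged`, the `auid>=1000`/`auid!=unset` filters and the tree root parameter are this example's choices; the rpm-database cross-check mentioned above is not included:

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid executables below a root directory
# and print an audit watch for each. The root is a parameter so the script
# can be exercised against a constructed tree instead of /usr.

# Print the path of every regular file with the setuid or setgid bit set.
find_privileged_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Emit one audit rule for a binary. auid>=1000 keeps system accounts out of
# the log and auid!=unset skips processes without a login session.
# The key "privileged" is this example's choice.
audit_rule_for() {
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n' "$1"
}

# Generate the full rule set for a tree: one line per setuid/setgid binary.
generate_privileged_rules() {
    find_privileged_binaries "$1" | while IFS= read -r path; do
        audit_rule_for "$path"
    done
}

# Number of rules that would be generated (handy for a quick consistency check).
count_privileged_rules() {
    generate_privileged_rules "$1" | wc -l | tr -d ' '
}
```

Run as `generate_privileged_rules /usr > /etc/audit/rules.d/privileged.rules` the output covers pam_timestamp_check automatically when that binary carries the setuid bit, which is the reason the thread drops the per-binary rule in favour of the dynamic one.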
Thank you very much for this contribution. I did some testing. ansible: As I said, there are still some suggestions which will improve the profile. I am also waiting for #5870 to be reviewed and merged, as currently the profile Ansible playbook ends with a fatal failure.
/retest
@vojtapolasek Thank you so much for your review! I've committed the suggestions.
## Authentication hardening
## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560
## 1561 / 0421 / 1557 / 0422 / 1558 / 1403 / 0431
@wcushen these identifiers need to be added to the rules themselves vs the profile via new references for e8 and ism.
I can do this in a follow on PR if you prefer.
@redhatrises Yes noted. The thinking with @shaneboulden was that once merged, we would go back over each control and add the ISM identifiers in the main content.
So I think a follow on PR is preferred here.
Can you please rebase on current master? I noticed that some errors, e.g. the problem with Ansible, are already fixed. I will do another round of tests based on the master branch; we might get much better results.
## ASD Approved Cryptopgraphic Algorithims
## Identifiers 1446
- enable_dracut_fips_module
- enable_fips_mode
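Review bot: the section comment on the first line misspells "Cryptographic Algorithms" as "Cryptopgraphic Algorithims"; since these comment headers are what readers grep for when mapping selections back to ISM identifiers, fix the spelling before merge.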
For this rule to pass, you also have to include:
- var_system_crypto_policy=fips_ospp
- configure_crypto_policy
This will configure the system-wide crypto policy to "fips". Make sure that this IS what you want.
Updated via wcushen@c05588a
I've opted for var_system_crypto_policy=fips, not fips_ospp. Is that OK @vojtapolasek?
Updated again to wcushen@dbc698d to align with the default_nosha1 set in Essential Eight RHEL 8:
content/rhel8/profiles/e8.profile, line 135 in 4d3d544: - var_system_crypto_policy=default_nosha1
You were thinking right, the variable will be picked up from the parent profile. However, be aware that the rule enable_fips_mode will fail if the policy is set to default-nosha1. That stems from its definition.
@vojtapolasek Now been updated to specify fips
https://github.com/wcushen/content/blob/master/rhel8/profiles/ism_o.profile#L145
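The dependency discussed above between enable_fips_mode and the system-wide crypto policy, as an added shell example (not the project's OVAL and not code from any participant). It assumes the policy-name mapping of the profile variable (fips -> FIPS, fips_ospp -> FIPS:OSPP, default_nosha1 -> DEFAULT:NO-SHA1) and takes the two files as parameters; on a real RHEL 8 host they would be /etc/crypto-policies/config and /proc/sys/crypto/fips_enabled:

```shell
#!/bin/sh
# Added example: check that the kernel FIPS flag and the system-wide
# crypto policy agree, which is the condition the reviewer says
# enable_fips_mode needs. DEFAULT:NO-SHA1 fails even with the kernel flag
# on, matching the thread. File paths are parameters so the check can be
# run against constructed copies. The exact contents the project's OVAL
# inspects are an assumption here.

# Print the active policy name from a crypto-policies config file,
# ignoring comment and blank lines and surrounding whitespace.
crypto_policy_name() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1 | tr -d '[:space:]'
}

# Return 0 if the fips_enabled file reports "1".
kernel_fips_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Return 0 only when the kernel flag is on AND the policy is FIPS or a
# FIPS-based subpolicy (e.g. FIPS:OSPP). Anything else is a failure.
fips_mode_consistent() {
    policy_file="$1"; fips_file="$2"
    kernel_fips_enabled "$fips_file" || return 1
    case "$(crypto_policy_name "$policy_file")" in
        FIPS|FIPS:*) return 0 ;;
        *) return 1 ;;
    esac
}
```

The two-part test is the practical caveat: `fips-mode-setup --enable` flips the kernel flag and sets the policy together, but a later `update-crypto-policies --set DEFAULT:NO-SHA1` (what the parent e8 profile selects) silently breaks the second half, which is what the reviewer warned about.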
## Endpoint device control software
## Identifiers 1418
- package_usbguard_installed
- service_usbguard_enabled
For some reason the service fails to start after remediation of the profile. It seems like problem on usbguard side. I will report a bug after we merge this.
@vojtapolasek I noticed an error during one of the builds the other day regarding the presence of I thought maybe it requires a var but it is present in RHEL7 STIG without one. https://github.com/wcushen/content/blob/master/rhel8/profiles/ism_o.profile#L34
- Updated MFA refs (i.e. CAC card)
- Removed sebool yubikey
Thank you for all the changes. The PR looks good to me and I am merging it. Actually some failing rules might have been caused by my testing system; for example, I no longer see service_usbguard_enabled failing. Feel free to file upstream issues for rules which are failing and we will do our best to investigate them.
Description:
Pull Request to merge ISM Official YAML profile (RHEL 8) as part of the work done by Red Hat ANZ to extend ACSC Essential Eight profile for customers in the region.
This profile represents the first of four 'applicability markings' (see page 2) set by the Australian Attorney-General’s Department. This profile represents the 'OFFICIAL' baseline.
https://www.cyber.gov.au/sites/default/files/2019-03/ISM_01_Cyber_Security_Framework.pdf
Rationale:
New SCAP profile. No amendments have been made to any existing codebase.