
Update rules for RHEL 9 STIG #9527

Merged
merged 17 commits into from
Sep 21, 2022

Conversation

jan-cerny
Collaborator

Description:

According to feedback from DISA, we updated some rules and their OCIL, fixtext, SRG requirements, etc.

Rationale:

Update the rules for RHEL 9 STIG.

@jan-cerny added the labels RHEL9 (Red Hat Enterprise Linux 9 product related), Update Rule (Issues or pull requests related to Rules updates) and STIG (STIG Benchmark related) on Sep 13, 2022

github-actions bot commented Sep 13, 2022

This datastream diff is auto-generated by the check Compare DS/Generate Diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' differs.
--- ocil:ssg-ensure_gpgcheck_globally_activated_ocil:questionnaire:1
+++ ocil:ssg-ensure_gpgcheck_globally_activated_ocil:questionnaire:1
@@ -1,9 +1,9 @@
-To determine whether yum is configured to use gpgcheck,
-inspect /etc/yum.conf and ensure the following appears in the
-[main] section:
+Verify that yum verifies the signature of packages from a repository prior to install with the following command:
+
+$ grep gpgcheck /etc/yum.conf
+
 gpgcheck=1
-A value of 1 indicates that gpgcheck is enabled. Absence of a
-gpgcheck line or a setting of 0 indicates that it is
-disabled.
- Is it the case that GPG checking is not enabled?
+
+If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
+ Is it the case that there is no process to validate certificates that is approved by the organization?
 
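Review bot: `$ grep gpgcheck /etc/yum.conf` on the `+` side also prints a commented-out line such as `#gpgcheck=0`, so the expected output `gpgcheck=1` alone does not tell the auditor whether the setting is active, and the removed text's restriction to the `[main]` section is lost. Anchoring the pattern (`grep -w '^gpgcheck' /etc/yum.conf`) or stating that only an uncommented `gpgcheck=1` in `[main]` counts would keep the precision of the old wording while still leading into the "ask the System Administrator" step.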
OCIL for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' differs.
--- ocil:ssg-ensure_gpgcheck_local_packages_ocil:questionnaire:1
+++ ocil:ssg-ensure_gpgcheck_local_packages_ocil:questionnaire:1
@@ -1,7 +1,9 @@
-To verify that localpkg_gpgcheck is configured properly, run the following
-command:
+Verify that yum verifies the signature of local packages prior to install with the following command:
+
 $ grep localpkg_gpgcheck /etc/yum.conf
-The output should return something similar to:
+
 localpkg_gpgcheck=1
- Is it the case that gpgcheck is not enabled or configured correctly to verify local packages?
+
+If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified.
+ Is it the case that there is no process to validate certificates for local packages that is approved by the organization?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1
+++ ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1
@@ -1,11 +1,25 @@
-To verify that tmux is configured to execute,
-run the following command:
-$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*
-The output should return the following:
+Verify Red Hat Enterprise Linux 8 shell initialization file is configured to start each shell with the tmux terminal multiplexer.
+
+Determine the location of the tmux script with the following command:
+
+$ sudo grep tmux /etc/bashrc /etc/profile.d/*
+
+/etc/profile.d/tmux.sh: case "$name" in (sshd|login) exec tmux ;; esac
+
+Review the tmux script by using the following example:
+
+$ cat /etc/profile.d/tmux.sh
+
 if [ "$PS1" ]; then
- parent=$(ps -o ppid= -p $$)
- name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) exec tmux ;; esac
+parent=$(ps -o ppid= -p $$)
+name=$(ps -o comm= -p $parent)
+case "$name" in (sshd|login) exec tmux ;; esac
 fi
- Is it the case that exec tmux is not present at the end of bashrc?
+
+If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.
+
+Determine if tmux is currently running with the following command:
+
+$ sudo ps all | grep tmux | grep -v grep
+ Is it the case that the command does not produce output?
 
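Review bot: the last step (`$ sudo ps all | grep tmux | grep -v grep` with the question "the command does not produce output") tests runtime state rather than configuration: on a host with no active sshd or login session there is no tmux process even when /etc/profile.d/tmux.sh is exactly as shown, so the question raises a finding that the script review above it already rules out. Consider tying the final question to the script contents only, or marking the ps step as informational. Also confirm that "Red Hat Enterprise Linux 8" in the `+` title is rendered from `{{{ full_name }}}` rather than typed literally, since this PR targets the RHEL 9 STIG.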
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time' differs.
--- ocil:ssg-configure_tmux_lock_after_time_ocil:questionnaire:1
+++ ocil:ssg-configure_tmux_lock_after_time_ocil:questionnaire:1
@@ -1,14 +1,13 @@
-To verify that session locking after period of inactivity is configured in tmux,
-run the following command:
+Verify Red Hat Enterprise Linux 8 initiates a session lock after 15 minutes of inactivity.
 
-$ sudo grep lock-after-time /etc/tmux.conf
+Check the value of the system inactivity timeout with the following command:
 
-The output should return the following:
+$ grep -i lock-after-time /etc/tmux.conf
 
 set -g lock-after-time 900
 
 Then, verify that the /etc/tmux.conf file can be read by other users than root:
 
 $ sudo ls -al /etc/tmux.conf
- Is it the case that lock-after-time is set to a value greater than 900 or zero?
+ Is it the case that "lock-after-time" is not set to "900" or less in the global tmux configuration file to enforce session lock after inactivity?
 
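Review bot: the new question ("not set to "900" or less") drops the "or zero" condition of the removed line. In tmux, `lock-after-time 0` disables the inactivity lock entirely, so a value of 0 satisfies "900 or less" while defeating the control; keep the zero case explicit, for example "not set to a value between 1 and 900".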
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command' differs.
--- ocil:ssg-configure_tmux_lock_command_ocil:questionnaire:1
+++ ocil:ssg-configure_tmux_lock_command_ocil:questionnaire:1
@@ -1,13 +1,11 @@
-To verify that vlock is configured as a locking mechanism in tmux, run the following command:
+Verify Red Hat Enterprise Linux 8 enables the user to initiate a session lock with the following command:
 
-$ sudo grep lock-command /etc/tmux.conf
-
-The output should return the following:
+$ grep lock-command /etc/tmux.conf
 
 set -g lock-command vlock
 
 Then, verify that the /etc/tmux.conf file can be read by other users than root:
 
 $ sudo ls -al /etc/tmux.conf
- Is it the case that lock-command is not set?
+ Is it the case that the "lock-command" is not set in the global settings to call "vlock"?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers' differs.
--- ocil:ssg-configure_opensc_card_drivers_ocil:questionnaire:1
+++ ocil:ssg-configure_opensc_card_drivers_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To verify that is configured
-as the smart card driver, run the following command:
+Verify that Red Hat Enterprise Linux 8 loads the driver with the following command:
+
 $ grep card_drivers /etc/opensc.conf
-The output should return something similar to:
+
 card_drivers = ;
- Is it the case that the smart card driver is not configured correctly?
+ Is it the case that "<sub idref="var_smartcard_drivers" />" is not listed as a card driver, or there is no line returned for "card_drivers"?
 
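Review bot: the `+` question contains the literal `<sub idref="var_smartcard_drivers" />`, while the same variable renders as an empty string in the context line `card_drivers = ;` and in "loads the driver with". Either the substitution is not applied inside the OCIL question element or the variable has no value for the product this diff was generated for; in both cases the auditor would see an empty or raw placeholder, so check how the variable is substituted in the question text before merging.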
OCIL for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' differs.
--- ocil:ssg-auditd_data_retention_space_left_action_ocil:questionnaire:1
+++ ocil:ssg-auditd_data_retention_space_left_action_ocil:questionnaire:1
@@ -1,8 +1,9 @@
-Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured to email the administrator when
-disk space is starting to run low:
-$ sudo grep space_left_action /etc/audit/auditd.conf
-space_left_action
-Acceptable values are email, suspend, single, and halt.
- Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low?
+Verify Red Hat Enterprise Linux 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:
+
+$ sudo grep -w space_left_action /etc/audit/auditd.conf
+
+space_left_action = 
+
+If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.
+ Is it the case that there is no evidence that real-time alerts are configured on the system?
 
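Review bot: the expected output `space_left_action = ` and the condition `not set to ""` render with an empty value, so the variable behind them resolves to nothing in this datastream; confirm it is bound for the product this diff was generated for, otherwise the auditor is told to compare against an empty string. The removed line listed the acceptable actions (email, suspend, single, halt); if the variable is expected to be one of those, the text could still say so.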
OCIL for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage' differs.
--- ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1
+++ ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1
@@ -1,5 +1,7 @@
-Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured correctly:
-space_left PERCENTAGE%
- Is it the case that the system is not configured with a specific percentage to notify administrators of an issue?
+Verify Red Hat Enterprise Linux 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:
+
+$ sudo grep -w space_left /etc/audit/auditd.conf
+
+space_left = %
+ Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value?
 
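Review bot: the `+` question on the last line runs the instruction "ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO" and the fragment "If the "space_left" value is not configured to the correct value?" into the question itself, so it no longer reads as one yes/no question. Following the pattern of the space_left_action hunk, move the "If ... ask the System Administrator ..." sentence into the body above and end with a single condition, e.g. "Is it the case that "space_left" is not set to N% of the storage volume allocated to audit logs, or the line is commented out?". The rendered `space_left = %` also shows the percentage variable resolving to an empty value here.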
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports' differs.
--- ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1
+++ ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1
@@ -1,5 +1,8 @@
 Inspect the list of enabled firewall ports and verify they are configured correctly by running
 the following command:
+
 $ sudo firewall-cmd --list-all
- Is it the case that the firewalld rules are not configured?
+
+Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA.
+ Is it the case that there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), or there are no firewall rules configured?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_backtraces' differs.
--- ocil:ssg-coredump_disable_backtraces_ocil:questionnaire:1
+++ ocil:ssg-coredump_disable_backtraces_ocil:questionnaire:1
@@ -1,5 +1,7 @@
-Verify that logging core dump backtraces is disabled, run the
-following command:
-$ grep ProcessSizeMax /etc/systemd/coredump.conf
- Is it the case that ProcessSizeMax is not set to zero?
+Verify Red Hat Enterprise Linux 8 disables core dump backtraces by issuing the following command:
+
+$ grep -i process /etc/systemd/coredump.conf
+
+ProcessSizeMax=0
+ Is it the case that the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
 
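Review bot: `$ grep -i process /etc/systemd/coredump.conf` is looser than the removed `grep ProcessSizeMax`: it is case-insensitive and matches any line containing "process", including a commented-out `#ProcessSizeMax=` line, which the expected output `ProcessSizeMax=0` does not distinguish from an active setting. `grep -i '^ProcessSizeMax' /etc/systemd/coredump.conf` would return only the uncommented value the question asks about.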
OCIL for rule 'xccdf_org.ssgproject.content_rule_fapolicyd_prevent_home_folder_access' differs.
--- ocil:ssg-fapolicyd_prevent_home_folder_access_ocil:questionnaire:1
+++ ocil:ssg-fapolicyd_prevent_home_folder_access_ocil:questionnaire:1
@@ -1,4 +1,5 @@
 Verify that fapolicyd on Red Hat Enterprise Linux 8 prevents ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
+
 Run the following command:
 
 grep -r "deny_audit perm=chmod path=/home" /etc/fapolicyd/rules.d

@vojtapolasek vojtapolasek self-assigned this Sep 14, 2022
@@ -27,5 +27,6 @@ controls:
- var_account_disable_post_pw_expiration=35
- var_auditd_action_mail_acct=root
- var_auditd_space_left_percentage=25pc
- var_auditd_admin_space_left_percentage=5pc
Collaborator


Why not add this to the relevant srg_gpos file in the subdirectory? It would be closer to the related rule. Or are you following some coding rule?

@jan-cerny
Collaborator Author

I have moved variable setting to SRG.

Collaborator

@vojtapolasek vojtapolasek left a comment


Thank you for this update. Please see my comments.


<pre>set -g lock-after-time 900</pre>

Then, verify that the /etc/tmux.conf file can be read by other users than root:
Collaborator


Note that removing this part of OCIL makes OCIL cover only part of the rule. The check and remediations are considering permissions on /etc/tmux.conf.

Collaborator Author


Well noted.

regexp: '^\s*admin_space_left\s*=\s*.*$'
state: present
create: yes
#notify: reload auditd
Collaborator


What is this good for?

Collaborator Author


It's a copy paste problem.

gpgcheck=1

srg_requirement: |-
{{{ full_name }}} must have GPG checking enabled in the {{{ pkg_manager }}} package manager.
{{{ full_name }}} must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
{{{ full_name }}} must have GPG checking enabled in the {{{ pkg_manager }}} package manager.
Collaborator


Are you sure that srg_requirement should have two entries like this?

Collaborator Author


It shouldn't be there.


ocil: |-
To verify that <tt>localpkg_gpgcheck</tt> is configured properly, run the following
command:
Verify that dnf verifies the signature of local packages prior to install with the following command:
Collaborator


I think DNF can be replaced by the Jinja variable here.

Collaborator Author


Yes.

In RHEL 9 STIG, there is a requirement configuring the admin_space_left
option in /etc/audit/auditd.conf, which is a different option from the
space_left option. The RHEL 9 STIG configures both of these options,
so we can't just modify rule auditd_data_retention_space_left_percentage
but we need to keep it and create a new rule for the admin_space_left
option.
Moves the variable setting to SRG where this variable is used
to make the assignments closer to each other.
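The two thresholds the commit message above distinguishes, space_left and admin_space_left, are easy to confuse in a plain grep because one key name ends with the other, and the same goes for space_left versus space_left_action. The POSIX sh checker below is an added example written for this page, not ComplianceAsCode project code and not its OVAL or OCIL. It assumes the 25% and 5% thresholds shown in the control-file snippet above, takes the acceptable action names from the original OCIL text (email, suspend, single, halt), and the two auditd.conf samples it parses are constructed; on a real host you would pass `$(cat /etc/audit/auditd.conf)` instead.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode project code): a POSIX sh checker for
# the auditd.conf keys space_left, admin_space_left and their *_action keys.
# Configuration text is passed as a string so the example runs offline.

# Print the last active (uncommented) value of KEY from config text CONF.
# auditd.conf uses "key = value". Commented-out lines are skipped, and keys
# that merely contain KEY as a substring (admin_space_left vs space_left,
# space_left_action vs space_left) do not match because the pattern is
# anchored at line start and requires '=' right after the key.
auditd_value() {
    conf=$1
    key=$2
    printf '%s\n' "$conf" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
        | sed 's/[[:space:]]*$//' \
        | tail -n 1
}

# Return 0 if KEY is set to a percentage of at least MIN percent.
# A bare number in auditd.conf means megabytes, which the STIG text does not
# accept, so it fails here exactly like a missing or commented-out key.
check_percentage() {
    conf=$1
    key=$2
    min=$3
    val=$(auditd_value "$conf" "$key")
    case "$val" in
        *%) num=${val%?} ;;   # strip the trailing '%'
        *)  return 1 ;;
    esac
    [ "$num" -ge "$min" ] 2>/dev/null
}

# Return 0 if KEY is one of the alerting actions the original OCIL text
# listed as acceptable (email, suspend, single, halt).
check_action() {
    conf=$1
    key=$2
    case "$(auditd_value "$conf" "$key")" in
        email|suspend|single|halt) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all four checks; return 0 only if every one passes. The thresholds
# mirror the PR's control file: 25% for space_left, 5% for admin_space_left.
check_auditd_retention() {
    conf=$1
    check_percentage "$conf" space_left 25 \
        && check_action "$conf" space_left_action \
        && check_percentage "$conf" admin_space_left 5 \
        && check_action "$conf" admin_space_left_action
}

# Constructed sample configurations, not captured from a real host.
GOOD_CONF='# commented-out defaults must be ignored
#space_left = 75
space_left = 25%
space_left_action = email
admin_space_left = 5%
admin_space_left_action = single'

BAD_CONF='#space_left = 25%
space_left = 100
space_left_action = syslog
admin_space_left = 5%
admin_space_left_action = single'

if check_auditd_retention "$GOOD_CONF"; then
    echo "GOOD_CONF: pass"
else
    echo "GOOD_CONF: FAIL"
fi
if check_auditd_retention "$BAD_CONF"; then
    echo "BAD_CONF: pass"
else
    echo "BAD_CONF: FAIL (space_left is in megabytes, space_left_action is syslog)"
fi
```

The anchored `sed` pattern is the whole point: a reviewer reading `grep space_left /etc/audit/auditd.conf` gets four lines back (both keys and both actions, plus any commented defaults), while the OCIL question asks about exactly one of them.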
@jan-cerny
Collaborator Author

I have removed the comment from the Ansible remediation, replaced dnf by a variable, and removed the sentence from the SRG requirement field. Then, I have removed the removal of text related to permissions of the tmux config file, because we need to solve that separately.

@codeclimate

codeclimate bot commented Sep 15, 2022

Code Climate has analyzed commit 0370ae7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.4% (0.0% change).


@vojtapolasek
Copy link
Collaborator

LGTM. Thank you.

@vojtapolasek vojtapolasek merged commit d6027f8 into ComplianceAsCode:master Sep 21, 2022