OCP4 STIG: SRG-APP-000343-CTR-000780 and SRG-APP-000381-CTR-000905 ar…

…e covered by audit_rules_suid_privilege_function

controls/srg_ctr/SRG-APP-000343-CTR-000780.yml

@@ -3,8 +3,10 @@ controls:
  levels:
  - medium
  title: {{{ full_name }}} must audit the execution of privileged functions.
- rules:
+ related_rules:
  - directory_access_var_log_kube_audit
  - directory_access_var_log_oauth_audit
  - directory_access_var_log_ocp_audit
- status: inherently met
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated

controls/srg_ctr/SRG-APP-000381-CTR-000905.yml

@@ -4,16 +4,7 @@ controls:
  - medium
  title: {{{ full_name }}} must enforce access restrictions and support auditing
  of the enforcement actions.
- related_rules:
- - audit_profile_set
- status: inherently met
- artifact_description: |-
- Supporting evidence is in the following documentation
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
 
- https://docs.openshift.com/container-platform/latest/security/audit-log-policy-config.html
- status_justification: |-
- OpenShift comes with a robust RBAC system by default. Users are given Roles that are comprised of Actions they can or cannot perform. All interactions with the RBAC system are by way of the API Server. The API Server by default logs all activity for audit. The specific configuration for the level at which the API server logs interactions is configurable with the following steps:
- `oc edit apiserver cluster` 
- Observe the value referenced in the `spec.audit.profile` key.
- There are 3 options available for this key, all of which log the metadata for read and write requests. Those options are [Default, WriteRequestBodies, AllRequestBodies].
- https://docs.openshift.com/container-platform/latest/security/audit-log-policy-config.html

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/kubernetes/shared.yml

@@ -0,0 +1,13 @@
+---
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{%- macro audit_suid_privilege_function() -%}}
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
+{{% endmacro %}}
+{{{ kubernetes_machine_config_file(path="/etc/audit/rules.d/75-audit-suid-privilege-function.rules", file_permissions_mode='0600', source=audit_suid_privilege_function()) }}}

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml

@@ -41,6 +41,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+ cce@rhcos4: CCE-87439-6
  cce@rhel7: CCE-83555-3
  cce@rhel8: CCE-83556-1
  cce@rhel9: CCE-86402-5
@@ -53,7 +54,7 @@ references:
  cis@ubuntu2204: 4.1.3.2
  disa: CCI-001814,CCI-001882,CCI-001889,CCI-001880,CCI-001881,CCI-001878,CCI-001879,CCI-001875,CCI-001877,CCI-001914,CCI-002233,CCI-002234
  nist: CM-5(1),AU-7(a),AU-7(b),AU-8(b),AU-12(3),AC-6(9)
- srg: SRG-OS-000326-GPOS-00126,SRG-OS-000327-GPOS-00127
+ srg: SRG-OS-000326-GPOS-00126,SRG-OS-000327-GPOS-00127,SRG-APP-000343-CTR-000780,SRG-APP-000381-CTR-000905
  stigid@ol7: OL07-00-030360
  stigid@ol8: OL08-00-030000
  stigid@rhel7: RHEL-07-030360

shared/references/cce-redhat-avail.txt

@@ -993,7 +993,6 @@ CCE-87435-4
 CCE-87436-2
 CCE-87437-0
 CCE-87438-8
-CCE-87439-6
 CCE-87440-4
 CCE-87441-2
 CCE-87442-0