Merge pull request #10735 from jhrozek/rhcos_stig_cm

RHCOS4 STIG: Cover controls related to NIST CM family
ComplianceAsCode · Jun 30, 2023 · 57f1185 · 57f1185
2 parents 8947d30 + fb9c083
commit 57f1185
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 42 deletions.
diff --git a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
@@ -3,12 +3,11 @@ controls:
  levels:
  - medium
  title: {{{ full_name }}} must be configured with only essential configurations.
- status: inherently met
- artifact_description: |-
- Supporting evidence is in the following documentation
+ related_rules:
+ - service_sshd_disabled
+ - kernel_module_usb-storage_disabled
+ - package_usbguard_installed
+ - service_usbguard_enabled
+ - configure_usbguard_auditbackend
+ status: automated
 
- https://docs.openshift.com/container-platform/latest/architecture/architecture-rhcos.html
- status_justification: |-
- RHCOS itself is built with the sole intention of running OpenShift,
- therefore it doesn't have extra packages that are not necessary to run the main
- workload (OCP). There is, for instance, no extra interpreters, e.g. python.
diff --git a/controls/srg_ctr/SRG-APP-000185-CTR-000490.yml b/controls/srg_ctr/SRG-APP-000185-CTR-000490.yml
@@ -5,27 +5,5 @@ controls:
  title: {{{ full_name }}} must employ strong authenticators in the establishment
  of non-local maintenance and diagnostic sessions.
  related_rules:
- - idp_is_configured
- - ocp_idp_no_htpasswd
- - kubeadmin_removed
- status: inherently met
- status_justification: |-
- Typically maintenance of the OpenShift Platform is performed remotely
- using the API server by means of the web console or cli tools. Access
- to host nodes is done either through SSH using SSH keys provided during
- install, or through the OpenShift CLI (oc) tool. Note, that applying
- SRG-OS-000480-GPOS-00227 will disable SSH access to the node's host
- machine. Thus limiting any remote management access to using only the
- API Server. The API server requires TLS encryption, and enforces the
- authentication and authorization policies configured on the platform.
-
- Accessing hosts instructions for SSH
- https://docs.openshift.com/container-platform/latest/networking/accessing-hosts.html
-
- Accessing hosts via cluster admin oc commands
- https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-working.html
-
- OpenShift TLS documentation https://access.redhat.com/articles/5348961
- artifact_description: |-
- Supporting evidence is in the following documentation
- https://docs.openshift.com/container-platform/latest/authentication/index.html
+ - service_sshd_disabled
+ status: automated
diff --git a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
@@ -1,28 +1,45 @@
 documentation_complete: true
 
-title: 'Disable SSH Server If Possible (Unusual)'
+title: 'Disable SSH Server If Possible'
 
 description: |-
- The SSH server service, sshd, is commonly needed.
- However, if it can be disabled, do so.
- {{% if product in ['debian10', 'debian11', 'ubuntu1604', 'ubuntu1804'] %}}
+ {{% if product == "rhcos4" %}}
+ Instead of using ssh to remotely log in to a cluster node, it is recommended
+ to use <tt>oc debug</tt>
  {{{ describe_service_disable(service="sshd") }}}
  {{% else %}}
- {{{ describe_service_disable(service="sshd") }}}
- {{% endif %}}
+ The SSH server service, sshd, is commonly needed.
+ However, if it can be disabled, do so.
  This is unusual, as SSH is a common method for encrypted and authenticated
  remote access.
+ {{% endif %}}
 
-rationale: ""
+rationale: |-
+ {{% if product == "rhcos4" %}}
+ Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container
+ operating system. RHCOS is only supported as a component of the
+ OpenShift Container Platform. Remote management of the RHCOS nodes is
+ performed at the OpenShift Container Platform API level. As a result,
+ any direct remote access to the RHCOS nodes is unnecessary. Disabling
+ the SSHD service helps reduce the number of open ports on each host.
+ {{% endif %}}
 
 references:
  nist: CM-3(6),IA-2(4)
+ srg: SRG-APP-000185-CTR-000490,SRG-APP-000141-CTR-000315
 
-severity: unknown
+severity: high
 
 identifiers:
+ cce@rhcos4: CCE-86189-8
  cce@rhel7: CCE-80217-3
 
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="sshd") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="sshd") }}}
+
 template:
  name: service_disabled
  vars:

diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
@@ -25,7 +25,7 @@ references:
  disa: CCI-000169,CCI-000172
  nist: AU-2,CM-8(3),IA-3
  ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000062-GPOS-00031,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000062-GPOS-00031,SRG-OS-000471-GPOS-00215,SRG-APP-000141-CTR-000315
  stigid@ol8: OL08-00-030603
  stigid@rhel8: RHEL-08-030603
 

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -49,7 +49,6 @@ CCE-86185-6
 CCE-86186-4
 CCE-86187-2
 CCE-86188-0
-CCE-86189-8
 CCE-86190-6
 CCE-86191-4
 CCE-86192-2