diff --git a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
index 76abe99524b..f92c38bc8b1 100644
--- a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
+++ b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
@@ -3,12 +3,11 @@ controls:
 levels:
 - medium
 title: {{{ full_name }}} must be configured with only essential configurations.
- status: inherently met
- artifact_description: |-
- Supporting evidence is in the following documentation
+ related_rules:
+ - service_sshd_disabled
+ - kernel_module_usb-storage_disabled
+ - package_usbguard_installed
+ - service_usbguard_enabled
+ - configure_usbguard_auditbackend
+ status: automated
- https://docs.openshift.com/container-platform/latest/architecture/architecture-rhcos.html
- status_justification: |-
- RHCOS itself is built with the sole intention of running OpenShift,
- therefore it doesn't have extra packages that are not necessary to run the main
- workload (OCP). There is, for instance, no extra interpreters, e.g. python.
diff --git a/controls/srg_ctr/SRG-APP-000185-CTR-000490.yml b/controls/srg_ctr/SRG-APP-000185-CTR-000490.yml
index e871921fa0b..e38c6e528f0 100644
--- a/controls/srg_ctr/SRG-APP-000185-CTR-000490.yml
+++ b/controls/srg_ctr/SRG-APP-000185-CTR-000490.yml
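Review bot: The control now carries `status: automated` but lists its five rules under `related_rules` rather than `rules`; if, as elsewhere in the controls tree, only `rules` entries are selected into the profile, this control enforces nothing despite its status — confirm which key the control loader treats as selecting. The removed `status_justification` was also the only place recording why RHCOS needs no further minimization (no extra packages or interpreters); the usbguard and sshd rules address open ports and USB storage but not that argument. Consider keeping the former justification text under a `notes: |-` entry so the mapping from these five rules to "only essential configurations" stays documented alongside the automated status.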
@@ -5,27 +5,5 @@ controls:
 title: {{{ full_name }}} must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.
 related_rules:
- - idp_is_configured
- - ocp_idp_no_htpasswd
- - kubeadmin_removed
- status: inherently met
- status_justification: |-
- Typically maintenance of the OpenShift Platform is performed remotely
- using the API server by means of the web console or cli tools. Access
- to host nodes is done either through SSH using SSH keys provided during
- install, or through the OpenShift CLI (oc) tool. Note, that applying
- SRG-OS-000480-GPOS-00227 will disable SSH access to the node's host
- machine. Thus limiting any remote management access to using only the
- API Server. The API server requires TLS encryption, and enforces the
- authentication and authorization policies configured on the platform.
-
- Accessing hosts instructions for SSH
- https://docs.openshift.com/container-platform/latest/networking/accessing-hosts.html
-
- Accessing hosts via cluster admin oc commands
- https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-working.html
-
- OpenShift TLS documentation https://access.redhat.com/articles/5348961
- artifact_description: |-
- Supporting evidence is in the following documentation
- https://docs.openshift.com/container-platform/latest/authentication/index.html
+ - service_sshd_disabled
+ status: automated
diff --git a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
index d0decfccd87..c58e3e993f3 100644
--- a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
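Review bot: Narrowing `related_rules` to `service_sshd_disabled` leaves the control's non-SSH maintenance path unaddressed: the removed justification itself states that maintenance is performed through the API server, and the three dropped rules (`idp_is_configured`, `ocp_idp_no_htpasswd`, `kubeadmin_removed`) were what spoke to the strength of the authenticators on that path. Disabling sshd closes one channel but does not demonstrate strong authentication on the remaining one, so the SRG is only partly covered by the single automated rule. Keep the three identity rules listed alongside `- service_sshd_disabled`, or record in the control why API-server authentication is considered out of scope for this requirement.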
@@ -1,28 +1,45 @@
 documentation_complete: true
-title: 'Disable SSH Server If Possible (Unusual)'
+title: 'Disable SSH Server If Possible'
 description: |-
- The SSH server service, sshd, is commonly needed.
- However, if it can be disabled, do so.
- {{% if product in ['debian10', 'debian11', 'ubuntu1604', 'ubuntu1804'] %}}
+ {{% if product == "rhcos4" %}}
+ Instead of using ssh to remotely log in to a cluster node, it is recommended
+ to use oc debug
 {{{ describe_service_disable(service="sshd") }}}
 {{% else %}}
- {{{ describe_service_disable(service="sshd") }}}
- {{% endif %}}
+ The SSH server service, sshd, is commonly needed.
+ However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access.
+ {{% endif %}}
-rationale: ""
+rationale: |-
+ {{% if product == "rhcos4" %}}
+ Red Hat Enterprise Linux CoreOS (RHCOS) is a single-purpose container
+ operating system. RHCOS is only supported as a component of the
+ OpenShift Container Platform. Remote management of the RHCOS nodes is
+ performed at the OpenShift Container Platform API level. As a result,
+ any direct remote access to the RHCOS nodes is unnecessary. Disabling
+ the SSHD service helps reduce the number of open ports on each host.
+ {{% endif %}}
 references:
 nist: CM-3(6),IA-2(4)
+ srg: SRG-APP-000185-CTR-000490,SRG-APP-000141-CTR-000315
-severity: unknown
+severity: high
 identifiers:
+ cce@rhcos4: CCE-86189-8
 cce@rhel7: CCE-80217-3
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="sshd") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="sshd") }}}
+
 template:
 name: service_disabled
 vars:
diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
index 28780fb3358..c20527bf10e 100644
--- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
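Review bot: The non-rhcos4 branch of `description` no longer calls `{{{ describe_service_disable(service="sshd") }}}` — the hunk removes that line after `{{% else %}}` and replaces it with prose only — so for every product other than rhcos4 the rendered description no longer says how the service is disabled, while the new `ocil` text still checks that it is. Add the macro back in the else branch, after the `However, if it can be disabled, do so. ...` line: `{{{ describe_service_disable(service="sshd") }}}`. Separately, `severity: high` is not product-conditional the way the description and rationale are, so the rhel7 CCE inherits a high severity for a rule whose own text calls disabling SSH unusual; consider whether that severity should apply outside rhcos4. The `rationale` likewise renders empty for non-rhcos4 products, which matches the old `rationale: ""` but leaves those products without any stated reason for the rule.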
+++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
@@ -25,7 +25,7 @@ references:
 disa: CCI-000169,CCI-000172
 nist: AU-2,CM-8(3),IA-3
 ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000062-GPOS-00031,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000062-GPOS-00031,SRG-OS-000471-GPOS-00215,SRG-APP-000141-CTR-000315
 stigid@ol8: OL08-00-030603
 stigid@rhel8: RHEL-08-030603
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index e385fe6828f..0f24857bb38 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -49,7 +49,6 @@ CCE-86185-6
 CCE-86186-4
 CCE-86187-2
 CCE-86188-0
-CCE-86189-8
 CCE-86190-6
 CCE-86191-4
 CCE-86192-2