Merge pull request #10736 from jhrozek/rhcos_stig_ia

SRG-APP-000148-CTR-000335,SRG-APP-000190-CTR-000500: Covered by sshd_disable_root_login
ComplianceAsCode · Jun 30, 2023 · 8947d30 · 8947d30
2 parents b9d1388 + 930512d
commit 8947d30
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 13 deletions.
diff --git a/controls/srg_ctr/SRG-APP-000148-CTR-000335.yml b/controls/srg_ctr/SRG-APP-000148-CTR-000335.yml
@@ -3,18 +3,11 @@ controls:
  levels:
  - medium
  title: {{{ full_name }}} must uniquely identify and authenticate users.
+ rules:
+ - sshd_disable_root_login
  related_rules:
  - idp_is_configured
  - ocp_idp_no_htpasswd
  - kubeadmin_removed
- status: inherently met
- status_justification: |-
- Users of the OpenShift Platform must be uniquely identified and
- authenticated in order to access the platform's console. Anonymous
- users are prohibited, and authorization is enforced by the platform's
- RBAC policies. Refer to
- https://docs.openshift.com/container-platform/latest/authentication/index.html
- for more information.
- artifact_description: |-
- Supporting evidence is in the following documentation
- https://docs.openshift.com/container-platform/latest/authentication/index.html
+ status: automated
+
diff --git a/controls/srg_ctr/SRG-APP-000190-CTR-000500.yml b/controls/srg_ctr/SRG-APP-000190-CTR-000500.yml
@@ -8,4 +8,5 @@ controls:
  of inactivity;'
  status: automated
  rules:
+ - sshd_disable_root_login
  - oauthclient_inactivity_timeout
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -19,6 +19,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+ cce@rhcos4: CCE-89550-8
  cce@rhel7: CCE-27445-6
  cce@rhel8: CCE-80901-2
  cce@rhel9: CCE-90800-4
@@ -51,7 +52,7 @@ references:
  ospp: FAU_GEN.1
  pcidss: Req-2.2.4
  pcidss4: "2.2.6"
- srg: SRG-OS-000109-GPOS-00056,SRG-OS-000480-GPOS-00227
+ srg: SRG-OS-000109-GPOS-00056,SRG-OS-000480-GPOS-00227,SRG-APP-000148-CTR-000335,SRG-APP-000190-CTR-000500
  stigid@ol7: OL07-00-040370
  stigid@ol8: OL08-00-010550
  stigid@rhel7: RHEL-07-040370

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/tests/ocp4/e2e.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/tests/ocp4/e2e.yml
@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -2860,7 +2860,6 @@ CCE-89546-6
 CCE-89547-4
 CCE-89548-2
 CCE-89549-0
-CCE-89550-8
 CCE-89551-6
 CCE-89552-4
 CCE-89553-2