Merge pull request #10742 from jhrozek/rhcos_stig_sc

RHCOS4 STIG: Cover the controls that relate to NIST SC

controls/srg_ctr/SRG-APP-000211-CTR-000530.yml

@@ -4,4 +4,35 @@ controls:
  - medium
  title: {{{ full_name }}} must separate user functionality (including user interface
  services) from information system management functionality.
- status: inherently met
+ status: manual
+ check: |-
+ Verify that root and core are the only user accounts on the nodes by executing the following:
+
+ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; cat /etc/passwd' 2>/dev/null; done
+
+ The output will look something like
+
+ <node_name> root:x:0:0:root:/root:/bin/bash
+ core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
+ containers:x:993:995:User for housing the sub ID range for containers:/var/home/containers:/sbin/nologin
+
+ If there are any user accounts in addition to root, containers and core, this is a finding.
+
+ Verify the root and core users are set to disable password logon by executing the following:
+
+ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep -e "^root" -e "^core" /etc/shadow' 2>/dev/null; done
+
+ The output will look something like
+ <node_name>
+ root:*:18367:0:99999:7:::
+ core:*:18939:0:99999:7:::
+
+ If the password entry has anything other than '*', this is a finding.
+ fixtext: |-
+ Disable and remove passwords from root and core accounts by executing the following:
+
+ for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'usermod -p "*" root; usermod -p "*" core' 2>/dev/null; done
+
+ Remove any additional user accounts from the nodes by executing the following:
+
+ oc debug node/<node> -- chroot /host /bin/bash -c 'userdel <user>'

controls/srg_ctr/SRG-APP-000233-CTR-000585.yml

@@ -4,4 +4,8 @@ controls:
  - medium
  title: {{{ full_name }}} runtime must isolate security functions from non-security
  functions.
- status: inherently met
+ status: automated
+ rules:
+ - coreos_enable_selinux_kernel_argument
+ - selinux_policytype
+ - selinux_state

controls/srg_ctr/SRG-APP-000243-CTR-000600.yml

@@ -4,19 +4,10 @@ controls:
  - medium
  title: {{{ full_name }}} must prevent unauthorized and unintended information
  transfer via shared system resources.
- status: manual
- check: |-
- Verify that all world-writable directories have the sticky bit set. The following command will list any world-writeable directories that do not have the sticky bit set.
-
- > for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find / -type d \( -perm -0002 -a ! -perm -1000 ! -path "/var/lib/containers/*" ! -path "/var/lib/kubelet/pods/*" ! -path "/sysroot/ostree/deploy/*" \) -print 2>/dev/null' 2>/dev/null; done
-
- If there are any directories listed in the results, this is a finding.
- fixtext: |-
- Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit
-
- > oc debug node/<node_name> -- chroot /host /bin/bash -c 'chmod XXXX <directory>'
-
- where
- node_name: The name of the node to connect to (oc get node)
- XXXX: Either 1777 (sticky bit) or 0755 (remove group and world write permission)
- <directory>: The directory on which to correct the permissions
+ status: automated
+ rules:
+ - coreos_page_poison_kernel_argument
+ - coreos_vsyscall_kernel_argument
+ - coreos_slub_debug_kernel_argument
+ - sysctl_kernel_dmesg_restrict
+ - sysctl_kernel_perf_event_paranoid

linux_os/guide/system/bootloader-grub2/coreos_vsyscall_kernel_argument/rule.yml

@@ -20,7 +20,7 @@ identifiers:
 
 references:
  nist: CM-7(a)
- srg: SRG-OS-000480-GPOS-00227
+ srg: SRG-OS-000480-GPOS-00227,SRG-APP-000243-CTR-000600
 
 ocil_clause: 'vsyscalls are enabled'
 

linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml

@@ -69,15 +69,34 @@ references:
 ocil_clause: 'any world-writable directories are missing the sticky bit'
 
 ocil: |-
+ {{% if product == "rhcos4" -%}}
+ Verify that all world-writable directories have the sticky bit set. The following command will list any world-writeable directories that do not have the sticky bit set.
+
+ > for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find / -type d \( -perm -0002 -a ! -perm -1000 ! -path "/var/lib/containers/*" ! -path "/var/lib/kubelet/pods/*" ! -path "/sysroot/ostree/deploy/*" \) -print 2>/dev/null' 2>/dev/null; done
+
+ If there are any directories listed in the results, this is a finding.
+ {{% else -%}}
  To find world-writable directories that lack the sticky bit, run the following command:
  <pre>$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null</pre>
+ {{% endif -%}}
 
 fixtext: |-
+ {{% if product == "rhcos4" -%}}
+ Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit
+
+ > oc debug node/<node_name> -- chroot /host /bin/bash -c 'chmod XXXX <directory>'
+
+ where
+ node_name: The name of the node to connect to (oc get node)
+ XXXX: Either 1777 (sticky bit) or 0755 (remove group and world write permission)
+ <directory>: The directory on which to correct the permissions
+ {{% else -%}}
  Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources.
 
  Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit:
 
  $ chmod a+t [World-Writable Directory]
+ {{% endif -%}}
 
 srg_requirement:
  A sticky bit must be set on all {{{ full_name }}} public directories to prevent unauthorized and unintended information transferred via shared system resources.

linux_os/guide/system/permissions/restrictions/poisoning/coreos_page_poison_kernel_argument/rule.yml

@@ -24,7 +24,7 @@ identifiers:
 
 references:
  nist: CM-6(a)
- srg: SRG-OS-000480-GPOS-00227
+ srg: SRG-APP-000243-CTR-000600
 
 ocil_clause: 'page allocator poisoning is not enabled'
 

linux_os/guide/system/permissions/restrictions/poisoning/coreos_slub_debug_kernel_argument/rule.yml

@@ -23,7 +23,7 @@ identifiers:
 
 references:
  nist: CM-6(a)
- srg: SRG-OS-000433-GPOS-00192
+ srg: SRG-APP-000243-CTR-000600
 
 ocil_clause: 'SLUB/SLAB poisoning is not enabled'
 

linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml

@@ -26,7 +26,7 @@ references:
  disa: CCI-001090,CCI-001314
  hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
  nist: SI-11(a),SI-11(b)
- srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069
+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600
  stigid@ol7: OL07-00-010375
  stigid@ol8: OL08-00-010375
  stigid@rhel7: RHEL-07-010375

linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml

@@ -24,7 +24,7 @@ references:
  disa: CCI-001090
  nist: AC-6
  ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069
+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600
  stigid@ol8: OL08-00-010376
  stigid@rhel8: RHEL-08-010376
 

linux_os/guide/system/selinux/coreos_enable_selinux_kernel_argument/rule.yml

@@ -31,6 +31,7 @@ references:
  nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
  nist: AC-3,AC-3(3)(a)
  nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
+ srg: SRG-APP-000233-CTR-000585
 
 ocil_clause: 'SELinux is disabled at boot time'
 

linux_os/guide/system/selinux/selinux_policytype/rule.yml

@@ -53,7 +53,7 @@ references:
  nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
  nist: AC-3,AC-3(3)(a),AU-9,SC-7(21)
  nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
- srg: SRG-OS-000445-GPOS-00199
+ srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585
  stigid@ol7: OL07-00-020220
  stigid@ol8: OL08-00-010450
  stigid@rhel7: RHEL-07-020220

products/rhcos4/profiles/stig.profile

@@ -22,4 +22,7 @@ selections:
  - var_sshd_set_keepalive=0
  - var_selinux_policy_name=targeted
  - var_selinux_state=enforcing
-
+ # Let's mark the vsyscall argument as info - the check and the fix is there, but setting this
+ # karg is not suitable for people who still run legacy 32bit apps.
+ - coreos_vsyscall_kernel_argument.role=unscored
+ - coreos_vsyscall_kernel_argument.severity=info

tests/unit/ssg-module/test_playbook_builder_data/guide/selinux_state/rule.yml

@@ -34,7 +34,7 @@ references:
  nerc-cip: CIP-003-3 R5.1.1,CIP-003-3 R5.2,CIP-003-3 R5.3,CIP-004-3 R2.2.3,CIP-004-3 R2.3,CIP-004-3 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
  nist: AC-3,AC-3(3)(a),AU-9,SC-7(21)
  nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
- srg: SRG-OS-000445-GPOS-00199
+ srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585
  stigid@ol7: OL07-00-020210
  stigid@rhel7: RHEL-07-020210
  stigid@rhel8: RHEL-08-010170