
RHCOS4 STIG: Cover controls that correspond to NIST AC #10727

Merged: 2 commits, Jul 12, 2023

Conversation

@jhrozek (Collaborator) commented Jun 16, 2023

Description:

  • OCP4 STIG: SRG-APP-000343-CTR-000780 and SRG-APP-000381-CTR-000905 are covered by audit_rules_suid_privilege_function - this one is quite easy
  • SRG-APP-000029-CTR-000085: Audit execution of all setuid and setgid binaries on RHCOS4 - this one is more tricky. First, there are quite a few new rules that were added because I didn't find rules equivalent to the check and fix in the STIG draft. Second, I'm not sure if this SRG is the right one to be covered by the rules - the rules are valid and should be included in the STIG, but I think that SRG-APP-000381-CTR-000905 would be better suited for these checks. But at this point I'm unsure what to do and I think we should start an epic with stories that track the next STIG update to shuffle things around. Finally, I think some of the rules follow the letter of "let's audit all SUID binaries" but are not really needed, e.g. the SSSD binaries are really just helpers that can't be executed by a user, and the grub2 binary probably shouldn't be on RHCOS in the first place (there's no GRUB on RHCOS...)

Rationale:

  • RHCOS4 STIG

Review Hints:

  • Make sure that the e2e tests pass
  • Make sure that the checks and remediations are in line with the AC controls in the STIG draft. I recommend making a copy of the document, then filtering column A with any controls that start with AC and looking for MachineConfig in column I (Fix).
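
As an added example (not code from this PR or from the ComplianceAsCode project), the script below does what "audit execution of all setuid and setgid binaries" means in practice: it walks a root filesystem, finds every regular file carrying the setuid or setgid bit, and emits one rule per binary in exactly the form the rule descriptions in this PR document. It can scan an image root mounted under a prefix (say, an RHCOS root mounted for inspection) and strips that prefix, because the path in the rule has to be the path seen at runtime on the node, and it packs the result as the data URL a MachineConfig storage file carries. All function names are this example's own, the `data:text/plain;charset=utf-8;base64,` source form is an assumption about the MachineConfig/Ignition format, and the sample tree is constructed in a temporary directory.

```python
import base64
import os
import stat
import tempfile
from typing import List

# Filter set used by the privileged-command rules in this PR's diff; 1000 is RHEL's default UID_MIN.
RULE_FMT = "-a always,exit -F path={path} -F perm=x -F auid>={uid_min} -F auid!=unset -F key={key}"


def find_setuid_setgid(root: str) -> List[str]:
    """Sorted absolute paths of regular files under `root` with setuid or setgid set.

    Roughly `find ROOT -type f -perm /6000`. lstat() is used on purpose: symlinks are not
    followed, so a link planted next to a privileged binary cannot produce a rule for it.
    """
    found: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(full)
    return sorted(found)


def audit_rule_for(path: str, uid_min: int = 1000, key: str = "privileged") -> str:
    """The audit rule line for one privileged binary, as the STIG-style descriptions word it."""
    return RULE_FMT.format(path=path, uid_min=uid_min, key=key)


def rules_for_tree(root: str, strip_prefix: str = "") -> List[str]:
    """One rule per privileged binary found under `root`.

    When `root` is an image mounted at `strip_prefix`, the prefix is removed so the rule
    names the path the kernel will see on the running node, not the inspection mount.
    """
    rules = []
    for path in find_setuid_setgid(root):
        node_path = path[len(strip_prefix):] if strip_prefix and path.startswith(strip_prefix) else path
        rules.append(audit_rule_for(node_path))
    return rules


def machineconfig_source(rules: List[str]) -> str:
    """`contents.source` value for a MachineConfig storage file holding these rules
    (data-URL form assumed for this example)."""
    body = "\n".join(rules) + "\n"
    return "data:text/plain;charset=utf-8;base64," + base64.b64encode(body.encode()).decode()


def make_sample_tree() -> str:
    """Constructed sample root: one setuid binary, one setgid binary, one plain binary and a
    symlink to the setuid one (the link must not yield a rule)."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "usr/sbin"))
    for rel, mode in (("usr/bin/chage", 0o4755), ("usr/sbin/unix_chkpwd", 0o2755), ("usr/bin/ls", 0o755)):
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    os.symlink(os.path.join(root, "usr/bin/chage"), os.path.join(root, "usr/bin/chage-link"))
    return root


def demo() -> List[str]:
    """Scan the constructed tree as if it were an image mounted at its own path."""
    root = make_sample_tree()
    return rules_for_tree(root, strip_prefix=root)


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Run against a real node root the same inventory (`find / -xdev -type f -perm /6000`) is also the list to prune before shipping: the description above points out that some binaries carrying the bit, such as the SSSD helpers, are not user-executable, and a rule for each of them adds noise without adding signal.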

@jhrozek jhrozek added OpenShift OpenShift product related. New Rule Issues or pull requests related to new Rules. labels Jun 16, 2023

@github-actions bot commented Jun 16, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
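Review bot: adding `-F perm=x` to the documented rule line is only half of the fix; the rule's OVAL check and the remediation generated from the audit_rules_privileged_commands template have to carry the same token, or scanners will enforce a different rule than the one the description tells the administrator to write. Please confirm the template output and its tests changed in the same commit. It is also worth a sentence in the description on why the filter matters: with `perm=x` the rule fires only when /usr/bin/chage is executed, which is what auditing privileged-function use needs, rather than on every open or stat of the file.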
@@ -286,6 +286,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
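Review bot: the reference added here, SRG-APP-000029-CTR-000085, is the one the PR description itself questions as the right home for these rules (SRG-APP-000381-CTR-000905 is suggested as the better fit). If the mapping may move in the next STIG update, record that in the commit message or next to the reference in the rule so this line is not read as settled. The same reference is added unchanged to every rule below, so whatever is decided applies to all of them.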

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
@@ -286,6 +286,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 CCI-000130
@@ -62,6 +62,9 @@
 [reference]:
 SRG-OS-000471-GPOS-00215
 
+[reference]:
+SRG-APP-000029-CTR-000085
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
@@ -286,6 +286,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
@@ -9,12 +9,12 @@
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
 -a always,exit -F path=/usr/sbin/pam_timestamp_check
--F auid>=1000 -F auid!=unset -F key=privileged
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
 -a always,exit -F path=/usr/sbin/pam_timestamp_check
--F auid>=1000 -F auid!=unset -F key=privileged
+-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
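Review bot: the documented rule here is split over two lines, `-a always,exit -F path=/usr/sbin/pam_timestamp_check` followed by `-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged`, while every other rule in this diff is documented on a single line. Since this hunk already touches the second half, join them: an administrator pasting the description into /etc/audit/rules.d/ as shown gets two fragments, and a line starting with `-F` is not a valid rule on its own.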
@@ -258,6 +258,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
@@ -286,6 +286,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
@@ -260,6 +260,9 @@
 [reference]:
 SRG-OS-000471-GPOS-00215
 
+[reference]:
+SRG-APP-000029-CTR-000085
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,
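Review bot: this rule receives only the new SRG reference, with no `-F perm=x` change to its documented rule line, unlike every other privileged-command rule in the diff. Check whether the ssh_keysign description already carries `-F perm=x` (or uses a different path or template variant); if it does not, the same documentation fix belongs here so the rule set stays consistent.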

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
@@ -265,6 +265,9 @@
 
 [reference]:
 SRG-OS-000466-GPOS-00210
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 BP28(R19)
@@ -265,6 +265,9 @@
 
 [reference]:
 SRG-OS-000466-GPOS-00210
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
@@ -256,6 +256,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
@@ -8,11 +8,11 @@
 configured to use the augenrules program to read audit rules during
 daemon startup (the default), add a line of the following form to a file with
 suffix .rules in the directory /etc/audit/rules.d:
--a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 If the auditd daemon is configured to use the auditctl
 utility to read audit rules during daemon startup, add a line of the following
 form to /etc/audit/audit.rules:
--a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
 
 [reference]:
 1
@@ -307,6 +307,9 @@
 
 [reference]:
 SRG-OS-000471-GPOS-00215
+
+[reference]:
+SRG-APP-000029-CTR-000085
 
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by

@jhrozek (Collaborator, Author) commented Jun 16, 2023

@ggbecker @yuumasato I'm at a loss to debug the CI issues:

ValueError: The rule 'audit_rules_privileged_commands_dbus_daemon_launch_helper' isn't mapped to any component! Insert the rule ID at least once to the rule-component mapping.

what is a rule-component mapping?

and then this test fails:

./shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_auid.fail.sh

why does it fail? What does the test do?
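
In the content repository a scenario named *.fail.sh sets up a deliberately non-compliant state and the check is expected to fail on it; by its name, auditctl_missing_auid.fail.sh installs a rule for the command that lacks the auid filters. The checker below is an added example written for this page, not the project's OVAL and not the test itself, and its names and sample rules are constructed: it parses audit rule lines and reports, per binary, which of the required tokens the closest rule lacks, so a rule with the auid filters dropped shows up as exactly those two missing filters.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Filter = Tuple[str, str, str]  # (field, operator, value), e.g. ("auid", ">=", "1000")
_FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|=|>|<)(.*)$")
# auditctl accepts three spellings of "no login session" for auid; treat them as one value.
_UNSET_AUID = {"unset", "-1", "4294967295"}


@dataclass
class AuditRule:
    action: str                              # e.g. "always,exit"
    filters: List[Filter] = field(default_factory=list)
    key: Optional[str] = None                # from "-F key=..." or "-k ..."


def parse_rule(line: str) -> Optional[AuditRule]:
    """Parse one syscall rule line ("-a ..."). Comments, blank lines and other directives
    (including "-w" watches, which cannot carry auid filters) yield None."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-a":
        return None
    rule = AuditRule(action=toks[1])
    i = 2
    while i < len(toks):
        flag = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if arg is None:
            raise ValueError(f"{flag} needs an argument in {line!r}")
        if flag == "-F":
            m = _FILTER_RE.match(arg)
            if not m:
                raise ValueError(f"unparseable filter {arg!r}")
            fld, op, val = m.groups()
            if fld == "key":
                rule.key = val
            else:
                rule.filters.append((fld, op, val))
        elif flag == "-k":
            rule.key = arg
        # "-S <syscall>" and any other flag do not matter for a path rule: skip flag and argument.
        i += 2
    return rule


def gaps_for(rule: AuditRule, uid_min: int = 1000) -> List[str]:
    """Requirements the rule misses for auditing *execution* of a privileged binary by
    real (interactive) users; each entry names the missing token."""
    gaps: List[str] = []
    if rule.action != "always,exit":
        gaps.append("action must be always,exit")
    if ("perm", "=", "x") not in rule.filters:        # without it, open()/stat() match too
        gaps.append("missing -F perm=x")
    if ("auid", ">=", str(uid_min)) not in rule.filters:
        gaps.append(f"missing -F auid>={uid_min}")
    if not any(f == "auid" and op == "!=" and v in _UNSET_AUID for f, op, v in rule.filters):
        gaps.append("missing -F auid!=unset")          # excludes daemons with no login session
    if not rule.key:
        gaps.append("missing -F key=... / -k ...")
    return gaps


def missing_requirements(rules_text: str, binary: str, uid_min: int = 1000) -> List[str]:
    """[] when some single rule fully covers `binary`; otherwise the gaps of the closest
    rule, or one "no rule" entry when nothing watches that path at all."""
    best: Optional[List[str]] = None
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or ("path", "=", binary) not in rule.filters:
            continue
        gaps = gaps_for(rule, uid_min)
        if not gaps:
            return []
        if best is None or len(gaps) < len(best):
            best = gaps
    return best if best is not None else [f"no rule for {binary}"]


def noncompliant(rules_text: str, binaries: List[str], uid_min: int = 1000) -> Dict[str, List[str]]:
    """Map each binary that is not properly audited to what its rule lacks."""
    report: Dict[str, List[str]] = {}
    for b in binaries:
        gaps = missing_requirements(rules_text, b, uid_min)
        if gaps:
            report[b] = gaps
    return report


# Constructed sample rules (not copied from the project's test scenarios).
PASS_RULES = """\
## privileged commands, in the form the rule descriptions document
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
"""
# The binary is watched but the auid filters are gone: every execution, daemons included,
# gets logged and the rule no longer has the required form, so a check must report it.
FAIL_RULES = "-a always,exit -F path=/usr/bin/chage -F perm=x -F key=privileged\n"

if __name__ == "__main__":
    print(noncompliant(PASS_RULES, ["/usr/bin/chage", "/usr/bin/sudo", "/usr/bin/passwd"]))
    print(noncompliant(FAIL_RULES, ["/usr/bin/chage"]))
```

For the pass sample only /usr/bin/passwd is reported (no rule at all); for the fail sample the report is the two missing auid tokens. Accepting `-k` alongside `-F key=` and the numeric spellings of an unset auid matters because auditctl takes all of them; a check that compares raw strings would fail systems that are actually compliant.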

@yuumasato (Member) commented Jun 16, 2023

@jhrozek I'm not sure, but I think you need to add the new rules into any file in components/.
components/audit.yml seems to be the most fit.

CC @matejak and @jan-cerny

@jhrozek (Collaborator, Author) commented Jun 19, 2023

@jhrozek I'm not sure, but I think you need to add the new rules into any file in components/. components/audit.yml seems to be the most fit.

CC @matejak and @jan-cerny

thanks, let's see how the new CI run goes

@jan-cerny (Collaborator) commented:
@jhrozek Yes, @yuumasato is correct, from now on the components are mandatory, that means you need to add a rule ID to a component file if you add a new rule to RHEL7, RHEL8, RHEL9 or Fedora products.

@jhrozek (Collaborator, Author) commented Jun 19, 2023

/test help

@openshift-ci bot commented Jun 19, 2023

@jhrozek: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jhrozek (Collaborator, Author) commented Jun 19, 2023

/test e2e-aws-rhcos4-stig

@jhrozek (Collaborator, Author) commented Jun 19, 2023

RHCOS STIG CI succeeded.
@Vincent056 @rhmdnd PTAL

@jhrozek (Collaborator, Author) commented Jun 20, 2023

/test e2e-aws-rhcos4-stig

@jhrozek (Collaborator, Author) commented Jun 20, 2023

/test e2e-aws-ocp4-stig

@jhrozek (Collaborator, Author) commented Jun 20, 2023

/test e2e-aws-ocp4-stig-node

@yuumasato (Member) commented:
/test e2e-aws-ocp4-stig

@yuumasato (Member) commented:
/test e2e-aws-ocp4-stig-node

@yuumasato (Member) commented:
/test e2e-aws-rhcos4-stig

@jhrozek (Collaborator, Author) commented Jul 10, 2023

/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-stig

@jhrozek (Collaborator, Author) commented Jul 10, 2023

/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-stig

@jhrozek (Collaborator, Author) commented Jul 11, 2023

lol oops I really should get into the habit of running some local checks :-)

@jhrozek (Collaborator, Author) commented Jul 11, 2023

/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-stig

@jhrozek (Collaborator, Author) commented Jul 11, 2023

Some CCEs were not unique, hopefully now all CI runs will be green

@jhrozek (Collaborator, Author) commented Jul 11, 2023

/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-stig

@yuumasato yuumasato added this to the 0.1.69 milestone Jul 11, 2023
@yuumasato (Member) commented Jul 11, 2023

@jhrozek e2e passed.
Can you just add srg to audit_rules_privileged_commands_ssh_keysign, then I think we can merge.

@jhrozek (Collaborator, Author) commented Jul 11, 2023

@jhrozek e2e passed. Can you just add srg to audit_rules_privileged_commands_ssh_keysign, then I think we can merge.

nice catch, done

@codeclimate bot commented Jul 11, 2023

Code Climate has analyzed commit f5b3474 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.5% (0.0% change).


@yuumasato (Member) commented:
The Automatus CS8 and CS9 tests fail because some rules are only available for rhcos. Automatus Fedora is failing to prepare the environment for the tests, for some reason.
The rpm-build on Fedora is failing due to import imp.

@yuumasato yuumasato merged commit 52bf2bb into ComplianceAsCode:master Jul 12, 2023