Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHCOS4 STIG: Cover the controls that correspond to the AU control family #10732

Merged
merged 20 commits into from
Jul 20, 2023
Merged

RHCOS4 STIG: Cover the controls that correspond to the AU control family #10732

merged 20 commits into from
Jul 20, 2023

Conversation

jhrozek
Copy link
Collaborator

@jhrozek jhrozek commented Jun 20, 2023

Description:

  • This is a largish PR, but it covers all the controls in the STIG draft
    that correspond to any of the NIST AU controls

Rationale:

  • RHCOS4 STIG

Review Hints:

  • Make sure that the RHCOS4 STIG CI run passes. I tried to add test stanzas to all the rules.
  • Make sure that the rules correspond to the STIG DRAFT. I recommend making a copy and then filtering the first column on anything that contains AU.

@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jun 20, 2023

/test e2e-aws-rhcos4-stig

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jun 20, 2023

/test e2e-aws-ocp4-stig

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jun 20, 2023

/test e2e-aws-ocp4-stig-node

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jun 20, 2023

direct link to e2e test log: https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/ComplianceAsCode_content/10732/pull-ci-ComplianceAsCode-content-master-e2e-aws-rhcos4-stig/1671091732978077696/artifacts/e2e-aws-rhcos4-stig/test/build-log.txt

@Mab879 Mab879 added this to the 0.1.69 milestone Jun 20, 2023
@Mab879 Mab879 added OpenShift OpenShift product related. STIG STIG Benchmark related. labels Jun 20, 2023
@yuumasato yuumasato self-assigned this Jul 6, 2023
@jhrozek
Copy link
Collaborator Author

jhrozek commented Jul 6, 2023

/test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-ocp4-stig

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jul 6, 2023

rebased on master to get a clean e2e test run

yuumasato
yuumasato reviewed Jul 6, 2023
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, none of the rules included in the controls had their srgs updated.

But as we are considering changing the approach to set references from control files, I think we can waive this aspect.

controls/srg_ctr/SRG-APP-000091-CTR-000160.yml Outdated Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000492-CTR-001220.yml Outdated Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000493-CTR-001225.yml Outdated Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000494-CTR-001230.yml Outdated Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000500-CTR-001260.yml Outdated Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000507-CTR-001295.yml Outdated Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000100-CTR-000200.yml Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000109-CTR-000215.yml Show resolved Hide resolved
controls/srg_ctr/SRG-APP-000290-CTR-000670.yml Show resolved Hide resolved
linux_os/guide/system/auditing/policy_rules/audit_ospp_general/kubernetes/shared.yml Show resolved Hide resolved
@jhrozek
Copy link
Collaborator Author

jhrozek commented Jul 10, 2023

@yuumasato thank you for the careful review. New patches are attached, feel free to ask additional questions, I wasn't sure if I answered them correctly

@yuumasato
Copy link
Member

/test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-ocp4-stig

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jul 18, 2023

Hmm I should fix these I think:

    helpers.go:808: Result - Name: e2e-stig-master-audit-access-failed - Status: FAIL - Severity: medium
    helpers.go:815: E2E-FAILURE: The expected result for the audit_access_failed rule didn't match. Expected 'PASS', Got 'FAIL'
    helpers.go:808: Result - Name: e2e-stig-master-audit-create-failed - Status: FAIL - Severity: medium
    helpers.go:815: E2E-FAILURE: The expected result for the audit_create_failed rule didn't match. Expected 'PASS', Got 'FAIL'

@yuumasato
Copy link
Member

yuumasato commented Jul 18, 2023
edited
Loading

@jhrozek I think what is missing is the openat2 syscall in the remediation.
Edit: at least in audit_access_failed

@yuumasato
Copy link
Member

And I think audit_create_failed is failing because of this comment:
## /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules

@vojtapolasek vojtapolasek modified the milestones: 0.1.69, 0.1.70 Jul 18, 2023
jhrozek added 13 commits July 19, 2023 14:39
@jhrozek
OCP4 STIG: Add the service_auditd_enabled rule to ensure that auditin…
c0dfc78 
…g is enabled at runtime
@jhrozek
RHCOS STIG: Cover controls that need auditd.conf to be set
a284246
@jhrozek
SRG-APP-000116-CTR-000235: Needs chrony and NTP servers to be set
36c383e
@jhrozek
SRG-APP-000119-CTR-000245 and SRG-APP-000120-CTR-000250: Covered by t…
e9aa251 
…he audit_rules_immutable rule
@jhrozek
SRG-APP-000121-CTR-000255: Covered by the audit_immutable_login_uids …
3237105 
…rule
@jhrozek
SRG-APP-000495-CTR-001235: audit records when successful/unsuccessful…
bdcd7c9 
… attempts to modify privileges occur
@jhrozek
OCP4 STIG: audit records when successful/unsuccessful attempts to mod…
07c522e 
…ify security objects occur.
@jhrozek
SRG-APP-000499-CTR-001255: audit records when successful/unsuccessful…
43e4972 
… attempts to delete privileges occur.
@jhrozek
SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270: OpenShift must g…
3269905 
…enerate audit records when successful/unsuccessful attempts to delete security objects occur
@jhrozek
SRG-APP-000503-CTR-001275: OpenShift must generate audit records when…
342d4b4 
… successful/unsuccessful attempts to delete security objects occur
@jhrozek
SRG-APP-000504-CTR-001280: Red Hat Enterprise Linux CoreOS (RHCOS) mu…
c493b4d 
…st be configured to audit the loading and unloading of dynamic kernel modules
@jhrozek
SRG-APP-000505-CTR-001285: OpenShift audit records must record user a…
dfaffd0 
…ccess start and end times.
@jhrozek
SRG-APP-000506-CTR-001290: OpenShift must generate audit records when…
0e259ad 
… concurrent logons from different workstations and systems occur.
@jhrozek
Copy link
Collaborator Author

jhrozek commented Jul 19, 2023

@yuumasato thanks, I fixed both, ended up reworking them because the hand-written urlencoded string was getting on my nerves :-)

@jhrozek
Copy link
Collaborator Author

jhrozek commented Jul 19, 2023

/test e2e-aws-rhcos4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-ocp4-stig

@codeclimate
Copy link

codeclimate bot commented Jul 19, 2023

Code Climate has analyzed commit ed4ee93 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

yuumasato
yuumasato approved these changes Jul 20, 2023
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, Jakub!

@yuumasato yuumasato merged commit a608f00 into ComplianceAsCode:master Jul 20, 2023
@Mab879 Mab879 added the Update Profile Issues or pull requests related to Profiles updates. label Oct 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuumasato yuumasato yuumasato approved these changes

@Vincent056 Vincent056 Awaiting requested review from Vincent056

@rhmdnd rhmdnd Awaiting requested review from rhmdnd

Assignees

@yuumasato yuumasato

Labels
OpenShift OpenShift product related. STIG STIG Benchmark related. Update Profile Issues or pull requests related to Profiles updates.
Projects
None yet
Milestone
0.1.70
Development

Successfully merging this pull request may close these issues.
4 participants
@jhrozek @yuumasato @Mab879 @vojtapolasek