RHCOS4 STIG: Cover the controls that correspond to the AU control family

controls/srg_ctr/SRG-APP-000091-CTR-000160.yml

@@ -6,4 +6,21 @@ controls:
     attempts to access privileges occur.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - audit_rules_dac_modification_chmod
+  - audit_rules_dac_modification_chown
+  - audit_rules_dac_modification_fchmod
+  - audit_rules_dac_modification_fchmodat
+  - audit_rules_dac_modification_fchown
+  - audit_rules_dac_modification_fchownat
+  - audit_rules_dac_modification_fremovexattr
+  - audit_rules_dac_modification_fsetxattr
+  - audit_rules_dac_modification_lchown
+  - audit_rules_dac_modification_lremovexattr
+  - audit_rules_dac_modification_lsetxattr
+  - audit_rules_dac_modification_removexattr
+  - audit_rules_dac_modification_setxattr
+  - audit_create_failed
+  - audit_modify_failed
+  - audit_access_failed
+  status: automated

controls/srg_ctr/SRG-APP-000092-CTR-000165.yml

@@ -6,5 +6,6 @@ controls:
   rules:
   - cluster_logging_operator_exist
   - audit_log_forwarding_enabled
+  - coreos_audit_option
   status: automated
 

controls/srg_ctr/SRG-APP-000095-CTR-000170.yml

@@ -4,6 +4,8 @@ controls:
   - medium
   title: All audit records must identify what type of event has occurred within the
     container platform.
+  rules:
+  - service_auditd_enabled
   related_rules:
   - audit_profile_set
-  status: inherently met
+  status: automated

controls/srg_ctr/SRG-APP-000096-CTR-000175.yml

@@ -6,4 +6,8 @@ controls:
     with all events.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000097-CTR-000180.yml

@@ -6,4 +6,8 @@ controls:
     occurred.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000098-CTR-000185.yml

@@ -6,4 +6,8 @@ controls:
     platform.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000099-CTR-000190.yml

@@ -5,4 +5,8 @@ controls:
   title: All audit records must generate the event results within the container platform.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000100-CTR-000195.yml

@@ -6,4 +6,8 @@ controls:
     {{{ full_name }}}.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000100-CTR-000200.yml

@@ -6,4 +6,8 @@ controls:
     within {{{ full_name }}}.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000109-CTR-000215.yml

@@ -5,21 +5,7 @@ controls:
   title: {{{ full_name }}} must take appropriate action upon an audit failure.
   rules:
   - audit_error_alert_exists
-  status: does not meet
-  status_justification: |-
-    OpenShift's architecture is not structured to allow it to specifically
-    halt on a failure to log.  The same database and API that power
-    recording events are shared for normal access, so interactivity with the
-    cluster would be lost in the event of a logging component failure, but
-    workloads would continue operating.  This is by design, as the system
-    is architected to attempt to recover from failure of components. In
-    many failure modes, automated remediations would likely take place in
-    the event of a logging failure.  The system will continue to operate
-    during the remediation attempts.
-  mitigation: |-
-    The OpenShift Platform will generate an alert upon failure of the
-    audit logging service. The responses to those alerts may be defined
-    by the organizations administrative group, and may even be automated
-    responses.  If there is a failure to forward logs to the organization's
-    log collection service, OpenShift will retain about 10 logs up to
-    100MB each, more than that, the logs will then rotate.
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000116-CTR-000235.yml

@@ -4,6 +4,11 @@ controls:
   - medium
   title: {{{ full_name }}} must use internal system clocks to generate audit
     record time stamps.
+  rules:
+  - service_chronyd_or_ntpd_enabled
+  - chronyd_or_ntpd_specify_remote_server
   related_rules:
-  - audit_profile_set
-  status: inherently met
+  - chronyd_or_ntpd_specify_multiple_servers
+  - chronyd_or_ntpd_set_maxpoll
+  - chronyd_client_only
+  status: automated

controls/srg_ctr/SRG-APP-000119-CTR-000245.yml

@@ -3,10 +3,12 @@ controls:
   levels:
   - medium
   title: {{{ full_name }}} must protect audit information from unauthorized modification.
+  rules:
+  - audit_rules_immutable
   related_rules:
   - audit_log_forwarding_uses_tls
   - audit_profile_set
   - directory_permissions_var_log_kube_audit
   - directory_permissions_var_log_oauth_audit
   - directory_permissions_var_log_ocp_audit
-  status: inherently met
+  status: automated

controls/srg_ctr/SRG-APP-000120-CTR-000250.yml

@@ -3,10 +3,12 @@ controls:
   levels:
   - medium
   title: {{{ full_name }}} must protect audit information from unauthorized deletion.
+  rules:
+  - audit_rules_immutable
   related_rules:
   - audit_log_forwarding_uses_tls
   - audit_profile_set
   - directory_permissions_var_log_kube_audit
   - directory_permissions_var_log_oauth_audit
   - directory_permissions_var_log_ocp_audit
-  status: inherently met
+  status: automated

controls/srg_ctr/SRG-APP-000121-CTR-000255.yml

@@ -4,11 +4,12 @@ controls:
   - medium
   title: {{{ full_name }}} must protect audit tools from unauthorized access.
   rules:
+  - audit_immutable_login_uids
   - rbac_logging_view
   related_rules:
   - audit_log_forwarding_uses_tls
   - audit_profile_set
   - directory_permissions_var_log_kube_audit
   - directory_permissions_var_log_oauth_audit
   - directory_permissions_var_log_ocp_audit
-  status: manual
+  status: automated

controls/srg_ctr/SRG-APP-000290-CTR-000670.yml

@@ -6,18 +6,8 @@ controls:
     of audit tools.
   related_rules:
   - audit_log_forwarding_uses_tls
-  status: inherently met
-  status_justification: |-
-    The audit tools used with OpenShift Container Platform are all delivered as container images referenced by manifest checksum. Installation sources for OpenShift are also delivered as container images, referenced by manifest checksum. See, for example, https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.8/release.txt
-
-    The listing of platform components by their manifest checksums, as well as the installer and command line tooling, are additionally checksummed. See, for example, https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.8/sha256sum.txt
-
-    The file that contains the checksums of the installer tooling and listing of container image manifest hashes is signed and the signature, validatable with Red Hat's product security GPG key, is published alongside the listing. See, for example, https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.8/sha256sum.txt.gpg
-
-    Included in the release of the base platform are the components that index the available installation sources for additional components, delivered as Operators, from Red Hat. The images for the OpenShift Logging Operator, which are the only supported mechanism for exporting audit logs from the cluster and forwarding to an external log aggregation solution,
-  artifact_description: |-
-    Supporting evidence is in the following documentation
-
-    https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.8/release.txt
-    https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.8/sha256sum.txt
-    https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.8/sha256sum.txt.gpg
+  rules:
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000357-CTR-000800.yml

@@ -5,7 +5,8 @@ controls:
   title: {{{ full_name }}} must allocate audit record storage capacity in accordance
     with organization-defined audit record storage requirements.
   rules:
-  - partition_for_var_log_kube_apiserver
-  - partition_for_var_log_oauth_apiserver
-  - partition_for_var_log_openshift_apiserver
-  status: not applicable
+  - partition_for_var_log_audit
+  - auditd_log_format
+  - auditd_data_disk_error_action
+  - auditd_data_retention_max_log_file_action_stig
+  status: automated

controls/srg_ctr/SRG-APP-000409-CTR-000990.yml

@@ -4,4 +4,6 @@ controls:
   - medium
   title: {{{ full_name }}} must audit non-local maintenance and diagnostic sessions'
     organization-defined audit events associated with non-local maintenance.
-  status: inherently met
+  rules:
+  - service_auditd_enabled
+  status: automated

controls/srg_ctr/SRG-APP-000492-CTR-001220.yml

@@ -6,4 +6,21 @@ controls:
     attempts to access security objects occur.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - audit_rules_dac_modification_chmod
+  - audit_rules_dac_modification_chown
+  - audit_rules_dac_modification_fchmod
+  - audit_rules_dac_modification_fchmodat
+  - audit_rules_dac_modification_fchown
+  - audit_rules_dac_modification_fchownat
+  - audit_rules_dac_modification_fremovexattr
+  - audit_rules_dac_modification_fsetxattr
+  - audit_rules_dac_modification_lchown
+  - audit_rules_dac_modification_lremovexattr
+  - audit_rules_dac_modification_lsetxattr
+  - audit_rules_dac_modification_removexattr
+  - audit_rules_dac_modification_setxattr
+  - audit_create_failed
+  - audit_modify_failed
+  - audit_access_failed
+  status: automated

controls/srg_ctr/SRG-APP-000493-CTR-001225.yml

@@ -6,4 +6,21 @@ controls:
     attempts to access security levels occur.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - audit_rules_dac_modification_chmod
+  - audit_rules_dac_modification_chown
+  - audit_rules_dac_modification_fchmod
+  - audit_rules_dac_modification_fchmodat
+  - audit_rules_dac_modification_fchown
+  - audit_rules_dac_modification_fchownat
+  - audit_rules_dac_modification_fremovexattr
+  - audit_rules_dac_modification_fsetxattr
+  - audit_rules_dac_modification_lchown
+  - audit_rules_dac_modification_lremovexattr
+  - audit_rules_dac_modification_lsetxattr
+  - audit_rules_dac_modification_removexattr
+  - audit_rules_dac_modification_setxattr
+  - audit_create_failed
+  - audit_modify_failed
+  - audit_access_failed
+  status: automated

controls/srg_ctr/SRG-APP-000494-CTR-001230.yml

@@ -6,4 +6,21 @@ controls:
     attempts to access categories of information (e.g., classification levels) occur.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - audit_rules_dac_modification_chmod
+  - audit_rules_dac_modification_chown
+  - audit_rules_dac_modification_fchmod
+  - audit_rules_dac_modification_fchmodat
+  - audit_rules_dac_modification_fchown
+  - audit_rules_dac_modification_fchownat
+  - audit_rules_dac_modification_fremovexattr
+  - audit_rules_dac_modification_fsetxattr
+  - audit_rules_dac_modification_lchown
+  - audit_rules_dac_modification_lremovexattr
+  - audit_rules_dac_modification_lsetxattr
+  - audit_rules_dac_modification_removexattr
+  - audit_rules_dac_modification_setxattr
+  - audit_create_failed
+  - audit_modify_failed
+  - audit_access_failed
+  status: automated

controls/srg_ctr/SRG-APP-000495-CTR-001235.yml

@@ -6,4 +6,69 @@ controls:
     attempts to modify privileges occur.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - audit_rules_dac_modification_chmod
+  - audit_rules_dac_modification_chown
+  - audit_rules_dac_modification_fchmod
+  - audit_rules_dac_modification_fchmodat
+  - audit_rules_dac_modification_fchown
+  - audit_rules_dac_modification_fchownat
+  - audit_rules_dac_modification_fremovexattr
+  - audit_rules_dac_modification_fsetxattr
+  - audit_rules_dac_modification_lchown
+  - audit_rules_dac_modification_lremovexattr
+  - audit_rules_dac_modification_lsetxattr
+  - audit_rules_dac_modification_removexattr
+  - audit_rules_dac_modification_setxattr
+  - audit_rules_dac_modification_umount
+  - audit_rules_dac_modification_umount2
+  - audit_rules_execution_chacl
+  - audit_rules_execution_setfacl
+  - audit_rules_execution_chcon
+  - audit_rules_execution_semanage
+  - audit_rules_execution_setfiles
+  - audit_rules_execution_setsebool
+  - audit_rules_file_deletion_events_rename
+  - audit_rules_file_deletion_events_renameat
+  - audit_rules_file_deletion_events_rmdir
+  - audit_rules_file_deletion_events_unlink
+  - audit_rules_file_deletion_events_unlinkat
+  - audit_rules_unsuccessful_file_modification_creat
+  - audit_rules_unsuccessful_file_modification_ftruncate
+  - audit_rules_unsuccessful_file_modification_open
+  - audit_rules_unsuccessful_file_modification_open_by_handle_at
+  - audit_rules_unsuccessful_file_modification_openat
+  - audit_rules_unsuccessful_file_modification_truncate
+  - audit_rules_kernel_module_loading_delete
+  - audit_rules_kernel_module_loading_finit
+  - audit_rules_kernel_module_loading_init
+  - audit_rules_login_events_lastlog
+  - audit_rules_privileged_commands_chage
+  - audit_rules_privileged_commands_chsh
+  - audit_rules_privileged_commands_crontab
+  - audit_rules_privileged_commands_gpasswd
+  - audit_rules_privileged_commands_kmod
+  - audit_rules_privileged_commands_newgrp
+  - audit_rules_privileged_commands_pam_timestamp_check
+  - audit_rules_privileged_commands_passwd
+  - audit_rules_privileged_commands_postdrop
+  - audit_rules_privileged_commands_postqueue
+  - audit_rules_privileged_commands_ssh_agent
+  - audit_rules_privileged_commands_ssh_keysign
+  - audit_rules_privileged_commands_su
+  - audit_rules_privileged_commands_sudo
+  - audit_rules_privileged_commands_sudoedit
+  - audit_rules_privileged_commands_unix_chkpwd
+  - audit_rules_privileged_commands_unix_update
+  - audit_rules_privileged_commands_userhelper
+  - audit_rules_privileged_commands_usermod
+  - audit_rules_media_export
+  - audit_rules_sudoers
+  - audit_rules_sudoers_d
+  - audit_rules_usergroup_modification_group
+  - audit_rules_usergroup_modification_gshadow
+  - audit_rules_usergroup_modification_opasswd
+  - audit_rules_usergroup_modification_passwd
+  - audit_rules_usergroup_modification_shadow
+  - audit_immutable_login_uids
+  status: automated

controls/srg_ctr/SRG-APP-000496-CTR-001240.yml

@@ -6,4 +6,16 @@ controls:
     attempts to modify security objects occur.
   related_rules:
   - audit_profile_set
-  status: inherently met
+  rules:
+  - audit_rules_dac_modification_fremovexattr
+  - audit_rules_dac_modification_fsetxattr
+  - audit_rules_dac_modification_lremovexattr
+  - audit_rules_dac_modification_lsetxattr
+  - audit_rules_dac_modification_removexattr
+  - audit_rules_execution_chcon
+  - audit_rules_execution_semanage
+  - audit_rules_execution_setfiles
+  - audit_rules_execution_setsebool
+  - audit_rules_usergroup_modification_opasswd
+  status: automated
+