Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add RHCOS STIG content and enable for NIST #6046

Merged
merged 4 commits into from
Dec 2, 2020

Conversation

redhatrises
Copy link
Contributor

@redhatrises redhatrises commented Sep 3, 2020

Description:

  • Enable draft STIG for RHCOS
  • Enable rules for RHCOS4 that are in the draft STIG
  • Enable building of NIST Refs, CCE, and STIG tables

@redhatrises redhatrises marked this pull request as draft September 3, 2020 21:40
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 3, 2020
@mildas
Copy link
Contributor

mildas commented Sep 3, 2020

Changes identified:
Profile ospp on rhcos4:
 Newly added profile.
Profile stig on rhcos4:
 STIG profile extends changed OSPP profile.
 Newly added profile.

Recommended tests to execute:
 build_product rhcos4
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml ospp

@openshift-ci-robot openshift-ci-robot added the needs-rebase Used by openshift-ci bot. label Sep 29, 2020
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Used by openshift-ci bot. label Sep 29, 2020
@redhatrises redhatrises marked this pull request as ready for review September 29, 2020 22:06
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 29, 2020
@redhatrises
Copy link
Contributor Author

Moving this out of draft mode as the content builds correctly.

@@ -0,0 +1,23 @@
documentation_complete: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this is a draft, why not set documentation_complete: false?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JAORMX Need it to build so that updated transmission to DISA can happen.

- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour

# zIPl specific rules
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@evgenyz is working on an alternative for kernel parameters: #6100 perhaps those names could be added here but commented out in the meantime?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?

- configure_crypto_policy
- configure_ssh_crypto_policy
- configure_openssl_crypto_policy
- configure_libreswan_crypto_policy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's comment this out for now since libreswan is not available in RHCOS

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, no. But it was submitted as part of the draft STIG. Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules.

- grub2_vsyscall_argument
- grub2_vsyscall_argument.role=unscored
- grub2_vsyscall_argument.severity=info
- grub2_pti_argument
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@evgenyz is working on an alternative for kernel parameters: #6100 perhaps those names could be added here but commented out in the meantime?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?

- selinux_policytype

### Application Whitelisting (RHEL 8)
- package_fapolicyd_installed
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these rules relevant since fapolicyd is not part of RHCOS?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a requirement for STIG, yes.

### Configure USBGuard
- service_usbguard_enabled
- configure_usbguard_auditbackend
- usbguard_allow_hid_and_hub
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these rules relevant since usbguard is not part of RHCOS?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We gotta research the extension mechanism in RHCOS [1], we could install usbguard nowadays with that.

[1] openshift/enhancements#317

## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- grub2_disable_interactive_boot
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we know if these rules work with the RHCOS bootloader?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good question. Something we gotta research.

- accounts_tmout
- sudo_remove_no_authenticate
- sudo_remove_nopasswd
- sudo_require_authentication
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default the core user is a member of the sudo group which has %sudo ALL=(ALL) NOPASSWD: ALL set in sudoers, this likely clash with the sudo rules above. Just saying.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, however it is a problem to just sudo without password. Also, I believe that the recommended guidance that we are going to also give is to remove the core user.

@jhrozek
Copy link
Collaborator

jhrozek commented Sep 30, 2020 via email

@redhatrises
Copy link
Contributor Author

On Wed, Sep 30, 2020 at 09:15:50AM -0700, Gabe Alford wrote: @redhatrises commented on this pull request. > + - accounts_umask_etc_bashrc + - accounts_umask_etc_csh_cshrc + + ### Software update + - ensure_redhat_gpgkey_installed + + ### Kernel Config + ## Boot prompt + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_slub_debug_argument + - grub2_page_poison_argument + - grub2_vsyscall_argument + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - grub2_pti_argument Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?
I guess? I haven't tested the rules, but I guess at worst the grub config file wouldn't be there and the result wouldn't be compliant.

True. Equally, we aren't testing it yet either in CI/CD, but since this is draft and under review, which not only are there bound to be errors, but it the draft could change as well too.

@openshift-ci-robot
Copy link
Collaborator

@redhatrises: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-ocp4-cis 202807a link /test e2e-aws-ocp4-cis
ci/prow/e2e-aws-ocp4-cis-node 202807a link /test e2e-aws-ocp4-cis-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@redhatrises
Copy link
Contributor Author

/retest

@redhatrises
Copy link
Contributor Author

@openscap-ci test this please

@openscap-ci
Copy link
Collaborator

openscap-ci commented Nov 3, 2020

Changes identified:
Profiles:
 ospp on rhcos4
 stig on rhcos4

Show details

Profile ospp on rhcos4:
 Newly added profile.
Profile stig on rhcos4:
 Newly added profile.
 STIG profile extends changed OSPP profile.

Recommended tests to execute:
 build_product rhcos4
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml ospp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml stig

@JAORMX
Copy link
Contributor

JAORMX commented Nov 3, 2020

Might wanna rebase this

@redhatrises
Copy link
Contributor Author

Might wanna rebase this

Yeah... I was just wanting fresh tests.

@redhatrises redhatrises force-pushed the enable_rhcos branch 2 times, most recently from 32fab46 to 4bd1be1 Compare November 4, 2020 22:32
@carlosmmatos carlosmmatos merged commit cedc4f6 into ComplianceAsCode:master Dec 2, 2020
@redhatrises redhatrises deleted the enable_rhcos branch December 2, 2020 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants