scap-security-guide/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch

303 lines
12 KiB
Diff
Raw Normal View History

From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 Jul 2022 13:49:05 +0200
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index dcc41970043..0902abf58db 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,10 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - disable_users_coredumps
- sysctl_kernel_core_pattern
- - coredump_disable_storage
- - coredump_disable_backtraces
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
- enable_authselect
From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 12:17:27 +0200
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
---
shared/templates/sysctl/oval.template | 5 -----
1 file changed, 5 deletions(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 1a7c4979bbe..e0c6f72f928 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -17,13 +17,8 @@
{{% endif %}}
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
-{{%- if SYSCTLVAL == "" -%}}
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-{{%- else -%}}
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-{{%- endif -%}}
{{%- endmacro -%}}
{{%- if "P" in FLAGS -%}}
From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 13:00:45 +0200
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
---
.../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
new file mode 100644
index 00000000000..7fa36fb940e
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Configure file name of core dumps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+
+rationale: |-
+ The default coredump filename is <pre>core</pre>. By setting
+ <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+ <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+ <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+ <pre>.PID</pre> will be appended to the filename.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86003-1
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_uses_pid
+ datatype: int
+ sysctlval: '0'
From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 09:08:37 +0200
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
---
.../rule.yml | 49 +++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
new file mode 100644
index 00000000000..089bb1481aa
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Disable storing core dumps'
+
+description: |-
+ The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
+ name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+ behaves differently based on another related option. If
+ <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
+ <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
+ created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
+ <tt>0</tt>, no coredump is saved.
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data and is generally useful
+ only for developers trying to debug problems.
+
+severity: medium
+
+requires:
+ - sysctl_kernel_core_uses_pid
+
+conflicts:
+ - sysctl_kernel_core_pattern
+
+identifiers:
+ cce@rhel9: CCE-86005-6
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: |-
+ the returned line does not have a value of ''.
+
+ocil: |
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_pattern
+ sysctlval: "''"
+ datatype: string
From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 10:40:47 +0200
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
---
products/rhel9/profiles/ospp.profile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0902abf58db..b1b18261d48 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,8 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern
+ - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
- enable_authselect
From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 13:01:12 +0200
Subject: [PATCH 6/8] describe beneficial dependency between
sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
---
.../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index 7fa36fb940e..d6d2c468c10 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
rationale: |-
- The default coredump filename is <pre>core</pre>. By setting
- <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
- <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
- <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
- <pre>.PID</pre> will be appended to the filename.
+ The default coredump filename is <tt>core</tt>. By setting
+ <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
+ <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
+ <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
+ <tt>.PID</tt> will be appended to the filename.
+ When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
+ is ensured that no core dumps are generated and also no confusing error
+ messages are printed by a shell.
severity: medium
From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 10:53:37 +0200
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
sysctl_kernel_core_pattern_empty_string
they are modifying the same configuration
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index 771c4d40e0f..c27a9e7ecf3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
severity: medium
+conflicts:
+ - sysctl_kernel_core_pattern_empty_string
+
identifiers:
cce@rhcos4: CCE-82527-3
cce@rhel8: CCE-82215-5
From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 9 Aug 2022 16:43:20 +0200
Subject: [PATCH 8/8] fix ocils
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
.../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index c27a9e7ecf3..1a540ce20b3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -29,7 +29,10 @@ references:
stigid@ol8: OL08-00-010671
stigid@rhel8: RHEL-08-010671
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: |-
+ the returned line does not have a value of "|/bin/false", or a line is not
+ returned and the need for core dumps is not documented with the Information
+ System Security Officer (ISSO) as an operational requirement
ocil: |
{{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index d6d2c468c10..8f51f97c16c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -24,10 +24,10 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: 'the returned line does not have a value of 0'
ocil: |-
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
platform: machine