From 34b3a0af532edd10991b548028e221b7b10dda23 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 10 Aug 2022 12:41:23 +0200 Subject: [PATCH] apply updates related to RHEL9 OSPP profile Resolves: rhbz#1998583 Resolves: rhbz#2081688 Resolves: rhbz#2081728 Resolves: rhbz#2092799 Resolves: rhbz#2108569 Resolves: rhbz#2114979 --- ...1.64-audit_rules_for_ppc64le-PR_9124.patch | 2093 +++++++++++++++++ ...-authselect_minimal_for_ospp-PR_9298.patch | 90 + ...1.64-coredump_rules_for_ospp-PR_9285.patch | 302 +++ ...ssl_cryptopolicy_remediation-PR_9194.patch | 47 + ...uire_single_user_description-PR_9256.patch | 29 + ...late_extension_and_bpf_rules-PR_9147.patch | 1888 +++++++++++++++ scap-security-guide.spec | 17 +- 7 files changed, 4465 insertions(+), 1 deletion(-) create mode 100644 scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch create mode 100644 scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch create mode 100644 scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch create mode 100644 scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch create mode 100644 scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch create mode 100644 scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch diff --git a/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch b/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch new file mode 100644 index 0000000..9970f6d --- /dev/null +++ b/scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch 
@@ -0,0 +1,2093 @@ +From 1f53aae9b711466ce3d8f5d72d544c16024b6f7f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 13:21:36 +0200 +Subject: [PATCH 01/18] add ppc64le applicability platform + +--- + shared/applicability/arch.yml | 6 ++++ + ...proc_sys_kernel_osrelease_arch_ppc64le.xml | 33 +++++++++++++++++++ + 2 files changed, 39 insertions(+) + create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml + +diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml +index cb64a037192..1223001846a 100644 +--- a/shared/applicability/arch.yml ++++ b/shared/applicability/arch.yml +@@ -28,3 +28,9 @@ cpes: + bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease' + ansible_conditional: 'ansible_architecture == "aarch64"' + ++ - ppc64le_arch: ++ name: "cpe:/a:ppc64le_arch" ++ title: "System architecture is ppc64le" ++ check_id: proc_sys_kernel_osrelease_arch_ppc64le ++ bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease' ++ ansible_conditional: 'ansible_architecture == "ppc64le"' +diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml +new file mode 100644 +index 00000000000..058de0db5e7 +--- /dev/null ++++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml +@@ -0,0 +1,33 @@ ++ ++ ++ ++ Test that the architecture is ppc64le ++ ++ multi_platform_all ++ ++ Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/sys/kernel/osrelease ++ ^.*\.(.*)$ ++ 1 ++ ++ ++ ++ ^ppc64le$ ++ ++ + +From ced2b8699637af0f75786bd07f2944a6febaa531 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 13:46:47 +0200 +Subject: [PATCH 02/18] add audit_access_failed_ppc64le + +--- + .../policy_rules/audit_access_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 ++++++ + .../audit_access_failed_ppc64le/rule.yml | 54 +++++++++++++++++++ + 3 files 
changed, 70 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +index 87fc33ad041..74f92b94762 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..412c67f15a1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A ++ 
mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..f764da506e9 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file accesses (ppc64le)' ++ ++{{% set file_contents_audit_access_failed = ++"## Unsuccessful file access (any other opens) This has to go last. ++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access ++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to access a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_access_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85953-8 ++ cce@rhel9: CCE-85955-3 ++ ++references: ++ ism: 0582,0584,05885,0586,0846,0957 ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_access_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules ++ contents: |- ++ {{{ file_contents_audit_access_failed|indent(12) }}} + +From 6c9b276ce50932934afa4e1af38ee5cd88166580 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 13:56:29 +0200 +Subject: [PATCH 03/18] add audit_access_success ppc64le + +--- + .../audit_access_success/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 ++++++ + .../audit_access_success_ppc64le/rule.yml | 54 +++++++++++++++++++ + 3 files changed, 70 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +index 284ed1756ff..7646d5f9f4b 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml +@@ -27,7 +27,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..372b7c27c76 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ 
ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copenat2%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..b76fe0b4a4e +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file accesses (ppc64le)' ++ ++{{% set file_contents_audit_access_success = ++"## Successful file access (any other opens) This has to go last. ++## These next two are likely to result in a whole lot of events ++-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access" %}} ++ ++description: |- ++ Ensure that successful attempts to access a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_access_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful attempts to access a file helps in investigation of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85960-3 ++ cce@rhel9: CCE-85961-1 ++ ++references: ++ ism: 0582,0584,05885,0586,0846,0957 ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_access_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules ++ contents: |- ++ {{{ file_contents_audit_access_success|indent(12) }}} + +From 7a343648d9e206a1b981f4235daeb9dd3cd475dc Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:01:03 +0200 +Subject: [PATCH 04/18] add audit_create_failed ppc64le + +--- + .../policy_rules/audit_create_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 +++++ + .../audit_create_failed_ppc64le/rule.yml | 57 +++++++++++++++++++ + 3 files changed, 73 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +index f4da514e080..ac5e1f97413 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml +@@ -36,7 +36,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..08c8dc85507 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 
3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-create%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..ead598f8b9a +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file creations (ppc64le)' ++ ++{{% set file_contents_audit_create_failed = ++"## Unsuccessful file creation (open with O_CREAT) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a 
always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create ++-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to create a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_create_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85962-9 ++ cce@rhel9: CCE-85965-2 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_create_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules ++ contents: |- ++ {{{ file_contents_audit_create_failed|indent(12) }}} + +From c433196a29cfcf5b3dca2f3cde7dc230f43a181e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:03:38 +0200 +Subject: [PATCH 05/18] add audit_create_success ppc64le + +--- + .../audit_create_success/rule.yml | 2 +- + .../audit_create_success_ppc64le/rule.yml | 54 +++++++++++++++++++ + 2 files changed, 55 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +index 43e8674178b..21e71077030 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml +@@ -30,7 +30,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +new file mode 100644 +index 00000000000..294947c14ba +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +@@ -0,0 +1,54 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file creations (ppc64le)' ++ ++{{% set file_contents_audit_create_success = ++"## Successful file creation (open with O_CREAT) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create ++-a always,exit -F arch=b64 -S creat -F success=1 -F 
auid>=1000 -F auid!=unset -F key=successful-create" %}} ++ ++description: |- ++ Ensure that successful attempts to create a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_create_success |indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85966-0 ++ cce@rhel9: CCE-85968-6 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_create_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-1-create-success.rules ++ contents: |- ++ {{{ file_contents_audit_create_success|indent(12) }}} + +From d8593e7d56ed85f34f228b24526b703eed141071 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:07:50 +0200 +Subject: [PATCH 06/18] add audit_delete_failed ppc64le + +--- + .../policy_rules/audit_delete_failed/rule.yml | 2 +- + .../kubernetes/shared.yml | 15 +++++ + .../audit_delete_failed_ppc64le/rule.yml | 65 +++++++++++++++++++ + 3 files changed, 81 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +index 07ed41a9c4f..5ac68376970 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..2fb2c25aa30 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ 
ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..c8c532cb3bb +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +@@ -0,0 +1,65 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file deletions (ppc64le)' ++ ++{{% set file_contents_audit_delete_failed = ++"## Unsuccessful file delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to delete a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_delete_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85969-4 ++ cce@rhel9: CCE-85970-2 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_delete_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ contents: |- ++ {{{ file_contents_audit_delete_failed|indent(12) }}} ++ ++fixtext: |- ++ Configure {{{ full_name }}} to audit all unsuccessful attempts to delete a file. ++ ++ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules" with the exactly following content: ++ ++ {{{ file_contents_audit_delete_failed|indent(4) }}} ++ ++ Then, run the following commands: ++ ++ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules ++ $ sudo augenrules --load + +From 364e30b710df1f58a004edce60cfc6043d0aed3b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 8 Jul 2022 14:12:20 +0200 +Subject: [PATCH 07/18] add audit_delete_success ppc64le + +--- + .../audit_delete_success/rule.yml | 2 +- + .../kubernetes/shared.yml | 7 ++ + .../audit_delete_success_ppc64le/rule.yml | 64 +++++++++++++++++++ + 3 files changed, 72 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +index 93b42e3f4d6..b2fc0cca348 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml +@@ -26,7 +26,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..3734328c9e1 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,7 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++ ++{{% set file_contents = """## Successful file delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete""" -%}} ++ ++{{{- kubernetes_machine_config_file(path='/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules', file_permissions_mode='0600', source=file_contents) }}} +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..35362051948 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +@@ -0,0 +1,64 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file deletions (ppc64le)' ++ ++{{% set file_contents_audit_delete_success = ++"## Successful file delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete" %}} ++ ++description: |- ++ Ensure that successful attempts to delete a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_delete_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85974-4 ++ cce@rhel9: CCE-85976-9 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_delete_success|indent }}}    
++
++template:
++ name: audit_file_contents
++ vars:
++ filepath: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
++ contents: |-
++ {{{ file_contents_audit_delete_success|indent(12) }}}
++
++fixtext: |-
++ Configure {{{ full_name }}} to audit all successful attempts to delete a file.
++
++ Create file "/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules" with the exactly following content:
++
++ {{{ file_contents_audit_delete_success|indent(4) }}}
++
++ Then, run the following commands:
++
++ $ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
++ $ sudo augenrules --load
+
+From 3bb8799b634e8ec164a6ff7287df92e9519c1a47 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Fri, 8 Jul 2022 14:16:37 +0200
+Subject: [PATCH 08/18] add audit_modify_failed ppc64le
+
+---
+ .../policy_rules/audit_modify_failed/rule.yml | 2 +-
+ .../kubernetes/shared.yml | 15 +++++
+ .../audit_modify_failed_ppc64le/rule.yml | 57 +++++++++++++++++++
+ 3 files changed, 73 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml
+
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+index e4d042a50cb..16c7ca38e5a 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
+@@ -36,7 +36,7 @@ rationale: |-
+ # so do not apply this rule but apply the specific one instead
+ {{% if product == "rhel9" %}}
+ platforms:
+- - not aarch64_arch
++ - not aarch64_arch and not ppc64le_arch
+ {{% endif %}}
+
+ identifiers:
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml 
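Review bot: The fixtext's chmod in this new rule.yml targets the wrong file: it hardens `30-ospp-v42-4-delete-failed.rules` while the template, the OCIL and the "Create file" sentence of the same rule all refer to `30-ospp-v42-4-delete-success.rules`, so an operator following the manual remediation leaves the success rules file untouched. Change the line to `$ sudo chmod o-rwx /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules`. The kubernetes remediation for this rule sets `file_permissions_mode='0600'` whereas the fixtext only strips other-access, so the two remediations may end up with different modes; `chmod 0600` in the fixtext would align them. The description's note also misspells "alligned", which should read "aligned".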
b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml +new file mode 100644 +index 00000000000..f07ff3607ae +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/kubernetes/shared.yml +@@ -0,0 +1,15 @@ ++--- ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos ++apiVersion: machineconfiguration.openshift.io/v1 ++kind: MachineConfig ++spec: ++ config: ++ ignition: ++ version: 3.1.0 ++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml 
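Review bot: The audit rule text in this MachineConfig is hand-encoded as a `data:` URL, so it has to be kept in sync by hand with the `file_contents_audit_modify_failed` block in the sibling rule.yml; the delete-success variant added earlier in this same patch instead builds the object with `kubernetes_machine_config_file(path=..., file_permissions_mode='0600', source=file_contents)` from a Jinja string. Using the macro here, and in the other hand-encoded MachineConfigs of this series, would remove the duplicated copy of the rules and make a later rule change a one-place edit. If the macro is deliberately avoided for this file, a one-line comment above `apiVersion:` saying why would help the next reader.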
+new file mode 100644 +index 00000000000..d5d11a0f214 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful file modifications (ppc64le)' ++ ++{{% set file_contents_audit_modify_failed = ++"## Unsuccessful file modifications (open for write or truncate) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to modify a file are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_modify_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85977-7 ++ cce@rhel9: CCE-85978-5 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_modify_failed|indent }}}    
++
++template:
++ name: audit_file_contents
++ vars:
++ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
++ contents: |-
++ {{{ file_contents_audit_modify_failed|indent(12) }}}
+
+From 86196a6512dab40e8bed5a06ea0581f2290d5ad8 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Fri, 8 Jul 2022 14:20:01 +0200
+Subject: [PATCH 09/18] add audit modify_success ppc64le
+
+---
+ .../audit_modify_success/rule.yml | 2 +-
+ .../kubernetes/shared.yml | 15 +++++
+ .../audit_modify_success_ppc64le/rule.yml | 55 +++++++++++++++++++
+ 3 files changed, 71 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml
+
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+index 4c65055f577..cafc88f49b7 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
+@@ -31,7 +31,7 @@ rationale: |-
+ # so do not apply this rule but apply the specific one instead
+ {{% if product == "rhel9" %}}
+ platforms:
+- - not aarch64_arch
++ - not aarch64_arch and not ppc64le_arch
+ {{% endif %}}
+
+ identifiers:
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
+new file mode 100644
+index 00000000000..92310b9772e
+--- /dev/null
++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/kubernetes/shared.yml
+@@ -0,0 +1,15 @@
++---
++# platform = multi_platform_rhel,multi_platform_fedora
++apiVersion: machineconfiguration.openshift.io/v1
++kind: MachineConfig
++spec:
++ config:
++ ignition:
++ version: 3.1.0 
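Review bot: This rule.yml ends at the `template:` section and carries no `fixtext`, while the `audit_delete_success_ppc64le` rule added in the same series documents the manual remediation (create the file, `chmod`, `augenrules --load`), so readers of the rendered guide for this rule get only the OCIL check. Adding the same three-step fixtext with the file path `/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules` would keep the ppc64le rules uniform. The description's note also has the typo "alligned" for "aligned", repeated in every ppc64le rule of this series.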
++ storage: ++ files: ++ - contents: ++ source: data:,%23%23%20Successful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20success%3D1%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-modification%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..e45015e5949 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +@@ -0,0 +1,55 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful file modifications (ppc64le)' ++ ++{{% set file_contents_audit_modify_success = ++"## Successful file modifications (open for write or truncate) ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification ++-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification" %}} ++ ++description: |- ++ Ensure that successful attempts to modify a file are audited. ++ ++ The following rules configure audit as described above: ++
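Review bot: The platform comment of this MachineConfig, `# platform = multi_platform_rhel,multi_platform_fedora`, omits `multi_platform_rhcos`, whereas the rule's prodtype lists `rhcos4` and the sibling `audit_modify_failed_ppc64le` and `audit_module_load_ppc64le` MachineConfigs in this series use `multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos`. If the build honors that comment the way it does for the siblings, the OpenShift remediation for successful file modifications on ppc64le is presumably never emitted for rhcos4. Change it to `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos` unless the omission is deliberate, in which case a comment explaining why is warranted.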
{{{ file_contents_audit_modify_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++ ++rationale: |- ++ Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85979-3 ++ cce@rhel9: CCE-85980-1 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_modify_success|indent }}}    
++
++template:
++ name: audit_file_contents
++ vars:
++ filepath: /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
++ contents: |-
++ {{{ file_contents_audit_modify_success|indent(12) }}}
+
+From 4b3fc315e2e946f103826ac010a056390c906aca Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Fri, 8 Jul 2022 14:23:45 +0200
+Subject: [PATCH 10/18] add audit_module_load ppc64le
+
+---
+ .../policy_rules/audit_module_load/rule.yml | 3 ++
+ .../kubernetes/shared.yml | 15 ++++++
+ .../audit_module_load_ppc64le/rule.yml | 52 +++++++++++++++++++
+ 3 files changed, 70 insertions(+)
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml
+
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+index 5e840fca5a3..b04d879a9c0 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
+@@ -26,6 +26,9 @@ rationale: |-
+
+ severity: medium
+
++platforms:
++ - not ppc64le_arch
++
+ identifiers:
+ cce@rhel8: CCE-82838-4
+ cce@rhel9: CCE-90814-5
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
+new file mode 100644
+index 00000000000..231034a9c54
+--- /dev/null
++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/kubernetes/shared.yml
+@@ -0,0 +1,15 @@
++---
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
++apiVersion: machineconfiguration.openshift.io/v1
++kind: MachineConfig
++spec:
++ config:
++ ignition:
++ version: 3.1.0
++ storage:
++ files:
++ - contents:
++ source: 
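Review bot: The `platforms: - not ppc64le_arch` added to the generic audit_module_load rule is unconditional, whereas every other generic rule touched in this series wraps its exclusion in `{{% if product == "rhel9" %}} ... {{% endif %}}` and precedes it with a comment saying the arch-specific rule is applied instead. As written, a rhel8 or ol8 profile that selects `audit_module_load` but not `audit_module_load_ppc64le` would leave ppc64le hosts with no module-load auditing at all; the profile files are not visible from this hunk, so please confirm the ppc64le variant is selected everywhere the generic one is. If the broader exclusion is intended, a comment like the siblings' `# so do not apply this rule but apply the specific one instead` above `platforms:` would document it.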
data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/43-module-load.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +new file mode 100644 +index 00000000000..3f59eecec86 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)' ++ ++{{% set file_contents_audit_module_load = ++"## These rules watch for kernel module insertion. By monitoring ++## the syscall, we do not need any watches on programs. ++-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load ++-a always,exit -F arch=b64 -S delete_module -F key=module-unload" %}} ++ ++description: |- ++ Ensure that loading and unloading of kernel modules is audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_module_load|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++rationale: |- ++ Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85981-9 ++ cce@rhel9: CCE-85982-7 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222,SRG-OS-000475-GPOS-00220 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/43-module-load.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_module_load|indent }}}    
++
++template:
++ name: audit_file_contents
++ vars:
++ filepath: /etc/audit/rules.d/43-module-load.rules
++ contents: |-
++ {{{ file_contents_audit_module_load|indent(12) }}}
+
+From 3265584f7f4396ee037f675a4994a1e85e26564b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Fri, 8 Jul 2022 14:34:25 +0200
+Subject: [PATCH 11/18] add audit_ospp_general ppc64le
+
+---
+ .../policy_rules/audit_ospp_general/rule.yml | 2 +-
+ .../kubernetes/shared.yml | 15 ++
+ .../audit_ospp_general_ppc64le/rule.yml | 132 ++++++++++++++++++
+ 3 files changed, 148 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
+ create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml
+
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+index e82c5aee936..93417f4cf6d 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+@@ -109,7 +109,7 @@ rationale: |-
+ # so do not apply this rule but apply the specific one instead
+ {{% if product == "rhel9" %}}
+ platforms:
+- - not aarch64_arch
++ - not aarch64_arch and not ppc64le_arch
+ {{% endif %}}
+
+ identifiers:
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
+new file mode 100644
+index 00000000000..fa81ece03c6
+--- /dev/null
++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/kubernetes/shared.yml
+@@ -0,0 +1,15 @@
++---
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
++apiVersion: machineconfiguration.openshift.io/v1
++kind: MachineConfig
++spec:
++ config:
++ ignition:
++ version: 3.1.0
++ 
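Review bot: The description of this rule lacks the `Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1 ...` paragraph that every other ppc64le rule in this series places after `augenrules --load`, so someone reusing the rule outside OSPP is not warned to review the contents here. The rationale also reads `the module has access to sensitive data and perform actions at the operating system kernel level`; `and can perform actions` fixes the grammar. Like the siblings, the rule has no `fixtext`; adding the shared note and a fixtext for `/etc/audit/rules.d/43-module-load.rules` keeps the ppc64le rule set uniform.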
storage: ++ files: ++ - contents: ++ source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20%2Fetc%2Faudit%2Frules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20%2Fusr%2Fshare%2Faudit%2Fsample-rules%2F%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D%2Fetc%2Fshadow%20-F%20auid%3E%3D1000%20-
F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fpasswd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgroup%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fgshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Funix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fusernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fuserhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fsbin%2Fseunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fmount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20au
id%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fgpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fnewgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fumount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fcrontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D%2Fusr%2Fbin%2Fat%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Watch%20for%20configuration%20changes%20to%20privilege%20escalation.%0A-a%20always%2Cexit%20-F%20path%3D%2Fetc%2Fsudoers%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fsudoers.d%2F%20-F%20perm%3Dwa%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D%2Fvar%2Flog%2Faudit%2F%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D%2Fv
ar%2Frun%2Futmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fbtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D%2Fvar%2Flog%2Fwtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D%2Fetc%2Fselinux%2F%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A ++ mode: 0600 ++ path: /etc/audit/rules.d/30-ospp-v42.rules ++ overwrite: true +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +new file mode 100644 +index 00000000000..8d408578c3a +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +@@ -0,0 +1,132 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Perform general configuration of Audit for OSPP (ppc64le)' ++ ++{{% set file_contents_audit_ospp_general = ++"## The purpose of these rules is to meet the requirements for Operating ++## System Protection Profile (OSPP)v4.2. 
These rules depends on having ++## the following rule files copied to /etc/audit/rules.d: ++## ++## 10-base-config.rules, 11-loginuid.rules, ++## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, ++## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, ++## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, ++## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, ++## 30-ospp-v42-5-perm-change-failed.rules, ++## 30-ospp-v42-5-perm-change-success.rules, ++## 30-ospp-v42-6-owner-change-failed.rules, ++## 30-ospp-v42-6-owner-change-success.rules ++## ++## original copies may be found in /usr/share/audit/sample-rules/ ++ ++ ++## User add delete modify. This is covered by pam. However, someone could ++## open a file and directly create or modify a user, so we'll watch passwd and ++## shadow for writes ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify ++ ++## User enable and disable. This is entirely handled by pam. ++ ++## Group add delete modify. This is covered by pam. 
However, someone could ++## open a file and directly create or modify a user, so we'll watch group and ++## gshadow for writes ++-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify ++-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify ++ ++ ++## Use of special rights for config changes. This would be use of setuid ++## programs that relate to user accts. This is not all setuid apps because ++## requirements are only for ones that affect system configuration. ++-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F 
path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ++ ++## Privilege escalation via su or sudo. This is entirely handled by pam. ++ ++## Watch for configuration changes to privilege escalation. ++-a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes ++-a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes ++ ++## Audit log access ++-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail ++## Attempts to Alter Process and Session Initiation Information ++-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session ++ ++## Attempts to modify MAC controls ++-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy ++ ++## Software updates. This is entirely handled by rpm. ++ ++## System start and shutdown. This is entirely handled by systemd ++ ++## Kernel Module loading. This is handled in 43-module-load.rules ++ ++## Application invocation. The requirements list an optional requirement ++## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to ++## state results from that policy. This would be handled entirely by ++## that daemon." %}} ++ ++description: |- ++ Configure some basic Audit parameters specific for OSPP profile. ++ In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. 
++ Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_ospp_general|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85983-5 ++ cce@rhel9: CCE-85984-3 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000004-GPOS-00004,SRG-OS-000241-GPOS-00091,SRG-OS-000476-GPOS-00221,SRG-OS-000327-GPOS-00127,SRG-OS-000475-GPOS-00220,SRG-OS-000239-GPOS-00089,SRG-OS-000274-GPOS-00104,SRG-OS-000275-GPOS-00105,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_ospp_general|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42.rules ++ contents: |+ ++ {{{ file_contents_audit_ospp_general|indent(12) }}} ++#do not remove this comment, it stops Jinja from including more blank lines to the variable + +From 33d024e126e207e9b1e79b8946bcd2cf4cfc864c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:08:54 +0200 +Subject: [PATCH 12/18] add audit_owner_change_failed ppc64le + +--- + .../audit_owner_change_failed/rule.yml | 2 +- + .../rule.yml | 53 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 54 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +index 09c29fb1421..630c54693b5 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..6324bb4fd3b +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +@@ -0,0 +1,53 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' ++ ++{{% set file_contents_audit_owner_change_failed = ++"## Unsuccessful 
ownership change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change ++-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to change an ownership of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_owner_change_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85985-0 ++ cce@rhel9: CCE-85988-4 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_owner_change_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules ++ contents: |- ++ {{{ file_contents_audit_owner_change_failed|indent(12) }}} + +From a7d6fd67d0916baa324d9d342073b93f386004ce Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:11:38 +0200 +Subject: [PATCH 13/18] add audit_owner_change_success aarch64 + +--- + .../audit_owner_change_success/rule.yml | 2 +- + .../rule.yml | 52 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 53 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +index 934739fd043..744249d8740 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml +@@ -26,7 +26,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..62639140885 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful ownership changes (ppc64le)' ++ ++{{% set file_contents_audit_owner_change_success = ++"## Successful ownership change ++-a always,exit -F arch=b64 -S 
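Review bot: The rule content in the `{{% set file_contents_audit_owner_change_failed … %}}` block carries only `arch=b64` lines, and nothing in the file records why this ppc64le variant differs from the generic rule; a comment above the set block such as `# ppc64le kernels provide no 32-bit compat syscall ABI, so only arch=b64 rules are needed here (confirm against the RHEL9 ppc64le kernel config)` would stop a later editor from "completing" it with b32 lines that do not apply. The Note paragraph in the description also misspells "aligned" (`... make sure that they are aligned with your needs.`); the same sentence appears in the owner_change_success, perm_change_failed and perm_change_success hunks that follow and should be fixed there too.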
lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change" %}} ++ ++description: |- ++ Ensure that successful attempts to change an ownership of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_owner_change_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85997-5 ++ cce@rhel9: CCE-85998-3 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_owner_change_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules ++ contents: |- ++ {{{ file_contents_audit_owner_change_success|indent(12) }}} + +From 0e86aaed2dbe0d215d73e02565ab7eaefe803c70 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:13:57 +0200 +Subject: [PATCH 14/18] add audit_perm_change_failed for ppc64le + +--- + .../audit_perm_change_failed/rule.yml | 2 +- + .../audit_perm_change_failed_ppc64le/rule.yml | 53 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 54 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +index 3f7db62b615..0870d41738e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml +@@ -28,7 +28,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +new file mode 100644 +index 00000000000..e55de06efc0 +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +@@ -0,0 +1,53 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of unsuccessful permission changes (ppc64le)' ++ ++{{% set file_contents_audit_perm_change_failed = ++"## Unsuccessful permission change ++-a always,exit -F 
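Review bot: The inner commit subject `[PATCH 13/18] add audit_owner_change_success aarch64` names aarch64 although the patch creates the ppc64le variant (`audit_owner_change_success_ppc64le/rule.yml`); since this text ships inside the .patch file the spec applies, it is worth correcting to `add audit_owner_change_success ppc64le` so anyone tracing the change later is not misled. The rationale line in the new rule also has `investingating` where `investigating` is meant.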
arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change" %}} ++ ++description: |- ++ Ensure that unsuccessful attempts to change file or directory permissions are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_perm_change_failed|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-85999-1 ++ cce@rhel9: CCE-86000-7 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_perm_change_failed|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules ++ contents: |- ++ {{{ file_contents_audit_perm_change_failed|indent(12) }}} + +From c4df26914cc7dc0911f08950be391a31faae8d63 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:16:05 +0200 +Subject: [PATCH 15/18] add audit_perm_change_success ppc64le + +--- + .../audit_perm_change_success/rule.yml | 2 +- + .../rule.yml | 52 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 3 files changed, 53 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +index 4a67bfde428..e0ff8648348 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml +@@ -26,7 +26,7 @@ rationale: |- + # so do not apply this rule but apply the specific one instead + {{% if product == "rhel9" %}} + platforms: +- - not aarch64_arch ++ - not aarch64_arch and not ppc64le_arch + {{% endif %}} + + identifiers: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +new file mode 100644 +index 00000000000..0cbb0f60e0c +--- /dev/null ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +@@ -0,0 +1,52 @@ ++documentation_complete: true ++ ++prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure auditing of successful permission changes (ppc64le)' ++ ++{{% set file_contents_audit_perm_change_success = ++"## Successful permission change ++-a always,exit -F arch=b64 -S 
chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change" %}} ++ ++description: |- ++ Ensure that successful attempts to modify permissions of files or directories are audited. ++ ++ The following rules configure audit as described above: ++
{{{ file_contents_audit_perm_change_success|indent }}}    
++ ++ Load new Audit rules into kernel by running: ++
augenrules --load
++ ++ Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs. ++ ++rationale: |- ++ Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. ++ ++severity: medium ++ ++platforms: ++ - ppc64le_arch ++ ++identifiers: ++ cce@rhel8: CCE-86001-5 ++ cce@rhel9: CCE-86002-3 ++ ++references: ++ nist: AU-2(a) ++ ospp: FAU_GEN.1.1.c ++ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000466-GPOS-00210,SRG-OS-000064-GPOS-00033 ++ ++ocil_clause: 'the file does not exist or the content differs' ++ ++ocil: |- ++ To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command: ++
cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
++ The output has to be exactly as follows: ++
{{{ file_contents_audit_perm_change_success|indent }}}    
++ ++template: ++ name: audit_file_contents ++ vars: ++ filepath: /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules ++ contents: |- ++ {{{ file_contents_audit_perm_change_success|indent(12) }}} + +From af066dd83f416d40eabe8b9cec584f726b37f14e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 11 Jul 2022 11:42:46 +0200 +Subject: [PATCH 16/18] add new rules to rhel9 ospp profile + +--- + products/rhel9/profiles/ospp.profile | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 1c97558669f..41930e4b840 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -279,35 +279,51 @@ selections: + - audit_immutable_login_uids + - audit_create_failed + - audit_create_failed_aarch64 ++ - audit_create_failed_ppc64le + - audit_create_success + - audit_create_success_aarch64 ++ - audit_create_success_ppc64le + - audit_modify_failed + - audit_modify_failed_aarch64 ++ - audit_modify_failed_ppc64le + - audit_modify_success + - audit_modify_success_aarch64 ++ - audit_modify_success_ppc64le + - audit_access_failed + - audit_access_failed_aarch64 ++ - audit_access_failed_ppc64le + - audit_access_success + - audit_access_success.severity=info + - audit_access_success.role=unscored + - audit_access_success_aarch64 + - audit_access_success_aarch64.severity=info + - audit_access_success_aarch64.role=unscored ++ - audit_access_success_ppc64le ++ - audit_access_success_ppc64le.severity=info ++ - audit_access_success_ppc64le.role=unscored + - audit_delete_failed + - audit_delete_failed_aarch64 ++ - audit_delete_failed_ppc64le + - audit_delete_success + - audit_delete_success_aarch64 ++ - audit_delete_success_ppc64le + - audit_perm_change_failed + - audit_perm_change_failed_aarch64 ++ - audit_perm_change_failed_ppc64le + - audit_perm_change_success + - audit_perm_change_success_aarch64 ++ - audit_perm_change_success_ppc64le + - 
audit_owner_change_failed + - audit_owner_change_failed_aarch64 ++ - audit_owner_change_failed_ppc64le + - audit_owner_change_success + - audit_owner_change_success_aarch64 ++ - audit_owner_change_success_ppc64le + - audit_ospp_general + - audit_ospp_general_aarch64 ++ - audit_ospp_general_ppc64le + - audit_module_load ++ - audit_module_load_ppc64le + + ## Enable Automatic Software Updates + ## SI-2 / FMT_MOF_EXT.1 (FMT_SMF_EXT.1) + +From 1fb5a22850fb1bfbaee76422ef57b3b631d4c91f Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 15 Jul 2022 10:40:07 +0200 +Subject: [PATCH 17/18] make newly added rules RHEL9 only + +- change their prodtype to rhel9 +- return rhel8 cces back to the pool +- make the platform in generic rule applicable only on rhel9 since on rhel8 the file content is the same regardless of the architecture +- remove rules from rhel8 profiles +--- + .../policy_rules/audit_access_failed/rule.yml | 4 ++++ + .../audit_access_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_access_success/rule.yml | 4 ++++ + .../audit_access_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_create_failed/rule.yml | 4 ++++ + .../audit_create_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_create_success/rule.yml | 4 ++++ + .../audit_create_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_delete_failed/rule.yml | 5 ++++- + .../audit_delete_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_delete_success/rule.yml | 4 ++++ + .../audit_delete_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_modify_failed/rule.yml | 4 ++++ + .../audit_modify_failed_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_modify_success/rule.yml | 4 ++++ + .../audit_modify_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_module_load/rule.yml | 4 ++++ + .../audit_module_load_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_ospp_general/rule.yml | 4 ++++ + .../audit_ospp_general_ppc64le/rule.yml | 3 +-- + 
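Review bot: The selection list pairs every generic audit rule with an `_aarch64` and a `_ppc64le` entry except `audit_module_load`, which gains only `audit_module_load_ppc64le`; the generic rule's platform line is not in view, so please confirm that `audit_module_load/rule.yml` received the same `not … ppc64le_arch` exclusion as the other generic rules (patch 17's diffstat shows it gaining four lines), otherwise a ppc64le host selects both rules and writes two rule files with overlapping module-load watches. The missing aarch64 counterpart may be intentional, but a short comment next to `- audit_module_load_ppc64le` saying why there is none would help the next reader of the profile.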
.../audit_owner_change_failed/rule.yml | 4 ++++ + .../audit_owner_change_failed_ppc64le/rule.yml | 3 +-- + .../audit_owner_change_success/rule.yml | 4 ++++ + .../audit_owner_change_success_ppc64le/rule.yml | 3 +-- + .../policy_rules/audit_perm_change_failed/rule.yml | 4 ++++ + .../audit_perm_change_failed_ppc64le/rule.yml | 3 +-- + .../audit_perm_change_success/rule.yml | 4 ++++ + .../audit_perm_change_success_ppc64le/rule.yml | 3 +-- + shared/references/cce-redhat-avail.txt | 14 ++++++++++++++ + 29 files changed, 84 insertions(+), 29 deletions(-) + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +index f764da506e9..6547b12e349 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file accesses (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85953-8 + cce@rhel9: CCE-85955-3 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +index b76fe0b4a4e..6ec2fc3b32d 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file accesses (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85960-3 + cce@rhel9: CCE-85961-1 + + references: +diff --git 
a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +index ead598f8b9a..7af3f3b5bbb 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file creations (ppc64le)' + +@@ -33,7 +33,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85962-9 + cce@rhel9: CCE-85965-2 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +index 294947c14ba..87bfe3de933 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file creations (ppc64le)' + +@@ -30,7 +30,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85966-0 + cce@rhel9: CCE-85968-6 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +index c8c532cb3bb..30279c88b23 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file deletions (ppc64le)' + +@@ -29,7 +29,6 @@ 
platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85969-4 + cce@rhel9: CCE-85970-2 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +index 35362051948..220e5d9ca78 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file deletions (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85974-4 + cce@rhel9: CCE-85976-9 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +index d5d11a0f214..ae0931dcee3 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful file modifications (ppc64le)' + +@@ -33,7 +33,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85977-7 + cce@rhel9: CCE-85978-5 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +index e45015e5949..4c4b1c7d8e0 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: 
ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful file modifications (ppc64le)' + +@@ -31,7 +31,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85979-3 + cce@rhel9: CCE-85980-1 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +index 3f59eecec86..4f8b06c5e2f 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of loading and unloading of kernel modules (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85981-9 + cce@rhel9: CCE-85982-7 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +index 8d408578c3a..3fe9257c0cc 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Perform general configuration of Audit for OSPP (ppc64le)' + +@@ -107,7 +107,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85983-5 + cce@rhel9: CCE-85984-3 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +index 6324bb4fd3b..f0a7c78dd14 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml ++++ 
b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful ownership changes (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85985-0 + cce@rhel9: CCE-85988-4 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +index 62639140885..dd0cf8d7cca 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful ownership changes (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85997-5 + cce@rhel9: CCE-85998-3 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +index e55de06efc0..71e5354753e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of unsuccessful permission changes (ppc64le)' + +@@ -29,7 +29,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-85999-1 + cce@rhel9: CCE-86000-7 + + references: +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +index 0cbb0f60e0c..282a2e316f4 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success_ppc64le/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol8,ol9,rhcos4,rhel8,rhel9 ++prodtype: rhel9 + + title: 'Configure auditing of successful permission changes (ppc64le)' + +@@ -28,7 +28,6 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel8: CCE-86001-5 + cce@rhel9: CCE-86002-3 + + references: + +From 3b4bc8b3bec38c27e67bde1ad34ff42c85e7cd94 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 18 Jul 2022 14:12:08 +0200 +Subject: [PATCH 18/18] fix CCE assignments after rebase + +--- + .../audit_access_failed_ppc64le/rule.yml | 2 +- + .../audit_access_success_ppc64le/rule.yml | 2 +- + .../audit_create_failed_ppc64le/rule.yml | 2 +- + .../audit_create_success_ppc64le/rule.yml | 2 +- + .../audit_delete_failed_ppc64le/rule.yml | 2 +- + .../audit_delete_success_ppc64le/rule.yml | 2 +- + .../audit_modify_failed_ppc64le/rule.yml | 2 +- + .../audit_modify_success_ppc64le/rule.yml | 2 +- + .../audit_module_load_ppc64le/rule.yml | 2 +- + .../audit_ospp_general_ppc64le/rule.yml | 2 +- + shared/references/cce-redhat-avail.txt | 20 ------------------- + 11 files changed, 10 insertions(+), 30 deletions(-) + +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +index 6547b12e349..222290c9dd7 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed_ppc64le/rule.yml +@@ -29,7 +29,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85955-3 ++ cce@rhel9: CCE-86001-5 + + references: + ism: 
0582,0584,05885,0586,0846,0957 +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +index 6ec2fc3b32d..0091db466df 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success_ppc64le/rule.yml +@@ -29,7 +29,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85961-1 ++ cce@rhel9: CCE-85999-1 + + references: + ism: 0582,0584,05885,0586,0846,0957 +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +index 7af3f3b5bbb..c85274a3540 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed_ppc64le/rule.yml +@@ -33,7 +33,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85965-2 ++ cce@rhel9: CCE-85997-5 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +index 87bfe3de933..54eb4be972d 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success_ppc64le/rule.yml +@@ -30,7 +30,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85968-6 ++ cce@rhel9: CCE-85985-0 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +index 30279c88b23..123a38cc0c6 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml ++++ 
b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed_ppc64le/rule.yml +@@ -29,7 +29,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85970-2 ++ cce@rhel9: CCE-90787-3 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +index 220e5d9ca78..f127ee47197 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success_ppc64le/rule.yml +@@ -28,7 +28,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85976-9 ++ cce@rhel9: CCE-90789-9 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +index ae0931dcee3..22a90d645e3 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed_ppc64le/rule.yml +@@ -33,7 +33,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85978-5 ++ cce@rhel9: CCE-90790-7 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +index 4c4b1c7d8e0..94b15c57c2f 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success_ppc64le/rule.yml +@@ -31,7 +31,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85980-1 ++ cce@rhel9: CCE-90791-5 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml 
b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +index 4f8b06c5e2f..486f0ba2d9e 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load_ppc64le/rule.yml +@@ -28,7 +28,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85982-7 ++ cce@rhel9: CCE-90788-1 + + references: + nist: AU-2(a) +diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +index 3fe9257c0cc..cb712714c19 100644 +--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml ++++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +@@ -107,7 +107,7 @@ platforms: + - ppc64le_arch + + identifiers: +- cce@rhel9: CCE-85984-3 ++ cce@rhel9: CCE-90786-5 + + references: + nist: AU-2(a) diff --git a/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch b/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch new file mode 100644 index 0000000..2ac4abd --- /dev/null +++ b/scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch 
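Review bot: The rhel9 CCEs assigned here to audit_access_failed_ppc64le, audit_access_success_ppc64le, audit_create_failed_ppc64le and audit_create_success_ppc64le (CCE-86001-5, CCE-85999-1, CCE-85997-5, CCE-85985-0) are the same IDs that patch 17/18 just removed as cce@rhel8 from the audit_perm_change_* and audit_owner_change_* ppc64le rules. A CCE is meant to identify exactly one configuration statement, so recycling an ID onto a different rule inside the same series is harmless only if the earlier assignment was never published; a sentence in the commit message saying so, or a check against shared/references/cce-redhat-avail.txt, would make that explicit. That file is listed in this commit's diffstat with 20 deletions, yet no hunk for it appears in the exported patch as shown here; if that is not an extraction artifact, `git am` will still apply the series and the pool file will keep IDs that are now in use.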
@@ -0,0 +1,90 @@ +From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:15 +0200 +Subject: [PATCH 1/4] fix ospp references + +--- + linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml +index c151d3c4aa1..f9b46c51ddd 100644 +--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml ++++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml +@@ -34,6 +34,7 @@ references: + disa: CCI-000213 + hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth + nist: AC-3 ++ ospp: FIA_UAU.1,FIA_AFL.1 + srg: SRG-OS-000480-GPOS-00227 + + ocil: |- + +From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:42 +0200 +Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp + +--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index b47630c62b0..dcc41970043 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -115,7 +115,7 @@ selections: + - coredump_disable_storage + - coredump_disable_backtraces + - service_systemd-coredump_disabled +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - use_pam_wheel_for_su + + +From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 11:45:54 +0200 +Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp + +--- + products/rhel8/profiles/ospp.profile | 
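Review bot: Changing `var_authselect_profile=sssd` to `var_authselect_profile=minimal` alters what the enable_authselect remediation does on a host that authenticates through sssd (IdM or AD joined): as far as I know `authselect select minimal` removes sssd from the PAM and nsswitch stacks, so local accounts keep working but directory users can lose the ability to log in. The rhel8 ospp.profile hunk in patch 3/4 has the same effect. The enable_authselect rule is outside this patch; its description or a `warnings:` entry should state that the OSPP selection assumes local authentication only and that sites relying on sssd must override the variable before remediating. Patch 4/4 updates only tests/data/profile_stability/rhel8/ospp.profile; if a rhel9 stability fixture exists in this tree it needs the same edit.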
2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile +index 39ad1797c7a..ebec8a3a6f9 100644 +--- a/products/rhel8/profiles/ospp.profile ++++ b/products/rhel8/profiles/ospp.profile +@@ -220,7 +220,7 @@ selections: + - var_accounts_max_concurrent_login_sessions=10 + - accounts_max_concurrent_login_sessions + - securetty_root_login_console_only +- - var_authselect_profile=sssd ++ - var_authselect_profile=minimal + - enable_authselect + - var_password_pam_unix_remember=5 + - accounts_password_pam_unix_remember + +From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 13:55:05 +0200 +Subject: [PATCH 4/4] update profile stability test + +--- + tests/data/profile_stability/rhel8/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile +index 5d73a8c6fef..21e93e310d5 100644 +--- a/tests/data/profile_stability/rhel8/ospp.profile ++++ b/tests/data/profile_stability/rhel8/ospp.profile +@@ -242,7 +242,7 @@ selections: + - var_slub_debug_options=P + - var_auditd_flush=incremental_async + - var_accounts_max_concurrent_login_sessions=10 +-- var_authselect_profile=sssd ++- var_authselect_profile=minimal + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted diff --git a/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch b/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch new file mode 100644 index 0000000..20b17ab --- /dev/null +++ b/scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch 
@@ -0,0 +1,302 @@ +From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 27 Jul 2022 13:49:05 +0200 +Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp + +--- + products/rhel9/profiles/ospp.profile | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index dcc41970043..0902abf58db 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -110,10 +110,7 @@ selections: + - package_gnutls-utils_installed + + ### Login +- - disable_users_coredumps + - sysctl_kernel_core_pattern +- - coredump_disable_storage +- - coredump_disable_backtraces + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + - enable_authselect + +From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Aug 2022 12:17:27 +0200 +Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL + +actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template. +I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers. 
+--- + shared/templates/sysctl/oval.template | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1a7c4979bbe..e0c6f72f928 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -17,13 +17,8 @@ + {{% endif %}} + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} +-{{%- if SYSCTLVAL == "" -%}} +- ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$ +- 1 +-{{%- else -%}} + ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ + 1 +-{{%- endif -%}} + {{%- endmacro -%}} + {{%- if "P" in FLAGS -%}} + + +From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Aug 2022 13:00:45 +0200 +Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid + +--- + .../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +new file mode 100644 +index 00000000000..7fa36fb940e +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Configure file name of core dumps' ++ ++description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}' ++ ++rationale: |- ++ The default coredump filename is
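Review bot: The surviving match `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$` captures trailing whitespace, because the greedy `.*` consumes it and the following `[\s]*` matches empty; a drop-in line such as `kernel.core_uses_pid = 0 ` (trailing space) yields the value `0 `, which the removed `(\d+)` branch did not produce. With `datatype: int` that is no longer a clean integer, and for string states it breaks equality against the expected value. A lazy capture, `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*?)[\s]*$`, keeps multi-word values such as `32768 60999` intact while dropping the padding, assuming the OVAL interpreter honours Perl-style `*?` as the OVAL specification requires.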
core
. By setting ++
core_uses_pid
to
1
, the coredump filename becomes ++
core.PID
. If
core_pattern
does not include ++
%p
(default does not) and
core_uses_pid
is set, then ++
.PID
will be appended to the filename. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-86003-1 ++ ++references: ++ ospp: FMT_SMF_EXT.1 ++ ++ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' ++ ++ocil: |- ++ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}} ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.core_uses_pid ++ datatype: int ++ sysctlval: '0' + +From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 09:08:37 +0200 +Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string + +--- + .../rule.yml | 49 +++++++++++++++++++ + 2 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +new file mode 100644 +index 00000000000..089bb1481aa +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +@@ -0,0 +1,49 @@ ++documentation_complete: true ++ ++prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9 ++ ++title: 'Disable storing core dumps' ++ ++description: |- ++ The kernel.core_pattern option specifies the core dumpfile pattern ++ name. It can be set to an empty string ''. In this case, the kernel ++ behaves differently based on another related option. If ++ kernel.core_uses_pid is set to 1, then a file named as ++ .PID (where PID is process ID of the crashed process) is ++ created in the working directory. If kernel.core_uses_pid is set to ++ 0, no coredump is saved. 
++ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}' ++ ++rationale: |- ++ A core dump includes a memory image taken at the time the operating system ++ terminates an application. The memory image could contain sensitive data and is generally useful ++ only for developers trying to debug problems. ++ ++severity: medium ++ ++requires: ++ - sysctl_kernel_core_uses_pid ++ ++conflicts: ++ - sysctl_kernel_core_pattern ++ ++identifiers: ++ cce@rhel9: CCE-86005-6 ++ ++references: ++ ospp: FMT_SMF_EXT.1 ++ ++ocil_clause: |- ++ the returned line does not have a value of ''. ++ ++ocil: | ++ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}} ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.core_pattern ++ sysctlval: "''" ++ datatype: string + +From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 10:40:47 +0200 +Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile + +--- + products/rhel9/profiles/ospp.profile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 0902abf58db..b1b18261d48 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -110,7 +110,8 @@ selections: + - package_gnutls-utils_installed + + ### Login +- - sysctl_kernel_core_pattern ++ - sysctl_kernel_core_pattern_empty_string ++ - sysctl_kernel_core_uses_pid + - service_systemd-coredump_disabled + - var_authselect_profile=minimal + - enable_authselect + +From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 3 Aug 2022 13:01:12 +0200 +Subject: [PATCH 6/8] describe beneficial dependency between + sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid + +--- + .../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++----- + 1 file changed, 8 insertions(+), 
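Review bot: The description block of sysctl_kernel_core_pattern_empty_string ends with a stray quote, `{{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'`, and because `description: |-` is a literal block that `'` is rendered into the guide text; drop the trailing `'`. Separately, `sysctlval: "''"` persists the two characters `''` into the sysctl.d drop-in, and unlike `sysctl -w kernel.core_pattern=''` typed in a shell, neither sysctl(8) nor systemd-sysctl perform quote removal as far as I know, so the rule should be verified on a rebooted system to confirm that /proc/sys/kernel/core_pattern is genuinely empty rather than the literal string `''`. If it is not, a crash would still write a core file (named `''`) in the process's working directory, which is the opposite of what the title "Disable storing core dumps" promises.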
5 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +index 7fa36fb940e..d6d2c468c10 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps' + description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}' + + rationale: |- +- The default coredump filename is
core
. By setting +-
core_uses_pid
to
1
, the coredump filename becomes +-
core.PID
. If
core_pattern
does not include +-
%p
(default does not) and
core_uses_pid
is set, then +-
.PID
will be appended to the filename. ++ The default coredump filename is core. By setting ++ core_uses_pid to 1, the coredump filename becomes ++ core.PID. If core_pattern does not include ++ %p (default does not) and core_uses_pid is set, then ++ .PID will be appended to the filename. ++ When combined with kernel.core_pattern = "" configuration, it ++ is ensured that no core dumps are generated and also no confusing error ++ messages are printed by a shell. + + severity: medium + + +From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 5 Aug 2022 10:53:37 +0200 +Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with + sysctl_kernel_core_pattern_empty_string + +they are modifying the same configuration +--- + .../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index 771c4d40e0f..c27a9e7ecf3 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -13,6 +13,9 @@ rationale: |- + + severity: medium + ++conflicts: ++ - sysctl_kernel_core_pattern_empty_string ++ + identifiers: + cce@rhcos4: CCE-82527-3 + cce@rhel8: CCE-82215-5 + +From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 9 Aug 2022 16:43:20 +0200 +Subject: [PATCH 8/8] fix ocils + +--- + .../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++- + .../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index c27a9e7ecf3..1a540ce20b3 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -29,7 +29,10 @@ references: + stigid@ol8: OL08-00-010671 + stigid@rhel8: RHEL-08-010671 + +-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' ++ocil_clause: |- ++ the returned line does not have a value of "|/bin/false", or a line is not ++ returned and the need for core dumps is not documented with the Information ++ System Security Officer (ISSO) as an operational requirement + + ocil: | + {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}} +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +index d6d2c468c10..8f51f97c16c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml +@@ -24,10 +24,10 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + +-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement' ++ocil_clause: 'the returned line does not have a value of 0' + + ocil: |- +- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}} ++ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}} + + platform: machine + 
diff --git a/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch b/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch new file mode 100644 index 0000000..57e9182 --- /dev/null +++ b/scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch 
@@ -0,0 +1,47 @@ +From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 20 Jul 2022 14:18:13 +0200 +Subject: [PATCH] change remediations to include the "=" sign + +--- + .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- + .../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +index c335a9e7fa2..852ca18cf79 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +@@ -20,7 +20,7 @@ + lineinfile: + create: yes + insertafter: '^\s*\[\s*crypto_policy\s*]\s*' +- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config" ++ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config" + path: {{{ openssl_cnf_path }}} + when: + - test_crypto_policy_group.stdout is defined +@@ -29,7 +29,7 @@ + - name: "Add crypto_policy group and set include opensslcnf.config" + lineinfile: + create: yes +- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" ++ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config" + path: {{{ openssl_cnf_path }}} + when: + - test_crypto_policy_group.stdout is defined +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +index 21edb780a2f..79eb5cff189 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh ++++ 
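Review bot: The first lineinfile task changes only `line:` and has no `regexp:`, so on a system that already carries the old form `.include /etc/crypto-policies/back-ends/opensslcnf.config` the module finds no exact match and inserts the new `.include = …` line next to it, leaving two include directives under `[crypto_policy]`. Adding `regexp: '^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf\.config\s*$'` to that task makes the remediation replace the legacy line instead of duplicating it. The task header sits above the hunk, so this assumes no `regexp:` is set on a line not shown; the second task writes a whole new section and does not need one.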
b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh +@@ -2,8 +2,8 @@ + + OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' + OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' +-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' +-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' ++OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config' ++OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$' + + {{% if 'sle' in product %}} + {{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}} diff --git a/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch b/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch new file mode 100644 index 0000000..00f27c1 --- /dev/null +++ b/scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch 
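Review bot: `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` now contains a non-capturing group `(?:=\s*)?`, which is PCRE syntax; it is accepted by `grep -P` and by Python but rejected by POSIX ERE (`grep -E`, `sed -E`), and the match then fails rather than degrading. The consumer of the variable lies outside this hunk, so this only matters if the value reaches grep/sed without `-P`; a form that works in both engines is `^[[:space:]]*\.include[[:space:]]*(=[[:space:]]*)?/etc/crypto-policies/back-ends/opensslcnf\.config$`.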
@@ -0,0 +1,29 @@ +From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 28 Jul 2022 15:08:15 +0200 +Subject: [PATCH] Remove a confusing sentence + +In the rule description, there are 2 conflicting sentences, they +both start by "By default ...", but they negate each other. +In fact, the second of them is true, so the first one could be +removed. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799 +--- + .../accounts-physical/require_singleuser_auth/rule.yml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index 932d76c36d9..332712ea1dd 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode' + description: |- + Single-user mode is intended as a system recovery + method, providing a single user root access to the system by +- providing a boot option at startup. By default, no authentication +- is performed if single-user mode is selected. ++ providing a boot option at startup. +

+ By default, single-user mode is protected by requiring a password and is set + in /usr/lib/systemd/system/rescue.service. diff --git a/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch b/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch new file mode 100644 index 0000000..1f8f5b0 --- /dev/null +++ b/scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch 
@@ -0,0 +1,1888 @@ +From 81c2f59f42ffa2cf5a611eaeccc40c802bedd6d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 8 Jul 2022 17:51:57 +0200 +Subject: [PATCH 01/23] Remove a rule from RHEL 9 OSPP + +Remove rule sysctl_net_core_bpf_jit_harden from RHEL 9 OSPP. This rule +requires to set net.core.bpf_jit_harden value to 2, the RHEL 9 default +is 1. However, bpf_jit_harden=1 disables kallsyms access from bpf +programs and all users, and it turns on constants blinding by using +random value + XOR for CAP_BPF; so the only thing in which value 1 and 2 +differ is the constants blinding for CAP_SYS_ADMIN processes in the +initial user namespaces. The extra constants blinding with +bpf_jit_harden=2 does not really help with CVE mitigation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2081728 +--- + products/rhel9/profiles/ospp.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 244a421fb48..a7ba9532d2c 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,7 +75,6 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled +- - sysctl_net_core_bpf_jit_harden + - service_kdump_disabled + + ### Audit + +From bdcd2bafe5dd68448c0fc13e1aa1be64df607c8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 12 Jul 2022 11:24:42 +0200 +Subject: [PATCH 02/23] Rename IDs in sysctl OVAL template + +The sysctl template uses its sysctlvar parameter value as a part of OVAL +object IDs, test IDs and state IDs. That means we can't have multiple +rules using the sysctl template with the same value of sysctlvar +parameter (only differ in other parameters) because there would be +duplicate elements. We will fix this by using the rule ID as a part of +OVAL object IDs, test IDs and state IDs. 
That will allow to use the +template for the same sysctlvar in different rules. +--- + .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- + shared/templates/sysctl/oval.template | 156 +++++++++--------- + 2 files changed, 80 insertions(+), 80 deletions(-) + +diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +index 1195cea518f..f971d28a047 100644 +--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +@@ -19,8 +19,8 @@ + + + +- +- ++ ++ + + + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 74583dbee1d..52671c06402 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -5,8 +5,8 @@ + {{%- endif %}} + + {{% macro state_static_sysctld(prefix) -%}} +- +- ++ ++ + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -20,13 +20,13 @@ + {{%- if "P" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + ++ definition_ref="{{{ rule_id }}}_static"/> + ++ definition_ref="{{{ rule_id }}}_runtime"/> + + + +@@ -34,7 +34,7 @@ + {{%- elif "I" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + {{% if product in ["ubuntu1604", "ubuntu1804"] %}} +@@ -46,9 +46,9 @@ + {{% endif %}} + + ++ definition_ref="{{{ rule_id }}}_static"/> + ++ definition_ref="{{{ rule_id }}}_runtime"/> + + + +@@ -58,33 +58,33 @@ + {{%- if "R" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} + + ++ test_ref="test_{{{ rule_id }}}_runtime"/> + + +- +- +- ++ ++ + + +- ++ + {{{ SYSCTLVAR }}} + + {{% if SYSCTLVAL 
== "" %}} +- ++ + ++ var_ref="{{{ rule_id }}}_value"/> + + +- + {{%- else %}} +- ++ + {{% if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} +@@ -100,46 +100,46 @@ + {{%- if "S" in FLAGS -%}} + + +- ++ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + + ++ test_ref="test_{{{ rule_id }}}_static"/> + + ++ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> + ++ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +- ++ + {{% endif %}} + + + +- + {{{ state_static_sysctld("sysctl") }}} + + +- + {{{ state_static_sysctld("etc_sysctld") }}} + + +- + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- + {{{ state_static_sysctld("usr_lib_sysctld") }}} +@@ -148,79 +148,79 @@ + + {{% if target_oval_version >= [5, 11] %}} + +- +- ++ id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> ++ ++ + + +- +- local_var_unique_sysctl_{{{ SYSCTLID }}}_counter ++ ++ local_var_{{{ rule_id }}}_counter + + +- ++ + 1 + + +- ++ + + +- ++ + + + + +- ++ + +- object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} +- state_{{{ SYSCTLID }}}_filepath_is_symlink ++ object_{{{ rule_id }}}_static_set_sysctls_unfiltered ++ state_{{{ rule_id }}}_filepath_is_symlink + + + +- +- ++ ++ + + +- ++ + +- ++ + +- ++ + + + +- ++ + +- var_obj_symlink_{{{ SYSCTLID }}} +- var_obj_blank_{{{ SYSCTLID }}} ++ var_obj_symlink_{{{ rule_id }}} ++ var_obj_blank_{{{ rule_id }}} + + + +- +- local_var_blank_path_{{{ SYSCTLID }}} ++ ++ local_var_blank_path_{{{ rule_id }}} + + +- ++ + + + +- +- local_var_symlinks_{{{ SYSCTLID }}} ++ ++ local_var_symlinks_{{{ rule_id }}} + +- ++ + +- ++ + +- ++ + + + + +- +- +- 
state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} ++ ++ ++ state_symlink_points_outside_usual_dirs_{{{ rule_id }}} + + + +- ++ + ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ + + {{% endif %}} + +- +- ++ ++ + + + +- ++ + +- object_static_etc_sysctls_{{{ SYSCTLID }}} +- object_static_run_usr_sysctls_{{{ SYSCTLID }}} ++ object_static_etc_sysctls_{{{ rule_id }}} ++ object_static_run_usr_sysctls_{{{ rule_id }}} + + + +- ++ + +- object_static_sysctl_{{{ SYSCTLID }}} +- object_static_etc_sysctld_{{{ SYSCTLID }}} ++ object_static_sysctl_{{{ rule_id }}} ++ object_static_etc_sysctld_{{{ rule_id }}} + + + +- ++ + +- object_static_run_sysctld_{{{ SYSCTLID }}} ++ object_static_run_sysctld_{{{ rule_id }}} + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- object_static_usr_lib_sysctld_{{{ SYSCTLID }}} ++ object_static_usr_lib_sysctld_{{{ rule_id }}} + {{% endif %}} + + + +- ++ + /etc/sysctl.conf + {{{ sysctl_match() }}} + + +- ++ + /etc/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + +- ++ + /run/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- ++ + /usr/lib/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} +@@ -288,15 +288,15 @@ + {{% endif %}} + {{% if SYSCTLVAL == "" %}} + +- +- ++ + + +- + {{% else %}} +- ++ + {{% if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} + {{% else %}} + +From ee5d91aaf33504e56b6959c17c8ebc6006a17a5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:16:45 +0200 +Subject: [PATCH 03/23] Use a list of values in sysctl template + +This patch adds an ability to use a list of values instead of a single +value in the sysctlval parameter of the sysctl template. This is useful +for situations when we want to create a rule that passes for multiple +different sysctl values. This commit modifies the OVAL for the runtime +configuration. 
The runtime configuration will be allowed to be any of +the values in the list. There is an OR relation between the values. In +fact, this is a first step to enable multiple values in the sysctlval +parameter in the sysctl template, because we will also need to check the +static configuration, which is not done in this commit. +--- + shared/templates/sysctl/oval.template | 32 +++++++++++++++++++++++++++ + shared/templates/sysctl/template.py | 24 ++++++++++++-------- + 2 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 52671c06402..b73ccc94f72 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -1,5 +1,7 @@ + {{%- if SYSCTLVAL == "" %}} + {{%- set COMMENT_VALUE="the appropriate value" %}} ++{{%- elif SYSCTLVAL is sequence %}} ++{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} + {{%- else %}} + {{%- set COMMENT_VALUE=SYSCTLVAL %}} + {{%- endif %}} +@@ -60,21 +62,43 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} ++{{% if SYSCTLVAL is string %}} + + + ++{{% elif SYSCTLVAL is sequence %}} ++ ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++ ++{{% endif %}} + ++ ++{{% if SYSCTLVAL is string %}} + + + + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% endfor %}} ++{{% endif %}} + + + {{{ SYSCTLVAR }}} + ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + + {{%- endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + + {{%- endif -%}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index fa981a9dce9..c62591357c0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -12,6 +12,13 @@ def preprocess(data, lang): + if "operation" 
not in data: + data["operation"] = "equals" + ++ if data["datatype"] not in ["string", "int"]: ++ raise ValueError( ++ "Test scenarios for data type '{0}' are not implemented yet.\n" ++ "Please check if rule '{1}' has correct data type and edit " ++ "{2} to add tests for it.".format( ++ data["datatype"], data["_rule_id"], __file__)) ++ + # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": +@@ -20,20 +27,19 @@ def preprocess(data, lang): + elif data["datatype"] == "string": + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" +- else: ++ elif isinstance(data["sysctlval"], list): ++ if len(data["sysctlval"]) == 0: + raise ValueError( +- "Test scenarios for data type '{0}' are not implemented yet.\n" +- "Please check if rule '{1}' has correct data type and edit " +- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) ++ "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) ++ data["sysctl_correct_value"] = data["sysctlval"][0] ++ if data["datatype"] == "int": ++ data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] ++ elif data["datatype"] == "string": ++ data["sysctl_wrong_value"] = "wrong_value" + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"] + elif data["datatype"] == "string": + data["sysctl_wrong_value"] = "wrong_value" +- else: +- raise ValueError( +- "Test scenarios for data type '{0}' are not implemented yet.\n" +- "Please check if rule '{1}' has correct data type and edit " +- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) + return data + +From c50304234dfac1dcd74b3056c978eec2c097216d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 10:47:51 +0200 +Subject: [PATCH 04/23] Move check unrelated to the test scenarios + +The check for an mepty list is 
unrelated to the test scenarios, +rather is a generic check to avoid problems during the build. +Therefore, it shouldn't be inside code block that is handling +data for test scenarios, but can be extracted to a sooner position. +--- + shared/templates/sysctl/template.py | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index c62591357c0..421e42c6ca1 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -11,7 +11,12 @@ def preprocess(data, lang): + data["flags"] = "SR" + ipv6_flag + if "operation" not in data: + data["operation"] = "equals" ++ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: ++ raise ValueError( ++ "The sysctlval parameter of {0} is an empty list".format( ++ data["_rule_id"])) + ++ # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + "Test scenarios for data type '{0}' are not implemented yet.\n" +@@ -19,7 +24,6 @@ def preprocess(data, lang): + "{2} to add tests for it.".format( + data["datatype"], data["_rule_id"], __file__)) + +- # Configure data for test scenarios + if data["sysctlval"] == "": + if data["datatype"] == "int": + data["sysctl_correct_value"] = "0" +@@ -28,9 +32,6 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- if len(data["sysctlval"]) == 0: +- raise ValueError( +- "The sysctlval parameter of {0} is an empty list".format(data["_rule_id"])) + data["sysctl_correct_value"] = data["sysctlval"][0] + if data["datatype"] == "int": + data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] + +From eb1fe4f349e2dcadd9b870e074e679383601be62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 11:57:50 +0200 +Subject: [PATCH 05/23] Allow multiple values in sysctl 
static configuration + +This extends the OVAL checks for sysctl static configuration +to enable a list of values instead of a single value in the +sysctlval parameter of the sysctl template. The template +will generate OVAL tests for each value in the sysctlval +list. +--- + shared/templates/sysctl/oval.template | 56 +++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index b73ccc94f72..4e1bf3cfce3 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -136,6 +136,7 @@ + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + ++{{% if SYSCTLVAL is string %}} + + +@@ -146,6 +147,21 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++{{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++{{% endif %}} ++{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -154,6 +170,7 @@ + + + ++{{% if SYSCTLVAL is string %}} + +@@ -177,6 +194,37 @@ + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} ++ ++ ++ ++ ++{{% endif %}} ++{{% endfor %}} ++{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + + {{% endif %}} ++{{% if SYSCTLVAL is string %}} + {{% if SYSCTLVAL == "" %}} + + +@@ -336,5 +385,12 @@ + {{% endif %}} + + {{% endif %}} ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++ {{{ x }}} ++ ++{{% endfor %}} ++{{% endif %}} + + {{%- endif -%}} + +From 93d496fb8dda6c47707e27c0b2cad15616261f27 Mon Sep 17 00:00:00 
2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 14:55:28 +0200 +Subject: [PATCH 06/23] Add option to allow system default + +Introduce new template option `missing_static_pass` to the +systemctl template. If this option is set to `"true"` in rule.yml +the OVAL will be generated in a way that the check will pass if +there is no sysctl static configuration option in the watched sysctl +configuration files. In other words, the OVAL check will pass if +the system default isn't overridden. +--- + shared/templates/sysctl/oval.template | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 4e1bf3cfce3..1719a59f9c7 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -134,6 +134,9 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++{{% endif %}} + + + {{% if SYSCTLVAL is string %}} +@@ -168,8 +171,20 @@ + + {{% endif %}} + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++{{% endif %}} + + ++{{% if MISSING_STATIC_PASS == "true" %}} ++ ++ ++ ++{{% endif %}} ++ + {{% if SYSCTLVAL is string %}} + +Date: Wed, 13 Jul 2022 17:02:35 +0200 +Subject: [PATCH 07/23] Accept multiple values in the sysctl remediation + +A new parameter sysctlval_remediate is introduced to the sysctl +template. This allows to choose which of the multiple values in +the sysctl list will be used in the Bash and Ansible remediations. 
+--- + docs/templates/template_reference.md | 8 ++++++++ + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 +++++----- + shared/templates/sysctl/template.py | 9 +++++++++ + 4 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index a439e3dca94..5785f1d453f 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -818,6 +818,14 @@ The selected value can be changed in the profile (consult the actual variable fo + - **sysctlval** - value of the sysctl value, eg. `'1'`. If this + parameter is not specified, XCCDF Value is used instead. + ++ - **sysctlval_remediate** - the value that will be used in remediations. ++ If **sysctlval_remediate** is not specified, the template will use the ++ value of the **sysctlval** parameter in the remediations. ++ This parameter is mandatory when the **sysctlval** parameter is a list ++ because we need to know which of the values in the list the system ++ should be remedied to. When the **sysctlval** parameter is not a list ++ this parameter is optional. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. 
+ +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index c13bb6637fe..7724db5e5ff 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} ++- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL }}}" ++ value: "{{{ SYSCTLVAL_REMEDIATE }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index d67a59c3886..63948bd5a26 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL == "" %}} ++{{%- if SYSCTLVAL_REMEDIATE == "" %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , 
SYSCTLVAL ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 421e42c6ca1..2574d5d42b0 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,6 +16,15 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + ++ if not data.get("sysctlval_remediate"): ++ if isinstance(data["sysctlval"], list): ++ raise ValueError( ++ "Problem with rule {0}: the 'sysctlval' parameter is a list " ++ "but we are missing the 'sysctlval_remediate' parameter, so " ++ "we don't know how to generate remediation content.".format( ++ data["_rule_id"])) ++ data["sysctlval_remediate"] = data["sysctlval"] ++ + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + +From 8a3ba3f74760b360e179da221acf7bb06f4bdc12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:10:16 +0200 +Subject: [PATCH 08/23] Introduce new rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +This rule is very similar to the existing rule +sysctl_kernel_unprivileged_bpf_disabled, but it allows the sysctl +setting kernel.unprivileged_bpf_disabled to be either 1 or 2. Also, the +rule will pass when the explicit configuration isn't present, allowing +to honor the system's default value which is 2. The goal of this rule is +to prevent unnecessary modification of the RHEL system default value +while still checking for the secure configuration. + +See the explanation in +https://bugzilla.redhat.com/show_bug.cgi?id=2081728: +sysctl_kernel_unprivileged_bpf_disabled sets the +kernel.unprivileged_bpf_disabled value to 1. 
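Review bot: The new `sysctlval_remediate` handling in `preprocess` never checks that the chosen value is one of the accepted `sysctlval` entries, so a rule author can declare a remediation value the generated OVAL (which, per the earlier patch in this series, emits one state per list value) will reject; the Bash and Ansible fixes would then set a value that keeps the rule failing. After the `data["sysctlval_remediate"] = data["sysctlval"]` fallback, add `if isinstance(data["sysctlval"], list) and data["sysctlval_remediate"] not in data["sysctlval"]:` followed by `raise ValueError("Rule {0}: sysctlval_remediate must be one of the sysctlval values".format(data["_rule_id"]))`. The remainder of `preprocess` is outside this hunk.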
However, on RHEL 9 the +kernel supports new value 2 which per +https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled +makes it for a privileged admin to re-enable unprivileged BPF. The value +2 is also the RHEL 9 default. So the current +sysctl_kernel_unprivileged_bpf_disabled rule unnecessarily modifies +the RHEL 9 default. +--- + .../rule.yml | 82 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +new file mode 100644 +index 00000000000..f45769dd2d0 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -0,0 +1,82 @@ ++documentation_complete: true ++ ++prodtype: rhel9 ++ ++title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' ++ ++description: |- ++ To prevent unprivileged processes from using the bpf() syscall ++ the kernel.unprivileged_bpf_disabled kernel parameter must ++ be set to 1 or 2. ++ ++ Writing 1 to this entry will disable unprivileged calls to bpf(); once ++ disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. ++ Once set to 1, this can't be cleared from the running kernel anymore. ++ ++ Writing 2 to this entry will also disable unprivileged calls to bpf(), ++ however, an admin can still change this setting later on, if needed, by ++ writing 0 or 1 to this entry. 
++ ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ ++rationale: |- ++ Loading and accessing the packet filters programs and maps using the bpf() ++ syscall has the potential of revealing sensitive information about the kernel state. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-87712-6 ++ ++references: ++ disa: CCI-000366 ++ nist: AC-6,SC-7(10) ++ ospp: FMT_SMF_EXT.1 ++ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 ++ stigid@ol8: OL08-00-040281 ++ stigid@rhel8: RHEL-08-040281 ++ ++ocil: |- ++ The runtime status of the kernel.unprivileged_bpf_disabled ++ kernel parameter can be queried by running the following command: ++
$ sysctl kernel.unprivileged_bpf_disabled
++ The output of the command should indicate either: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ The output of the command should not indicate: ++ kernel.unprivileged_bpf_disabled = 0 ++ ++ The preferable way how to assure the runtime compliance is to have ++ correct persistent configuration, and rebooting the system. ++ ++ The persistent kernel parameter configuration is performed by specifying the appropriate ++ assignment in any file located in the
/etc/sysctl.d
directory. ++ Verify that there is not any existing incorrect configuration by executing the following command: ++
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
++ The command should not find any assignments other than: ++ kernel.unprivileged_bpf_disabled = 1 ++ or: ++ kernel.unprivileged_bpf_disabled = 2 ++ ++ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. ++ ++ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" ++ ++fixtext: |- ++ Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ ++srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' ++ ++platform: machine ++ ++template: ++ name: sysctl ++ vars: ++ sysctlvar: kernel.unprivileged_bpf_disabled ++ sysctlval: ++ - '1' ++ - '2' ++ sysctlval_remediate: "2" ++ missing_static_pass: "true" ++ datatype: int +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 914233f06bf..2c2cf12cafe 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -1435,7 +1435,6 @@ CCE-87708-4 + CCE-87709-2 + CCE-87710-0 + CCE-87711-8 +-CCE-87712-6 + CCE-87713-4 + CCE-87714-2 + CCE-87715-9 + +From 0327b48990c2cf35aeff8adf63a2102378e43c54 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 13 Jul 2022 17:21:50 +0200 +Subject: [PATCH 09/23] Add test scenarios for rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +--- + .../tests/system_default.pass.sh | 5 +++++ + .../tests/test_config.yml | 6 ++++++ + .../tests/value_0.fail.sh | 11 +++++++++++ + .../tests/value_1.pass.sh | 11 +++++++++++ + .../tests/value_2.pass.sh | 11 +++++++++++ + 5 files changed, 44 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
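Review bot: The description calls `describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1")` while the template remediates to `"2"`, so a reader following the description is told to set the one value that, as the same description notes, can never be cleared from the running kernel and that defeats the rule's stated purpose of honouring the RHEL 9 default; change it to `value="2"`. The OCIL grep uses `{{{ sysctl }}}`, which does not appear to be a defined variable in a rule.yml context and would presumably render as an empty pattern, so spell the parameter out: `$ grep -r '^\s*kernel.unprivileged_bpf_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d`. It would also help auditors if the rationale stated the trade-off the commit message makes explicit, for example `Value 2 is accepted because it is the RHEL 9 default, but unlike 1 it can be reverted by a privileged administrator at runtime.`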
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +new file mode 100644 +index 00000000000..b9776227bdb +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +new file mode 100644 +index 00000000000..dbac89b4caa +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -0,0 +1,6 @@ ++deny_templated_scenarios: ++ - line_not_there.fail.sh ++ - comment.fail.sh ++ - wrong_value.fail.sh ++ - wrong_value_d_directory.fail.sh ++ - wrong_runtime.fail.sh +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +new file mode 100644 +index 00000000000..9f19e0140b4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="0" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +new file mode 100644 +index 00000000000..e976db594c8 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="1" +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +new file mode 100644 +index 
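Review bot: In value_0.fail.sh the comment says it sets the "correct runtime value to check if the filesystem configuration is evaluated properly", but the script then writes `sysctl -w kernel.unprivileged_bpf_disabled="0"`, which is itself a failing runtime value; the scenario therefore cannot tell whether the static-configuration check caught the bad `/etc/sysctl.conf` line, because the runtime check alone makes it fail. If the intent is to exercise the static check, keep the runtime compliant with `sysctl -w kernel.unprivileged_bpf_disabled="2"` and reword the comment to `# keep runtime compliant so only the persistent configuration causes the failure`. Writing 2 while the kernel is still at its default of 2 should be accepted, but this is worth confirming on the test VM.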
00000000000..b1537175eb4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++# platform = Red Hat Enterprise Linux 9 ++ ++# Clean sysctl config directories ++rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* ++ ++sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf ++echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf ++ ++# set correct runtime value to check if the filesystem configuration is evaluated properly ++sysctl -w kernel.unprivileged_bpf_disabled="2" + +From 52415b3effb7bf80038b8d866982fd44c8c45312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:14:53 +0200 +Subject: [PATCH 10/23] Use rule + sysctl_kernel_unprivileged_bpf_disabled_accept_default + +Use rule sysctl_kernel_unprivileged_bpf_disabled_accept_default +instead of the rule sysctl_kernel_unprivileged_bpf_disabled +in the RHEL 9 OSPP profile. 
+--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index a7ba9532d2c..19e4878c4b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -74,7 +74,7 @@ selections: + - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces +- - sysctl_kernel_unprivileged_bpf_disabled ++ - sysctl_kernel_unprivileged_bpf_disabled_accept_default + - service_kdump_disabled + + ### Audit + +From 4ff536a006a9d25c9c90a1b1e5fce0f957c51c28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 09:25:26 +0200 +Subject: [PATCH 11/23] Document that sysctlval can be a list + +--- + docs/templates/template_reference.md | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 5785f1d453f..716407fd5c9 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,7 +815,8 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this ++ - **sysctlval** - value of the sysctl value. This can be either an atomic ++ value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this + parameter is not specified, XCCDF Value is used instead. + + - **sysctlval_remediate** - the value that will be used in remediations. 
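Review bot: Swapping in `sysctl_kernel_unprivileged_bpf_disabled_accept_default` changes the OSPP profile's posture without any trace in the profile itself: the old rule required the irreversible value 1, while the new one also accepts 2, which a privileged administrator can revert at runtime as the rule's own description says. A reader of the profile will not know this was a deliberate choice driven by the RHEL 9 default, so annotate the selection, e.g. `- sysctl_kernel_unprivileged_bpf_disabled_accept_default  # accepts the RHEL 9 default (2), which root can still revert at runtime; see rhbz#2081728`. The surrounding selections list continues outside this hunk.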
+ +From df27fec11a6e8037288ee8cf5b7bfc7d05537f33 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:00:59 +0200 +Subject: [PATCH 12/23] Document the missing_static_pass option + +--- + docs/templates/template_reference.md | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 716407fd5c9..65da697b808 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,11 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **missing_static_pass** - if set to `true` the check will pass if the ++ setting for the given **sysctlvar** is not present in sysctl ++ configuration files. In other words, the check will pass if the system ++ default isn't overriden by configuration. Default value: `false`. ++ + - **operation** - operation used for comparison of collected object + with **sysctlval**. Default value: `equals`. + + +From e8b8497d32d84282d7f34d83f3661c02235d33cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:03:53 +0200 +Subject: [PATCH 13/23] Introduce sysctlval_wrong parameter + +When the `sysctalval` parameter is a list, this parameter will be +substitued into the SYSCTL_WRONG_VALUE parameter in test scenarios. This +is better than current computing of the SYSCTL_WRONG_VALUE parameter +which is done by prepending "1" to the string value, because the +computed value could be invalid and the `sysctl -w` command used in the +test scenario wrong_runtime.fail.sh could fail to set the value to +SYSCTL_WRONG_VALUE therefore not changing the runtime. 
If at the same +time the `missing_static_pass` is set to `true` and the system is set to +system default, then the unchanged runtime would cause the check to pass +and therefore the test scenario wrong_runtime.fail.sh to error. +--- + docs/templates/template_reference.md | 3 +++ + .../rule.yml | 1 + + shared/templates/sysctl/template.py | 7 ++----- + 3 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 65da697b808..7e1fc7049cf 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -827,6 +827,9 @@ The selected value can be changed in the profile (consult the actual variable fo + should be remedied to. When the **sysctlval** parameter is not a list + this parameter is optional. + ++ - **sysctlval_wrong** - the value that is always wrong. This will be used ++ only in the test scenarios only if **sysctlval** is a list. ++ + - **missing_static_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. 
In other words, the check will pass if the system +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index f45769dd2d0..ddff15dff8f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,6 @@ template: + - '1' + - '2' + sysctlval_remediate: "2" ++ sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 2574d5d42b0..96663694997 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -41,11 +41,8 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval"][0] +- if data["datatype"] == "int": +- data["sysctl_wrong_value"] = "1" + data["sysctlval"][0] +- elif data["datatype"] == "string": +- data["sysctl_wrong_value"] = "wrong_value" ++ data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + +From 5f391a7053f7ce18dd34c45a1d319d65b78348d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Thu, 14 Jul 2022 11:23:59 +0200 +Subject: [PATCH 14/23] Change test_config.yml + +--- + .../tests/test_config.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index dbac89b4caa..c379680e25c 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,6 +1,6 @@ + deny_templated_scenarios: ++ # this rule uses missing_static_pass: true which means the check should pass ++ # if the configuration is missing (or commented out) therefore we disable ++ # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh + - comment.fail.sh +- - wrong_value.fail.sh +- - wrong_value_d_directory.fail.sh +- - wrong_runtime.fail.sh + +From 92207a9bd11df0e69bf732e27fb91e5db270f7f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 15 Jul 2022 10:36:05 +0200 +Subject: [PATCH 15/23] Simplify sysctl template + +Instead of using multiple OVAL tests in OR relation we can have +a single OVAL test containing multiple OVAL states in OR relation. +That will simplify the code. 
+--- + shared/templates/sysctl/oval.template | 82 +++++---------------------- + 1 file changed, 13 insertions(+), 69 deletions(-) + +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 1719a59f9c7..8241c391ad2 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -8,7 +8,13 @@ + + {{% macro state_static_sysctld(prefix) -%}} + ++{{% if SYSCTLVAL is string %}} + ++{{% elif SYSCTLVAL is sequence %}} ++{{% for x in SYSCTLVAL %}} ++ ++{{% endfor %}} ++{{% endif %}} + {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} + {{%- if SYSCTLVAL == "" -%}} +@@ -62,38 +68,24 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} +-{{% if SYSCTLVAL is string %}} + + + +-{{% elif SYSCTLVAL is sequence %}} +- +-{{% for x in SYSCTLVAL %}} +- +-{{% endfor %}} +- +-{{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + ++ check="all" check_existence="all_exist" state_operator="OR"> + ++{{% if SYSCTLVAL is string %}} + +- + {{% elif SYSCTLVAL is sequence %}} + {{% for x in SYSCTLVAL %}} +- +- + +- + {{% endfor %}} + {{% endif %}} ++ + + + {{{ SYSCTLVAR }}} +@@ -139,7 +131,6 @@ + {{% endif %}} + + +-{{% if SYSCTLVAL is string %}} + + +@@ -150,21 +141,6 @@ + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + +-{{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +-{{% endif %}} +-{{% endfor %}} + {{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} +@@ -185,61 +161,29 @@ +
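Review bot: The new `state_static_sysctld` macro in the `@@ -8,7 +8,13 @@` hunk branches only on `SYSCTLVAL is string` and `SYSCTLVAL is sequence`, so a rule that writes an unquoted YAML number (`sysctlval: 1`) satisfies neither branch and the macro emits no state at all. Whether that can reach the template depends on validation in template.py that is not in this hunk; if nothing there rejects non-string scalars, the `check_existence="all_exist"` tests built from this macro would pass on the mere presence of the setting, whatever its value. A guard in `preprocess` such as `if not isinstance(data["sysctlval"], (str, list)): raise ValueError("sysctlval of {0} must be a quoted string or a list".format(data["_rule_id"]))`, or an `{{% else %}}` branch that fails the build, would close that gap. The template around this macro starts and ends outside the hunk.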
+ {{% endif %}} + +-{{% if SYSCTLVAL is string %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR"> + {{{ state_static_sysctld("sysctl") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("etc_sysctld") }}} + + + ++ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("run_sysctld") }}} + + + {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + ++ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> + {{{ state_static_sysctld("usr_lib_sysctld") }}} + + {{% endif %}} +-{{% elif SYSCTLVAL is sequence %}} +-{{% for x in SYSCTLVAL %}} +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +- +- +- +- +-{{% endif %}} +-{{% endfor %}} +-{{% endif %}} + + {{% if target_oval_version >= [5, 11] %}} + +Date: Mon, 25 Jul 2022 15:40:24 +0200 +Subject: [PATCH 16/23] Replace the sysctlval_remediate template parameter + +Replace the sysctlval_remediate template parameter by using an XCCDF +value. The variable would be only used in the remediation and would +allow users to tailor the value, instead of the current solution where +the value is hardcoded and can be only changed during build time. 
+--- + docs/templates/template_reference.md | 21 +++++++++---------- + .../rule.yml | 1 - + products/rhel9/profiles/ospp.profile | 1 + + shared/templates/sysctl/ansible.template | 6 +++--- + shared/templates/sysctl/bash.template | 10 ++++----- + shared/templates/sysctl/template.py | 11 +--------- + 6 files changed, 20 insertions(+), 30 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 7e1fc7049cf..00f991daae7 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -815,17 +815,16 @@ The selected value can be changed in the profile (consult the actual variable fo + + - **datatype** - data type of the sysctl value, eg. `int`. + +- - **sysctlval** - value of the sysctl value. This can be either an atomic +- value, eg. `'1'`, or a list of values, eg. `['1','2']`. If this +- parameter is not specified, XCCDF Value is used instead. +- +- - **sysctlval_remediate** - the value that will be used in remediations. +- If **sysctlval_remediate** is not specified, the template will use the +- value of the **sysctlval** parameter in the remediations. +- This parameter is mandatory when the **sysctlval** parameter is a list +- because we need to know which of the values in the list the system +- should be remedied to. When the **sysctlval** parameter is not a list +- this parameter is optional. ++ - **sysctlval** - value of the sysctl value. This can be either not ++ specified, or an atomic value, eg. `'1'`, or a list of values, ++ eg. `['1','2']`. ++ - If this parameter is not specified, an XCCDF Value is used instead ++ in OVAL check and remediations. ++ - If this parameter is set to an atomic value, this atomic value ++ will be used in OVAL check and remediations. ++ - If this parameter is set to a list of values, the list will be used ++ in the OVAL check, but won't be used in the remediations. ++ All remediations will use an XCCDF value instead. 
+ + - **sysctlval_wrong** - the value that is always wrong. This will be used + only in the test scenarios only if **sysctlval** is a list. +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ddff15dff8f..9936ed777c8 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -77,7 +77,6 @@ template: + sysctlval: + - '1' + - '2' +- sysctlval_remediate: "2" + sysctlval_wrong: "0" + missing_static_pass: "true" + datatype: int +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 19e4878c4b0..b47630c62b0 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -75,6 +75,7 @@ selections: + - sysctl_kernel_perf_event_paranoid + - sysctl_user_max_user_namespaces + - sysctl_kernel_unprivileged_bpf_disabled_accept_default ++ - sysctl_kernel_unprivileged_bpf_disabled_value=2 + - service_kdump_disabled + + ### Audit +diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template +index 7724db5e5ff..edc4d3fb667 100644 +--- a/shared/templates/sysctl/ansible.template ++++ b/shared/templates/sysctl/ansible.template +@@ -21,7 +21,7 @@ + replace: '#{{{ SYSCTLVAR }}}' + loop: "{{ find_sysctl_d.files }}" + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) + + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set +@@ -29,10 +29,10 @@ + name: "{{{ SYSCTLVAR }}}" + value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + {{%- else %}} +-- name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL_REMEDIATE }}} ++- 
name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} + sysctl: + name: "{{{ SYSCTLVAR }}}" +- value: "{{{ SYSCTLVAL_REMEDIATE }}}" ++ value: "{{{ SYSCTLVAL }}}" + {{%- endif %}} + state: present + reload: yes +diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template +index 63948bd5a26..cd3424b0228 100644 +--- a/shared/templates/sysctl/bash.template ++++ b/shared/templates/sysctl/bash.template +@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do + fi + done + +-{{%- if SYSCTLVAL_REMEDIATE == "" %}} ++{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} + + # +@@ -38,11 +38,11 @@ done + # + # Set runtime for {{{ SYSCTLVAR }}} + # +-/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL_REMEDIATE }}}" ++/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" + + # +-# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL_REMEDIATE }}}" +-# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL_REMEDIATE }}}" to /etc/sysctl.conf ++# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" ++# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf + # +-{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL_REMEDIATE ) }}} ++{{{ bash_replace_or_append('/etc/sysctl.conf', '^' + SYSCTLVAR , SYSCTLVAL ) }}} + {{%- endif %}} +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 96663694997..2b779f99a62 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -16,15 +16,6 @@ def preprocess(data, lang): + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + +- if not data.get("sysctlval_remediate"): +- if isinstance(data["sysctlval"], list): +- raise ValueError( +- "Problem with rule {0}: the 'sysctlval' parameter is a list " +- "but we are missing 
the 'sysctlval_remediate' parameter, so " +- "we don't know how to generate remediation content.".format( +- data["_rule_id"])) +- data["sysctlval_remediate"] = data["sysctlval"] +- + # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( +@@ -41,7 +32,7 @@ def preprocess(data, lang): + data["sysctl_correct_value"] = "correct_value" + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): +- data["sysctl_correct_value"] = data["sysctlval_remediate"] ++ data["sysctl_correct_value"] = data["sysctlval"][0] + data["sysctl_wrong_value"] = data["sysctlval_wrong"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + +From 817b47544b4a62aad8153360839bb14dd607d46d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 15:47:11 +0200 +Subject: [PATCH 17/23] Rename a template parameter + +Rename the sysctlval_wrong parameter to wrong_sysctlval_for_testing +--- + docs/templates/template_reference.md | 4 ++-- + .../rule.yml | 2 +- + shared/templates/sysctl/template.py | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 00f991daae7..4e6357c1579 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -826,8 +826,8 @@ The selected value can be changed in the profile (consult the actual variable fo + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + +- - **sysctlval_wrong** - the value that is always wrong. This will be used +- only in the test scenarios only if **sysctlval** is a list. ++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used ++ only in the templated test scenarios only if **sysctlval** is a list. 
+ + - **missing_static_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 9936ed777c8..b8af4f7560d 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -77,6 +77,6 @@ template: + sysctlval: + - '1' + - '2' +- sysctlval_wrong: "0" ++ wrong_sysctlval_for_testing: "0" + missing_static_pass: "true" + datatype: int +diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py +index 2b779f99a62..9083a6a4185 100644 +--- a/shared/templates/sysctl/template.py ++++ b/shared/templates/sysctl/template.py +@@ -33,7 +33,7 @@ def preprocess(data, lang): + data["sysctl_wrong_value"] = "wrong_value" + elif isinstance(data["sysctlval"], list): + data["sysctl_correct_value"] = data["sysctlval"][0] +- data["sysctl_wrong_value"] = data["sysctlval_wrong"] ++ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] + else: + data["sysctl_correct_value"] = data["sysctlval"] + if data["datatype"] == "int": + +From ed48698e95f96891889fa2c2039172015ae9f069 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 15:56:26 +0200 +Subject: [PATCH 18/23] Rename parameter missing_static_pass + +Rename the parameter missing_static_pass to missing_parameter_pass +to make the naming consistent with other templates where a parameter +with a similar meaning exist. 
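Review bot: `data["wrong_sysctlval_for_testing"]` is read with a bare subscript in the `@@ -33,7 +33,7 @@` hunk, so a rule whose `sysctlval` is a list but omits the new parameter aborts the build with a KeyError that does not name the rule, unlike the empty-list check earlier in `preprocess`. Nothing verifies either that the value lies outside the accepted list, so a slip such as `wrong_sysctlval_for_testing: "1"` would make the templated `wrong_value.fail.sh` scenario expect a failure the OVAL check cannot produce. Suggested replacement for the changed line: `wrong = data.get("wrong_sysctlval_for_testing")` / `if wrong is None or wrong in data["sysctlval"]: raise ValueError("Problem with rule {0}: 'wrong_sysctlval_for_testing' is missing or is one of the accepted values".format(data["_rule_id"]))` / `data["sysctl_wrong_value"] = wrong`. `preprocess` starts and continues outside this hunk.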
+--- + docs/templates/template_reference.md | 2 +- + .../rule.yml | 2 +- + .../tests/test_config.yml | 2 +- + shared/templates/sysctl/oval.template | 6 +++--- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 4e6357c1579..0fff58c0a23 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -829,7 +829,7 @@ The selected value can be changed in the profile (consult the actual variable fo + - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used + only in the templated test scenarios only if **sysctlval** is a list. + +- - **missing_static_pass** - if set to `true` the check will pass if the ++ - **missing_parameter_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. In other words, the check will pass if the system + default isn't overriden by configuration. Default value: `false`. 
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index b8af4f7560d..7d8769a913f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -78,5 +78,5 @@ template: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" +- missing_static_pass: "true" ++ missing_parameter_pass: "true" + datatype: int +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +index c379680e25c..5cf68074050 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml +@@ -1,5 +1,5 @@ + deny_templated_scenarios: +- # this rule uses missing_static_pass: true which means the check should pass ++ # this rule uses missing_parameter_pass: true which means the check should pass + # if the configuration is missing (or commented out) therefore we disable + # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh +diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template +index 8241c391ad2..1a7c4979bbe 100644 +--- a/shared/templates/sysctl/oval.template ++++ b/shared/templates/sysctl/oval.template +@@ -126,7 +126,7 @@ + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} +-{{% 
if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + {{% endif %}} + +@@ -147,13 +147,13 @@ + + {{% endif %}} + +-{{% if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + + {{% endif %}} + + +-{{% if MISSING_STATIC_PASS == "true" %}} ++{{% if MISSING_PARAMETER_PASS == "true" %}} + + +From f022f549c6d0b5bc0d24c5d1b7c606d23efbd6d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Jul 2022 16:26:03 +0200 +Subject: [PATCH 19/23] Add a variable + sysctl_kernel_unprivileged_bpf_disabled_value + +--- + ..._kernel_unprivileged_bpf_disabled_value.var | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +new file mode 100644 +index 00000000000..b8bf965a255 +--- /dev/null ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var +@@ -0,0 +1,18 @@ ++documentation_complete: true ++ ++title: kernel.unprivileged_bpf_disabled ++ ++description: |- ++ Prevent unprivileged processes from using the bpf() syscall. 
++ ++type: number ++ ++operator: equals ++ ++interactive: false ++ ++options: ++ default: 2 ++ 0: "0" ++ 1: "1" ++ 2: "2" + +From 4c8ef02cc91c821d56c061f6d8e2ba1675d0c414 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:09 +0200 +Subject: [PATCH 20/23] Improve documentation of the sysctl template + +--- + docs/templates/template_reference.md | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md +index 0fff58c0a23..e73b95450fe 100644 +--- a/docs/templates/template_reference.md ++++ b/docs/templates/template_reference.md +@@ -819,15 +819,19 @@ The selected value can be changed in the profile (consult the actual variable fo + specified, or an atomic value, eg. `'1'`, or a list of values, + eg. `['1','2']`. + - If this parameter is not specified, an XCCDF Value is used instead +- in OVAL check and remediations. ++ in OVAL check and remediations. The XCCDF Value should have a file ++ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, ++ where the `escaped_sysctlvar` is a value of the **sysctlvar** ++ parameter in which all characters that don't match the `\w` regular ++ expression are replaced by an underscore (`_`). + - If this parameter is set to an atomic value, this atomic value + will be used in OVAL check and remediations. + - If this parameter is set to a list of values, the list will be used + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + +- - **wrong_sysctlval_for_testing** - the value that is always wrong. This will be used +- only in the templated test scenarios only if **sysctlval** is a list. ++ - **wrong_sysctlval_for_testing** - the value that is always wrong. This ++ will be used in templated test scenarios when **sysctlval** is a list. 
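Review bot: The new variable offers `0: "0"` as a selectable option even though the rule it feeds treats 0 as a failing value (its ocil_clause reads "not set to 1 or 2 or is configured to be 0") and the remediations in this series now write whatever the variable holds. A tailoring that picks option 0 would therefore make `sysctl -w` and the `/etc/sysctl.conf` edit actively disable the protection while the check keeps failing. Unless some consumer needs 0, dropping that line and keeping `1: "1"` / `2: "2"` with `default: 2` confines tailoring to compliant values; if 0 is kept on purpose, the `description` should say in one sentence that it is the non-compliant setting.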
+ + - **missing_parameter_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + +From 0f89cab50807ecf75269acc49e0c290c139beea6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:34 +0200 +Subject: [PATCH 21/23] Remove RHEL 8 STIG ID + +--- + .../rule.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 7d8769a913f..ec3b5aef82f 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -33,8 +33,6 @@ references: + nist: AC-6,SC-7(10) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 +- stigid@ol8: OL08-00-040281 +- stigid@rhel8: RHEL-08-040281 + + ocil: |- + The runtime status of the kernel.unprivileged_bpf_disabled + +From 5c2116eb08b84c43d644f6ce51744732a63fb206 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Jul 2022 09:36:47 +0200 +Subject: [PATCH 22/23] Fix a typo + +--- + .../rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index ec3b5aef82f..589deccb0c7 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -62,7 +62,7 @@ ocil: |- + 
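Review bot: Removing `stigid@rhel8: RHEL-08-040281` and `stigid@ol8: OL08-00-040281` from this rule drops the only STIG mapping for those identifiers visible in this series, and the commit message ("Remove RHEL 8 STIG ID") does not say which rule now carries them; presumably the non-`accept_default` `sysctl_kernel_unprivileged_bpf_disabled` rule does, since this variant passes when the setting is absent (`missing_parameter_pass: "true"`), which seems at odds with a STIG item that demands an explicit value. That reasoning belongs in the commit message so the reference move can be audited, e.g. `RHEL-08-040281/OL08-00-040281 require an explicit setting and stay on sysctl_kernel_unprivileged_bpf_disabled, not on this accept-default variant.` If no other rule references these IDs, the rhel8 and ol8 STIG profiles lose coverage for them.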
ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" + + fixtext: |- +- Configure {{{ full_name }}} to prevent privilege escalation thru the kernel by disabling access to the bpf syscall. ++ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. + + srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' + + +From 22e5a11f3232234a939dc6a806752b1fa5c69ce4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Wed, 27 Jul 2022 10:36:04 +0200 +Subject: [PATCH 23/23] Mention both values 1 and 2 in the rule description + +--- + .../rule.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +index 589deccb0c7..259d1f901c6 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +@@ -13,11 +13,13 @@ description: |- + disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. + Once set to 1, this can't be cleared from the running kernel anymore. + ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ + Writing 2 to this entry will also disable unprivileged calls to bpf(), + however, an admin can still change this setting later on, if needed, by + writing 0 or 1 to this entry. 
+ +- {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} ++ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} + + rationale: |- + Loading and accessing the packet filters programs and maps using the bpf() diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 43e0ab6..8e138bd 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -6,13 +6,20 @@ Name: scap-security-guide Version: 0.1.63 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 BuildArch: noarch +Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch +Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch +Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch +Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch +Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch +Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch + BuildRequires: libxslt BuildRequires: expat BuildRequires: openscap-scanner >= 1.2.5 @@ -98,6 +105,14 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog +* Wed Aug 10 2022 Vojtech Polasek - 0.1.63-2 +- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583) +- OSPP: update rules related to coredumps (RHBZ#2081688) +- OSPP: update rules related to BPF (RHBZ#2081728) +- fix description of require_singleuser_mode (RHBZ#2092799) +- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569) +- OSPP: use minimal Authselect profile(RHBZ#2114979) + * Mon Aug 01 2022 Vojtech Polasek - 0.1.63-1 - Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
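Review bot: Six `PatchN:` lines are declared in the `@@ -6,13 +6,20 @@` hunk but `%prep` is not shown; if that section still uses a plain `%setup` rather than `%autosetup -p1` (or explicit `%patchN -p1` lines), the patches ship in the SRPM but are never applied, and the build silently produces unchanged 0.1.63 content while the changelog claims the fixes. Confirm that `%prep` applies all six, and since the file names say `0.1.64` while `Version` stays `0.1.63`, a short comment above them such as `# Backports from upstream 0.1.64 (PR numbers in file names)` would spare the next maintainer the same question. The `%prep` section is outside this hunk.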