make sysctl_user_max_user_namespaces enforcing in RHEL9 OSPP

Resolves: rhbz#2083716
2022-07-18 10:46:37 +02:00 · 2022-07-18 10:46:37 +02:00 · 3c0a847089
parent ac5b9ee8a7
commit 3c0a847089
2 changed files with 29 additions and 0 deletions
--- a/scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
+++ b/scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
@ -0,0 +1,27 @@
+From b18adf58035b2c2ce1d4259bccb52d364bf7a6a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Fri, 1 Jul 2022 15:22:03 +0200
+Subject: [PATCH] Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP
+
+Removal of the role and severity attributes will cause that
+the rule will start to be evaluated and remediation will
+actually disable the user namespaces on the target system.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083716
+---
+ products/rhel9/profiles/ospp.profile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 1fad0031749..136bb163646 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -135,8 +135,6 @@ selections:
+     - sysctl_kernel_yama_ptrace_scope
+     - sysctl_kernel_perf_event_paranoid
+     - sysctl_user_max_user_namespaces
+-    - sysctl_user_max_user_namespaces.role=unscored
+-    - sysctl_user_max_user_namespaces.severity=info
+     - sysctl_kernel_unprivileged_bpf_disabled
+     - sysctl_net_core_bpf_jit_harden
+     - service_kdump_disabled
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -27,6 +27,7 @@ Requires:	xml-common, openscap-scanner >= 1.2.5
 Patch0:                scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
 Patch1:                scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
 Patch2:                scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
+Patch3:                scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -106,6 +107,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
 - Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
 - Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
+- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)