From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 Jul 2022 13:49:05 +0200
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp

---
 products/rhel9/profiles/ospp.profile | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index dcc41970043..0902abf58db 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,10 +110,7 @@ selections:
 - package_gnutls-utils_installed
 ### Login
- - disable_users_coredumps
 - sysctl_kernel_core_pattern
- - coredump_disable_storage
- - coredump_disable_backtraces
 - service_systemd-coredump_disabled
 - var_authselect_profile=minimal
 - enable_authselect

From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 3 Aug 2022 12:17:27 +0200
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL

actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template. I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
---
 shared/templates/sysctl/oval.template | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 1a7c4979bbe..e0c6f72f928 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -17,13 +17,8 @@
 {{% endif %}}
 {{%- endmacro -%}}
 {{%- macro sysctl_match() -%}}
-{{%- if SYSCTLVAL == "" -%}}
- ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$
- 1
-{{%- else -%}}
 ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$
 1
-{{%- endif -%}}
 {{%- endmacro -%}}
 {{%- if "P" in FLAGS -%}}

From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
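Review bot: With the `\d+` branch gone, the surviving pattern `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$` captures any trailing whitespace into group 1, because the greedy `.*` consumes it before the final `[\s]*$` gets a chance; a line such as `kernel.core_uses_pid = 0 ` (trailing blank) therefore yields `0 ` rather than `0`, and for `datatype: int` rules that capture is then compared as an integer and can error or mismatch instead of passing. Making the capture lazy restores the intent of the trailing `[\s]*`: `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*?)[\s]*$`. The same line interpolates `SYSCTLVAR` into the regex unescaped, so the dots in a name like `kernel.core_pattern` match any character; that is pre-existing and probably harmless, but if the template engine offers an `escape_regex`-style filter it would be the right place to use it. The `sysctl_match` macro is fully inside this hunk; the rest of the template continues past it.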
From: Vojtech Polasek
Date: Wed, 3 Aug 2022 13:00:45 +0200
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid

---
 .../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
new file mode 100644
index 00000000000..7fa36fb940e
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Configure file name of core dumps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+
+rationale: |-
+ The default coredump filename is
core
. By setting +
core_uses_pid
to
1
, the coredump filename becomes +
core.PID
. If
core_pattern
does not include +
%p
(default does not) and
core_uses_pid
is set, then +
.PID
will be appended to the filename.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86003-1
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_uses_pid
+ datatype: int
+ sysctlval: '0'

From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 5 Aug 2022 09:08:37 +0200
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string

---
 .../rule.yml | 49 +++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
new file mode 100644
index 00000000000..089bb1481aa
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Disable storing core dumps'
+
+description: |-
+ The kernel.core_pattern option specifies the core dumpfile pattern
+ name. It can be set to an empty string ''. In this case, the kernel
+ behaves differently based on another related option. If
+ kernel.core_uses_pid is set to 1, then a file named as
+ .PID (where PID is process ID of the crashed process) is
+ created in the working directory. If kernel.core_uses_pid is set to
+ 0, no coredump is saved.
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data and is generally useful
+ only for developers trying to debug problems.
+
+severity: medium
+
+requires:
+ - sysctl_kernel_core_uses_pid
+
+conflicts:
+ - sysctl_kernel_core_pattern
+
+identifiers:
+ cce@rhel9: CCE-86005-6
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: |-
+ the returned line does not have a value of ''.
+
+ocil: |
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_pattern
+ sysctlval: "''"
+ datatype: string

From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 5 Aug 2022 10:40:47 +0200
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile

---
 products/rhel9/profiles/ospp.profile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0902abf58db..b1b18261d48 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
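Review bot: The `description` block scalar ends with `}}}'` — inside a `|-` block that closing `'` is literal text, so the rendered description gains a stray quote (the sibling rule wraps the same macro call in a single-quoted flow scalar, which is where the quote came from); drop it: `{{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}`. More importantly, the rule encodes the empty value as the two-character string `''` in `sysctlval`, and as far as I know neither sysctl(8) nor systemd-sysctl strips quotes from the right-hand side of `key = value`, so a remediated system may end up with `kernel.core_pattern` set to the literal `''`; with `core_uses_pid = 0` a crash would then write a core file named `''` into the process's working directory, the opposite of what the rule intends, while the OVAL check still passes because it compares the running value against the same literal. Please confirm on a remediated machine with `od -c /proc/sys/kernel/core_pattern` and, if the quotes survive, either change how the empty value is written or state in the description what the kernel actually receives.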
@@ -110,7 +110,8 @@ selections:
 - package_gnutls-utils_installed
 ### Login
- - sysctl_kernel_core_pattern
+ - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_uses_pid
 - service_systemd-coredump_disabled
 - var_authselect_profile=minimal
 - enable_authselect

From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 3 Aug 2022 13:01:12 +0200
Subject: [PATCH 6/8] describe beneficial dependency between sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid

---
 .../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index 7fa36fb940e..d6d2c468c10 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
 description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
 rationale: |-
- The default coredump filename is
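Review bot: The profile now relies on `sysctl_kernel_core_pattern_empty_string` overriding the `kernel.core_pattern` that systemd ships in `/usr/lib/sysctl.d/50-coredump.conf` (the `|/usr/lib/systemd/systemd-coredump …` pipe); sysctl.d drop-ins are applied in lexical order with the last value winning, so this only holds if the file the sysctl template writes sorts after `50-coredump.conf`, which is not visible in this change — please confirm. `service_systemd-coredump_disabled` is not a substitute, since with the systemd drop-in still winning the pattern would keep pointing at the systemd-coredump helper. A short comment next to the selection would spare the next reader the reconstruction: `# must override systemd's 50-coredump.conf core_pattern; pairs with core_uses_pid=0 so no file is written`.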
core
. By setting -
core_uses_pid
to
1
, the coredump filename becomes -
core.PID
. If
core_pattern
does not include -
%p
(default does not) and
core_uses_pid
is set, then -
.PID
will be appended to the filename.
+ The default coredump filename is core. By setting
+ core_uses_pid to 1, the coredump filename becomes
+ core.PID. If core_pattern does not include
+ %p (default does not) and core_uses_pid is set, then
+ .PID will be appended to the filename.
+ When combined with kernel.core_pattern = "" configuration, it
+ is ensured that no core dumps are generated and also no confusing error
+ messages are printed by a shell.
 severity: medium

From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 5 Aug 2022 10:53:37 +0200
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with sysctl_kernel_core_pattern_empty_string

they are modifying the same configuration
---
 .../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index 771c4d40e0f..c27a9e7ecf3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
 severity: medium
+conflicts:
+ - sysctl_kernel_core_pattern_empty_string
+
 identifiers:
 cce@rhcos4: CCE-82527-3
 cce@rhel8: CCE-82215-5

From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 9 Aug 2022 16:43:20 +0200
Subject: [PATCH 8/8] fix ocils

---
 .../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
 .../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index c27a9e7ecf3..1a540ce20b3 100644
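Review bot: The rewritten rationale explains what `core_uses_pid = 1` does but still never says why this rule sets it to 0: with an empty `kernel.core_pattern`, a value of 1 makes the kernel write `.PID` files into the crashed process's working directory and only 0 leaves no file at all — that is why the sibling rule `requires` this one, and it belongs here rather than only in the sibling's description. The closing sentence also overstates the effect ("no core dumps are generated" — the kernel still enters the dump path and merely ends up with no file name, so "no core dump file is created" is the defensible claim), writes the pattern as `""` while the sibling rule uses `''`, and makes a "no confusing error messages" claim I cannot verify from here. Suggested replacement for the last three added lines: `This rule sets core_uses_pid to 0 so that, together with an empty kernel.core_pattern (see sysctl_kernel_core_pattern_empty_string), no core dump file is created at all.`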
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -29,7 +29,10 @@ references:
 stigid@ol8: OL08-00-010671
 stigid@rhel8: RHEL-08-010671
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: |-
+ the returned line does not have a value of "|/bin/false", or a line is not
+ returned and the need for core dumps is not documented with the Information
+ System Security Officer (ISSO) as an operational requirement
 ocil: |
 {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index d6d2c468c10..8f51f97c16c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -24,10 +24,10 @@ identifiers:
 references:
 ospp: FMT_SMF_EXT.1
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: 'the returned line does not have a value of 0'
 ocil: |-
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
 platform: machine
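Review bot: The reflowed `ocil_clause` in the `sysctl_kernel_core_pattern` hunk uses a literal block (`|-`), which keeps the three hard line breaks in the value even though the clause is a single sentence; a folded block, `ocil_clause: >-`, keeps the source wrapped and yields one line at render time. Whether the build normalises whitespace in OCIL clauses I cannot tell from here, so treat this as a style point unless the rendered guide shows the breaks. The `sysctl_kernel_core_uses_pid` hunk correctly points the OCIL at `kernel.core_uses_pid`.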