From 742e103392746dac771663247d169cfe498ee658 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 21 Jan 2022 14:02:16 +0100 Subject: [PATCH 1/7] modify vsyscall rules according to rhel9 ospp add references make rules scored in th e profile --- .../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 1 + .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++ products/rhel9/profiles/ospp.profile | 4 ---- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index 1dd26fea9b6..9f38a1c13b9 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -25,6 +25,7 @@ identifiers: references: disa: CCI-001084 nist: CM-7(a) + ospp: FPT_ASLR_EXT.1 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068 stigid@ol8: OL08-00-010422 stigid@rhel8: RHEL-08-010422 diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml index 52b192ffc52..9d645c8876e 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml @@ -21,6 +21,9 @@ identifiers: cce@rhel8: CCE-83381-4 cce@rhel9: CCE-84100-7 +references: + ospp: FPT_ASLR_EXT.1 + ocil_clause: 'vsyscalls are enabled' ocil: |- diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile index 287a28c43c5..f0b850a4ced 100644 --- a/products/rhel9/profiles/ospp.profile +++ b/products/rhel9/profiles/ospp.profile 
@@ -128,8 +128,6 @@ selections: - grub2_slub_debug_argument - grub2_page_poison_argument - grub2_vsyscall_argument - - grub2_vsyscall_argument.role=unscored - - grub2_vsyscall_argument.severity=info - grub2_pti_argument - grub2_kernel_trust_cpu_rng @@ -421,5 +419,3 @@ selections: - zipl_slub_debug_argument - zipl_page_poison_argument - zipl_vsyscall_argument - - zipl_vsyscall_argument.role=unscored - - zipl_vsyscall_argument.severity=info From d167658d46accbc75200a5d145a746322f1c2d4a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 21 Jan 2022 14:05:24 +0100 Subject: [PATCH 2/7] add ospp references to fips rules --- .../software/integrity/fips/enable_dracut_fips_module/rule.yml | 1 + .../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index f342b9b8d95..3b7c3229b6f 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -29,6 +29,7 @@ references: ism: "1446" nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1 nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12 + ospp: FCS_RBG_EXT.1 srg: SRG-OS-000478-GPOS-00223 stigid@ol8: OL08-00-010020 stigid@rhel8: RHEL-08-010020 diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 7559e61600d..9d89114b07f 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml 
@@ -39,7 +39,7 @@ references: ism: "1446" nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1 nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12 - ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1 + ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1,FCS_RBG_EXT.1 srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176 stigid@ol8: OL08-00-010020 stigid@rhel8: RHEL-08-010020 From f05e895bb96b64a5142e62e3dd0f7208633d5c23 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 21 Jan 2022 14:08:36 +0100 Subject: [PATCH 3/7] drop no longer needed rules from ospp rhel9 profile --- products/rhel9/profiles/ospp.profile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile index f0b850a4ced..7e30054bc98 100644 --- a/products/rhel9/profiles/ospp.profile +++ b/products/rhel9/profiles/ospp.profile @@ -125,11 +125,7 @@ selections: ## Boot prompt - grub2_audit_argument - grub2_audit_backlog_limit_argument - - grub2_slub_debug_argument - - grub2_page_poison_argument - grub2_vsyscall_argument - - grub2_pti_argument - - grub2_kernel_trust_cpu_rng ## Security Settings - sysctl_kernel_kptr_restrict @@ -416,6 +412,4 @@ selections: - zipl_bootmap_is_up_to_date - zipl_audit_argument - zipl_audit_backlog_limit_argument - - zipl_slub_debug_argument - - zipl_page_poison_argument - zipl_vsyscall_argument From 972ae269eff95de8a6914056d38e58b7aeafb8c3 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 21 Jan 2022 15:12:46 +0100 Subject: [PATCH 4/7] add grub2_init_on_alloc rule --- .../grub2_init_on_alloc_argument/rule.yml | 46 +++++++++++++++++++ shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml new file mode 100644 index 00000000000..592e2fb117d --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -0,0 +1,46 @@ +documentation_complete: true + +prodtype: rhel9 + +title: 'Configure kernel to zero out memory before allocation (through Grub2)' + +description: |- + To configure the kernel to zero out memory before allocating it, add the + init_on_alloc=1 argument to the default GRUB 2 command line for + the Linux operating system in /etc/default/grub, in the manner + below: +
GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"
+ Update the boot parameter for existing kernels by running the following command: +
# grubby --update-kernel=ALL --args="init_on_alloc=1"
+ +rationale: |- + When the kernel configuration option init_on_alloc is enabled, + all page allocator and slab allocator memory will be zeroed when allocated, + eliminating many kinds of "uninitialized heap memory" flaws, effectively + preventing data leaks. + +severity: medium + +identifiers: + cce@rhel9: CCE-85867-0 + +ocil_clause: 'the kernel is not configured to zero out memory before allocation' + +ocil: |- + Make sure that the kernel is configured to zero out memory before + allocation. Ensure that the parameter is configured in + /etc/default/grub: +
grep GRUB_CMDLINE_LINUX /etc/default/grub
+ The output should contain init_on_alloc=1. + Run the following command to display command line parameters of all + installed kernels: +
# grubby --info=ALL | grep args
+ Ensure that each line contains the init_on_alloc=1 parameter. + +platform: machine + +template: + name: grub2_bootloader_argument + vars: + arg_name: init_on_alloc + arg_value: '1' diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 8aad24b20f7..6835189cd99 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,4 +1,3 @@ -CCE-85867-0 CCE-85868-8 CCE-85872-0 CCE-85873-8 From a865514257c85d79aaf7e4286d8723aa1ad8de03 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 24 Jan 2022 10:01:23 +0100 Subject: [PATCH 5/7] add zipl_init_on_alloc_argument rule --- .../zipl_init_on_alloc_argument/rule.yml | 41 +++++++++++++++++++ .../tests/correct_option.pass.sh | 15 +++++++ .../tests/missing_in_cmdline.fail.sh | 13 ++++++ .../tests/missing_in_entry.fail.sh | 13 ++++++ shared/references/cce-redhat-avail.txt | 1 - 5 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml new file mode 100644 index 00000000000..b47a7757327 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml 
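Review bot: The new rule carries no `references:` block, so unlike the vsyscall and FIPS rules adjusted earlier in this series it has no `ospp:` entry even though patch 6 selects it in the rhel9 OSPP profile; the zipl_init_on_alloc_argument/rule.yml added in patch 5 has the same gap. Adding `references:` / `  ospp: <OSPP SFR id — placeholder, take it from the RHEL 9 OSPP mapping>` after the `identifiers:` block would keep the rule metadata in line with its profile selection. The rationale's closing clause, "effectively preventing data leaks", also overstates what zeroing on allocation buys; "reducing the risk of stale kernel memory contents leaking through uninitialized allocations" describes the mitigation more accurately.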
@@ -0,0 +1,41 @@ +documentation_complete: true + +prodtype: rhel9 + +title: 'Configure kernel to zero out memory before allocation (through zIPl)' + +description: |- + To ensure that the kernel is configured to zero out memory before + allocation, check that all boot entries in + /boot/loader/entries/*.conf have init_on_alloc=1 + included in its options.
+ + To ensure that new kernels and boot entries continue to zero out memory + before allocation, add init_on_alloc=1 to /etc/kernel/cmdline. + +rationale: |- + When the kernel configuration option init_on_alloc is enabled, + all page allocator and slab allocator memory will be zeroed when allocated, + eliminating many kinds of "uninitialized heap memory" flaws, effectively + preventing data leaks. + +severity: medium + +identifiers: + cce@rhel9: CCE-85868-8 + +ocil_clause: 'the kernel is not configured to zero out memory before allocation' + +ocil: |- + To check that the kernel is configured to zero out memory before allocation + time, check all boot entries with following command: +
sudo grep -L"^options\s+.*\binit_on_alloc=1\b" /boot/loader/entries/*.conf
+ No line should be returned, each line returned is a boot entry that doesn't enable audit. + +platform: machine + +template: + name: zipl_bls_entries_option + vars: + arg_name: init_on_alloc + arg_value: '1' diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh new file mode 100644 index 00000000000..50cf1b78f70 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 + +# Make sure boot loader entries contain init_on_alloc=1 +for file in /boot/loader/entries/*.conf +do + if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then + sed -i '/^options / s/$/ init_on_alloc=1/' "$file" + fi +done + +# Make sure /etc/kernel/cmdline contains init_on_alloc=1 +if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then + echo "init_on_alloc=1" >> /etc/kernel/cmdline +fi diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh new file mode 100644 index 00000000000..7c0d9154776 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 + +# Make sure boot loader entries contain init_on_alloc=1 +for file in /boot/loader/entries/*.conf +do + if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then + sed -i '/^options / s/$/ init_on_alloc=1/' "$file" + fi +done + +# Make sure /etc/kernel/cmdline doesn't contain init_on_alloc=1 +sed -Ei 's/(^.*)init_on_alloc=1(.*?)$/\1\2/' /etc/kernel/cmdline || true 
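Review bot: The OCIL command `sudo grep -L"^options\s+.*\binit_on_alloc=1\b" /boot/loader/entries/*.conf` is not runnable as written: with no space after `-L` the shell joins the pattern onto the option and grep treats the following characters as further options, and in grep's default basic regex `+` is a literal character, so even with the space restored every entry would be reported as missing. `sudo grep -EL "^options\s+.*\binit_on_alloc=1\b" /boot/loader/entries/*.conf` does what the text describes. The next sentence, "each line returned is a boot entry that doesn't enable audit", looks copied from the audit rule and should read "does not set init_on_alloc=1", and "included in its options" in the description should be "their options" since it refers to all entries.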
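Review bot: `grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline` uses extended-regex grouping and `?` without `-E`, so in grep's basic syntax the parentheses and `?` are literal and the pattern never matches an existing entry; the script then appends `init_on_alloc=1` even when it is already present. `grep -qsE '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline` matches the intent; missing_in_entry.fail.sh in this patch has the same line. The duplicated argument keeps this pass scenario passing, but it means the scenario never exercises a cmdline that already had the value. The `# platform =` header also lists Fedora and RHEL 8 while the rule's `prodtype` is rhel9 only; presumably the test is simply skipped on those products, but narrowing it to `Red Hat Enterprise Linux 9` would avoid the mismatch.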
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh new file mode 100644 index 00000000000..9d330c9192d --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9 + +# Remove init_on_alloc=1 from all boot entries +sed -Ei 's/(^options.*\s)init_on_alloc=1(.*?)$/\1\2/' /boot/loader/entries/* +# But make sure one boot loader entry contains init_on_alloc=1 +sed -i '/^options / s/$/ init_on_alloc=1/' /boot/loader/entries/*rescue.conf +sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf + +# Make sure /etc/kernel/cmdline contains init_on_alloc=1 +if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then + echo "init_on_alloc=1" >> /etc/kernel/cmdline +fi diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 6835189cd99..05a641aeaf0 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,4 +1,3 @@ -CCE-85868-8 CCE-85872-0 CCE-85873-8 CCE-85874-6 From 9ca5ec04e734941b1c401369b6da6672b42824b1 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 24 Jan 2022 10:07:24 +0100 Subject: [PATCH 6/7] add new rules to rhel9 ospp --- products/rhel9/profiles/ospp.profile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile index 7e30054bc98..28c7e92d298 100644 --- a/products/rhel9/profiles/ospp.profile +++ b/products/rhel9/profiles/ospp.profile 
@@ -126,6 +126,7 @@ selections: - grub2_audit_argument - grub2_audit_backlog_limit_argument - grub2_vsyscall_argument + - grub2_init_on_alloc_argument ## Security Settings - sysctl_kernel_kptr_restrict @@ -413,3 +414,4 @@ selections: - zipl_audit_argument - zipl_audit_backlog_limit_argument - zipl_vsyscall_argument + - zipl_init_on_alloc_argument From 42a118bcc615051ae4cd268a5fc758aa5d75108d Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 27 Jan 2022 14:08:20 +0100 Subject: [PATCH 7/7] make rule names consistent --- .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml | 2 +- .../system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index 592e2fb117d..a9253c74cc6 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: rhel9 -title: 'Configure kernel to zero out memory before allocation (through Grub2)' +title: 'Configure kernel to zero out memory before allocation' description: |- To configure the kernel to zero out memory before allocating it, add the diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml index b47a7757327..fa272250a28 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml 
@@ -2,7 +2,7 @@ documentation_complete: true prodtype: rhel9 -title: 'Configure kernel to zero out memory before allocation (through zIPl)' +title: 'Configure kernel to zero out memory before allocation in zIPL' description: |- To ensure that the kernel is configured to zero out memory before