274 lines
11 KiB
Diff
274 lines
11 KiB
Diff
From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 10 Feb 2020 16:16:17 +0100
|
|
Subject: [PATCH 1/4] create new rules, add missing reference to older rule
|
|
|
|
---
|
|
.../rule.yml | 26 +++++++++++++++
|
|
.../package_openssh-server_installed/rule.yml | 1 +
|
|
.../rule.yml | 32 +++++++++++++++++++
|
|
.../rule.yml | 29 +++++++++++++++++
|
|
5 files changed, 88 insertions(+), 3 deletions(-)
|
|
create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
|
create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
|
|
|
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
|
new file mode 100644
|
|
index 0000000000..9b3c55f23b
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
|
@@ -0,0 +1,26 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: rhel8
|
|
+
|
|
+title: 'Install OpenSSH client software'
|
|
+
|
|
+description: |-
|
|
+ {{{ describe_package_install(package="openssh-clients") }}}
|
|
+
|
|
+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
|
|
+
|
|
+severity: medium
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: 82722-0
|
|
+
|
|
+references:
|
|
+ srg: SRG-OS-000480-GPOS-00227
|
|
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
|
|
+
|
|
+{{{ complete_ocil_entry_package(package='openssh-clients') }}}
|
|
+
|
|
+template:
|
|
+ name: package_installed
|
|
+ vars:
|
|
+ pkgname: openssh-clients
|
|
diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
|
index c18e604a5c..ba013ec509 100644
|
|
--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml
|
|
@@ -28,6 +28,7 @@ references:
|
|
cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06
|
|
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
cis-csc: 13,14
|
|
+ ospp: FIA_UAU.5,FTP_ITC_EXT.1
|
|
|
|
ocil_clause: 'the package is not installed'
|
|
|
|
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
|
new file mode 100644
|
|
index 0000000000..6025f0cd33
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
|
@@ -0,0 +1,32 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: rhel8
|
|
+
|
|
+title: 'Install policycoreutils-python-utils package'
|
|
+
|
|
+description: |-
|
|
+ {{{ describe_package_install(package="policycoreutils-python-utils") }}}
|
|
+
|
|
+rationale: |-
|
|
+ Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
|
|
+ with enhanced security functionality designed to add mandatory access controls to Linux.
|
|
+ The Security-enhanced Linux kernel contains new architectural components originally
|
|
+ developed to improve security of the Flask operating system. These architectural components
|
|
+ provide general support for the enforcement of many kinds of mandatory access control
|
|
+ policies, including those based on the concepts of Type Enforcement, Role-based Access
|
|
+ Control, and Multi-level Security.
|
|
+
|
|
+severity: medium
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: 82724-6
|
|
+
|
|
+references:
|
|
+ srg: SRG-OS-000480-GPOS-00227
|
|
+
|
|
+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}
|
|
+
|
|
+template:
|
|
+ name: package_installed
|
|
+ vars:
|
|
+ pkgname: policycoreutils-python-utils
|
|
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
|
new file mode 100644
|
|
index 0000000000..c418518e7a
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
|
@@ -0,0 +1,29 @@
|
|
+documentation_complete: true
|
|
+
|
|
+prodtype: rhel8
|
|
+
|
|
+title: 'Install crypto-policies package'
|
|
+
|
|
+description: |-
|
|
+ {{{ describe_package_install(package="crypto-policies") }}}
|
|
+
|
|
+rationale: |-
|
|
+ The <tt>crypto-policies</tt> package provides configuration and tools to
|
|
+ apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
|
|
+
|
|
+
|
|
+severity: medium
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel8: 82723-8
|
|
+
|
|
+references:
|
|
+ ospp: FCS_COP*
|
|
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
|
+
|
|
+{{{ complete_ocil_entry_package(package='crypto-policies') }}}
|
|
+
|
|
+template:
|
|
+ name: package_installed
|
|
+ vars:
|
|
+ pkgname: crypto-policies
|
|
From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 10 Feb 2020 16:18:03 +0100
|
|
Subject: [PATCH 2/4] modify ospp profile
|
|
|
|
---
|
|
rhel8/profiles/ospp.profile | 10 +++++-----
|
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
index 4d5a9edd8e..c672066050 100644
|
|
--- a/rhel8/profiles/ospp.profile
|
|
+++ b/rhel8/profiles/ospp.profile
|
|
@@ -169,17 +169,17 @@ selections:
|
|
- package_dnf-plugin-subscription-manager_installed
|
|
- package_firewalld_installed
|
|
- package_iptables_installed
|
|
- - package_libcap-ng-utils_installed
|
|
- package_openscap-scanner_installed
|
|
- package_policycoreutils_installed
|
|
- package_rng-tools_installed
|
|
- package_sudo_installed
|
|
- package_usbguard_installed
|
|
- - package_audispd-plugins_installed
|
|
- package_scap-security-guide_installed
|
|
- package_audit_installed
|
|
- - package_gnutls-utils_installed
|
|
- - package_nss-tools_installed
|
|
+ - package_crypto-policies_installed
|
|
+ - package_openssh-server_installed
|
|
+ - package_openssh-clients_installed
|
|
+ - package_policycoreutils-python-utils_installed
|
|
|
|
### Remove Prohibited Packages
|
|
- package_sendmail_removed
|
|
@@ -316,7 +316,7 @@ selections:
|
|
## Configure the System to Offload Audit Records to a Log
|
|
## Server
|
|
## AU-4(1) / FAU_GEN.1.1.c
|
|
- - auditd_audispd_syslog_plugin_activated
|
|
+ # temporarily dropped
|
|
|
|
## Set Logon Warning Banner
|
|
## AC-8(a) / FMT_MOF_EXT.1
|
|
|
|
From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 10 Feb 2020 16:18:52 +0100
|
|
Subject: [PATCH 3/4] add rules to rhel8 stig profile
|
|
|
|
---
|
|
rhel8/profiles/stig.profile | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
|
index 821cc26914..7eb1869a3c 100644
|
|
--- a/rhel8/profiles/stig.profile
|
|
+++ b/rhel8/profiles/stig.profile
|
|
@@ -33,6 +33,9 @@ selections:
|
|
- encrypt_partitions
|
|
- sysctl_net_ipv4_tcp_syncookies
|
|
- clean_components_post_updating
|
|
+ - package_audispd-plugins_installed
|
|
+ - package_libcap-ng-utils_installed
|
|
+ - auditd_audispd_syslog_plugin_activated
|
|
|
|
# Configure TLS for remote logging
|
|
- package_rsyslog_installed
|
|
|
|
From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Mon, 10 Feb 2020 17:42:43 +0100
|
|
Subject: [PATCH 4/4] rephrase some rationales, fix SFR
|
|
|
|
---
|
|
.../ssh/package_openssh-clients_installed/rule.yml | 4 +++-
|
|
.../rule.yml | 9 ++-------
|
|
.../crypto/package_crypto-policies_installed/rule.yml | 8 ++++----
|
|
3 files changed, 9 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
|
index 9b3c55f23b..f5b29d32e8 100644
|
|
--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml
|
|
@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'
|
|
description: |-
|
|
{{{ describe_package_install(package="openssh-clients") }}}
|
|
|
|
-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'
|
|
+rationale: |-
|
|
+ This package includes utilities to make encrypted connections and transfer
|
|
+ files securely to SSH servers.
|
|
|
|
severity: medium
|
|
|
|
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
|
index 6025f0cd33..7ae7461077 100644
|
|
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
|
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
|
@@ -8,13 +8,8 @@ description: |-
|
|
{{{ describe_package_install(package="policycoreutils-python-utils") }}}
|
|
|
|
rationale: |-
|
|
- Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
|
|
- with enhanced security functionality designed to add mandatory access controls to Linux.
|
|
- The Security-enhanced Linux kernel contains new architectural components originally
|
|
- developed to improve security of the Flask operating system. These architectural components
|
|
- provide general support for the enforcement of many kinds of mandatory access control
|
|
- policies, including those based on the concepts of Type Enforcement, Role-based Access
|
|
- Control, and Multi-level Security.
|
|
+ This package is required to operate and manage an SELinux environment and its policies.
|
|
+ It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.
|
|
|
|
severity: medium
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
|
index c418518e7a..bb07f9d617 100644
|
|
--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
|
+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml
|
|
@@ -8,9 +8,9 @@ description: |-
|
|
{{{ describe_package_install(package="crypto-policies") }}}
|
|
|
|
rationale: |-
|
|
- The <tt>crypto-policies</tt> package provides configuration and tools to
|
|
- apply centralizet cryptographic policies for backends such as SSL/TLS libraries.
|
|
-
|
|
+ Centralized cryptographic policies simplify applying secure ciphers across an operating system and
|
|
+ the applications that run on that operating system. Use of weak or untested encryption algorithms
|
|
+ undermines the purposes of utilizing encryption to protect data.
|
|
|
|
severity: medium
|
|
|
|
@@ -18,7 +18,7 @@ identifiers:
|
|
cce@rhel8: 82723-8
|
|
|
|
references:
|
|
- ospp: FCS_COP*
|
|
+ ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)
|
|
srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
|
|
|
|
{{{ complete_ocil_entry_package(package='crypto-policies') }}}
|