From 147ad40e23d8bd1c839baa001105c659e732c7cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 15:30:47 +0200
Subject: [PATCH 1/4] Fix severity of RHEL 7 STIG rules.

---
 rhel7/profiles/stig.profile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index b820d30608..57e88de210 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -104,6 +104,7 @@ selections:
     - grub2_password
     - require_singleuser_auth
     - grub2_uefi_password
+    - grub2_uefi_password.severity=high
     - smartcard_auth
     - package_rsh-server_removed
     - package_ypserv_removed
@@ -157,6 +158,7 @@ selections:
     - grub2_enable_fips_mode
     - aide_verify_acls
     - aide_verify_ext_attributes
+    - aide_verify_ext_attributes.severity=low
     - aide_use_fips_hashes
     - grub2_no_removeable_media
     - uefi_no_removeable_media
@@ -297,6 +299,9 @@ selections:
     - sysctl_net_ipv4_conf_all_accept_redirects
     - wireless_disable_interfaces
     - mount_option_dev_shm_nodev
+    - mount_option_dev_shm_nodev.severity=low
     - mount_option_dev_shm_noexec
+    - mount_option_dev_shm_noexec.severity=low
     - mount_option_dev_shm_nosuid
+    - mount_option_dev_shm_nosuid.severity=low
     - audit_rules_privileged_commands_mount

From 1e6ae626c138106ec8884f0863b09d0e628ae68f Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 15:44:44 +0200
Subject: [PATCH 2/4] Revert severity of some rules and refine on a profile
 basis.

These rules' severities were previously mapped from NIST 800-53, so we
should keep them as they were and refine them as needed at the profile
level.
---
 .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml        | 2 +-
 .../accounts-session/accounts_logon_fail_delay/rule.yml         | 2 +-
 rhel7/profiles/stig.profile                                     | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 95e11e5787..2ead6f7896 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
     Removing the <tt>vsftpd</tt> package decreases the risk of its
     accidental activation.
 
-severity: high
+severity: low
 
 identifiers:
     cce@rhel6: CCE-26687-4
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 08f81100f4..bb7c17108a 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
     Increasing the time between a failed authentication attempt and re-prompting to
     enter credentials helps to slow a single-threaded brute force attack.
 
-severity: medium
+severity: low
 
 identifiers:
     cce@rhel7: CCE-80352-8
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 57e88de210..f3f94a66ba 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -97,6 +97,7 @@ selections:
     - sudo_remove_nopasswd
     - sudo_remove_no_authenticate
     - accounts_logon_fail_delay
+    - accounts_logon_fail_delay.severity=medium
     - gnome_gdm_disable_automatic_login
     - gnome_gdm_disable_guest_login
     - sshd_do_not_permit_user_env
@@ -274,6 +275,7 @@ selections:
     - network_sniffer_disabled
     - postfix_prevent_unrestricted_relay
     - package_vsftpd_removed
+    - package_vsftpd_removed.severity=high
     - package_tftp-server_removed
     - sshd_enable_x11_forwarding
     - tftpd_uses_secure_mode

From 4dcb7e0cfe8a59f7490e4eb4da18acc3a96e06a5 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 2 Oct 2020 17:18:19 +0200
Subject: [PATCH 3/4] Revert to previous severity since what's in the STIG
 takes precedence.

---
 .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml        | 2 +-
 .../accounts-session/accounts_logon_fail_delay/rule.yml         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
index 2ead6f7896..95e11e5787 100644
--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
     Removing the <tt>vsftpd</tt> package decreases the risk of its
     accidental activation.
 
-severity: low
+severity: high
 
 identifiers:
     cce@rhel6: CCE-26687-4
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index bb7c17108a..08f81100f4 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
     Increasing the time between a failed authentication attempt and re-prompting to
     enter credentials helps to slow a single-threaded brute force attack.
 
-severity: low
+severity: medium
 
 identifiers:
     cce@rhel7: CCE-80352-8

From 0da43ce6d4758a540ba3276a8c51819be643f709 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 2 Oct 2020 17:38:03 +0200
Subject: [PATCH 4/4] Remove severity refinement from profile and change on a
 rule level.

---
 .../system/bootloader-grub2/grub2_uefi_password/rule.yml   | 2 +-
 .../partitions/mount_option_dev_shm_nodev/rule.yml         | 2 +-
 .../partitions/mount_option_dev_shm_noexec/rule.yml        | 2 +-
 .../partitions/mount_option_dev_shm_nosuid/rule.yml        | 2 +-
 .../aide/aide_verify_ext_attributes/rule.yml               | 2 +-
 rhel7/profiles/stig.profile                                | 7 -------
 6 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index e07094177b..0184c601a0 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -24,7 +24,7 @@ rationale: |-
     important bootloader settings. These include which kernel to use,
     and whether to enter single-user mode.
 
-severity: medium
+severity: high
 
 identifiers:
     cce@rhel7: CCE-80354-4
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
index 4f01edeebc..4a06fd5f2f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
 
 {{{ complete_ocil_entry_mount_option("/dev/shm", "nodev") }}}
 
-severity: medium
+severity: low
 
 identifiers:
     cce@rhel6: CCE-26778-1
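Review bot: Lowering `severity` in the shared rule definition changes what every profile that selects mount_option_dev_shm_nodev reports, not only the RHEL 7 STIG profile — the `cce@rhel6` identifier on the line after the change shows this rule is consumed by more than one product, whereas the profile-level `.severity=low` refinement this same patch removes from stig.profile was scoped to the STIG alone. If the intent is for the STIG rating to win everywhere, record that in the rule file so the next editor does not "fix" it back, e.g. add `# low: follows the RHEL 7 STIG rating for this control; stricter baselines should raise it via a profile refinement` above the `severity:` line. The rationale block for this rule begins above the hunk.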
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
index 0074e898c6..eaab02ff6d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
 
 {{{ complete_ocil_entry_mount_option("/dev/shm", "noexec") }}}
 
-severity: medium
+severity: low
 
 identifiers:
     cce@rhel6: CCE-26622-1
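Review bot: Of the three /dev/shm mount options downgraded in this patch, `noexec` is the one that directly removes a world-writable, executable staging area for dropped payloads, and with the rule-level change a scanner that orders findings by severity will now rank a missing `noexec` on `/dev/shm` as low in every profile that selects this rule, not just the STIG. Presumably this matches the STIG's own category for the control (the commit says the STIG takes precedence) — confirm against the stigid reference in this file, which is outside the hunk. If the downgrade is accepted, a comment such as `# low: matches the RHEL 7 STIG category for this control` above `severity:` makes the choice auditable; otherwise keep the rule at medium and set the STIG-specific value with a `.severity=low` refinement in stig.profile.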
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
index e0eabc2a9e..3771bf2451 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
 
 {{{ complete_ocil_entry_mount_option("/dev/shm", "nosuid") }}}
 
-severity: medium
+severity: low
 
 identifiers:
     cce@rhel6: CCE-26486-1
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
index 9dba1deca5..2e81a270c5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
     Extended attributes in file systems are used to contain arbitrary data and file metadata
     with security implications.
 
-severity: medium
+severity: low
 
 identifiers:
     cce@rhel7: CCE-80376-7
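Review bot: The rationale kept on the two lines above the change states that extended attributes carry data "with security implications", which now sits directly beside a `low` severity with nothing explaining the mismatch, so a reader will assume one of the two is stale. Add a why-comment above `severity:`, e.g. `# low: aligned with the RHEL 7 STIG rating; the rationale describes the risk, the STIG sets the priority`, or extend the rationale to say that xattr verification in AIDE is a defense-in-depth check on top of the content and permission checks. Because this rule file is shared by every profile that selects the rule, confirm the downgrade is wanted outside the STIG profile as well; the rationale block starts above the hunk.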
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index f3f94a66ba..b820d30608 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -97,7 +97,6 @@ selections:
     - sudo_remove_nopasswd
     - sudo_remove_no_authenticate
     - accounts_logon_fail_delay
-    - accounts_logon_fail_delay.severity=medium
     - gnome_gdm_disable_automatic_login
     - gnome_gdm_disable_guest_login
     - sshd_do_not_permit_user_env
@@ -105,7 +104,6 @@ selections:
     - grub2_password
     - require_singleuser_auth
     - grub2_uefi_password
-    - grub2_uefi_password.severity=high
     - smartcard_auth
     - package_rsh-server_removed
     - package_ypserv_removed
@@ -159,7 +157,6 @@ selections:
     - grub2_enable_fips_mode
     - aide_verify_acls
     - aide_verify_ext_attributes
-    - aide_verify_ext_attributes.severity=low
     - aide_use_fips_hashes
     - grub2_no_removeable_media
     - uefi_no_removeable_media
@@ -275,7 +272,6 @@ selections:
     - network_sniffer_disabled
     - postfix_prevent_unrestricted_relay
     - package_vsftpd_removed
-    - package_vsftpd_removed.severity=high
     - package_tftp-server_removed
     - sshd_enable_x11_forwarding
     - tftpd_uses_secure_mode
@@ -301,9 +297,6 @@ selections:
     - sysctl_net_ipv4_conf_all_accept_redirects
     - wireless_disable_interfaces
     - mount_option_dev_shm_nodev
-    - mount_option_dev_shm_nodev.severity=low
     - mount_option_dev_shm_noexec
-    - mount_option_dev_shm_noexec.severity=low
     - mount_option_dev_shm_nosuid
-    - mount_option_dev_shm_nosuid.severity=low
     - audit_rules_privileged_commands_mount
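Review bot: After this hunk stig.profile is byte-for-byte back at its pre-series state (the file index returns to b820d30608), so patches 1, 2 and 4 cancel out on the profile and the only surviving effect of the series is rule-level severities that no longer mention the STIG anywhere in the rule files. Consider squashing the series so history does not show a refinement being added and then removed, and carry the "what's in the STIG takes precedence" justification into the surviving commit message, since the rule files themselves now give no hint of why these particular values were chosen. The selections list continues outside the hunk.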