|
 |
9be3b2 |
From 278f3b476291d69e45da4dcdfca5a308646224f2 Mon Sep 17 00:00:00 2001
|
|
|
9be3b2 |
From: Matthew Burket <mburket@redhat.com>
|
|
|
9be3b2 |
Date: Mon, 19 Jul 2021 09:49:57 -0500
|
|
|
9be3b2 |
Subject: [PATCH 1/2] Add more checks for bios_enable_execution_restrictions to
|
|
|
9be3b2 |
ensure we don't miss anything
|
|
|
9be3b2 |
|
|
|
9be3b2 |
---
|
|
|
9be3b2 |
.../oval/shared.xml | 18 ++++++++++++++++++
|
|
|
9be3b2 |
.../rule.yml | 3 ++-
|
|
|
9be3b2 |
products/rhel8/profiles/stig.profile | 1 +
|
|
|
9be3b2 |
.../data/profile_stability/rhel8/stig.profile | 1 +
|
|
|
9be3b2 |
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
|
|
9be3b2 |
5 files changed, 23 insertions(+), 1 deletion(-)
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..622a183f99f
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
|
|
|
9be3b2 |
@@ -0,0 +1,18 @@
|
|
|
9be3b2 |
+<def-group>
|
|
|
9be3b2 |
+ <definition class="compliance" id="bios_enable_execution_restrictions" version="2">
|
|
|
9be3b2 |
+ {{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}}
|
|
|
9be3b2 |
+ <criteria>
|
|
|
9be3b2 |
+ <criterion comment="NX bit is set" test_ref="test_NX_cpu_support" />
|
|
|
9be3b2 |
+ </criteria>
|
|
|
9be3b2 |
+ </definition>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="CPUs support for NX bit" id="test_NX_cpu_support" version="1">
|
|
|
9be3b2 |
+ <ind:object object_ref="obj_NX_cpu_support" />
|
|
|
9be3b2 |
+ </ind:textfilecontent54_test>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ <ind:textfilecontent54_object id="obj_NX_cpu_support" version="1">
|
|
|
9be3b2 |
+ <ind:filepath>/proc/cpuinfo</ind:filepath>
|
|
|
9be3b2 |
+ <ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx[\s]+.*$</ind:pattern>
|
|
|
9be3b2 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
9be3b2 |
+ </ind:textfilecontent54_object>
|
|
|
9be3b2 |
+</def-group>
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
|
|
|
9be3b2 |
index 4ca003520ac..b037e374f5b 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
|
|
|
9be3b2 |
@@ -14,7 +14,7 @@ rationale: |-
|
|
|
9be3b2 |
Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
|
|
|
9be3b2 |
allow users to turn the feature on or off at will.
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-severity: unknown
|
|
|
9be3b2 |
+severity: medium
|
|
|
9be3b2 |
|
|
|
9be3b2 |
identifiers:
|
|
|
9be3b2 |
cce@rhel7: CCE-27099-1
|
|
|
9be3b2 |
@@ -31,5 +31,6 @@ references:
|
|
|
9be3b2 |
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
|
|
|
9be3b2 |
nist: SC-39,CM-6(a)
|
|
|
9be3b2 |
nist-csf: PR.IP-1
|
|
|
9be3b2 |
+ stig@rhel8: RHEL-08-010420
|
|
|
9be3b2 |
|
|
|
9be3b2 |
platform: machine
|
|
|
9be3b2 |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
index 5a0a520ee0a..6372d13cfc9 100644
|
|
|
9be3b2 |
--- a/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
@@ -260,6 +260,7 @@ selections:
|
|
|
9be3b2 |
- package_opensc_installed
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-010420
|
|
|
9be3b2 |
+ - bios_enable_execution_restrictions
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-010421
|
|
|
9be3b2 |
- grub2_page_poison_argument
|
|
|
9be3b2 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
index 4be3cf93c25..32f1a24a7a4 100644
|
|
|
9be3b2 |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
@@ -74,6 +74,7 @@ selections:
|
|
|
9be3b2 |
- auditd_log_format
|
|
|
9be3b2 |
- auditd_name_format
|
|
|
9be3b2 |
- banner_etc_issue
|
|
|
9be3b2 |
+- bios_enable_execution_restrictions
|
|
|
9be3b2 |
- chronyd_client_only
|
|
|
9be3b2 |
- chronyd_no_chronyc_network
|
|
|
9be3b2 |
- chronyd_or_ntpd_set_maxpoll
|
|
|
9be3b2 |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
index 20b8a54861e..d6a27c67dc0 100644
|
|
|
9be3b2 |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
@@ -85,6 +85,7 @@ selections:
|
|
|
9be3b2 |
- auditd_log_format
|
|
|
9be3b2 |
- auditd_name_format
|
|
|
9be3b2 |
- banner_etc_issue
|
|
|
9be3b2 |
+- bios_enable_execution_restrictions
|
|
|
9be3b2 |
- chronyd_client_only
|
|
|
9be3b2 |
- chronyd_no_chronyc_network
|
|
|
9be3b2 |
- chronyd_or_ntpd_set_maxpoll
|
|
|
9be3b2 |
|
|
|
9be3b2 |
From dac8111b4d89a31cbaa5648f876bd58575a93e86 Mon Sep 17 00:00:00 2001
|
|
|
9be3b2 |
From: Matthew Burket <mburket@redhat.com>
|
|
|
9be3b2 |
Date: Mon, 19 Jul 2021 09:51:34 -0500
|
|
|
9be3b2 |
Subject: [PATCH 2/2] Add oval check for bios_enable_execution_restrictions
|
|
|
9be3b2 |
|
|
|
9be3b2 |
---
|
|
|
9be3b2 |
.../oval/shared.xml | 24 ++++++++++++++++++-
|
|
|
9be3b2 |
1 file changed, 23 insertions(+), 1 deletion(-)
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
|
|
|
9be3b2 |
index 622a183f99f..7cc448f8cce 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
|
|
|
9be3b2 |
@@ -1,8 +1,10 @@
|
|
|
9be3b2 |
<def-group>
|
|
|
9be3b2 |
<definition class="compliance" id="bios_enable_execution_restrictions" version="2">
|
|
|
9be3b2 |
{{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}}
|
|
|
9be3b2 |
- <criteria>
|
|
|
9be3b2 |
+ <criteria operator="AND">
|
|
|
9be3b2 |
<criterion comment="NX bit is set" test_ref="test_NX_cpu_support" />
|
|
|
9be3b2 |
+ <criterion comment="No log messages about NX being disabled" test_ref="test_messages_nx_active" />
|
|
|
9be3b2 |
+ <criterion comment="NX is not disabled in the kernel command line" test_ref="test_noexec_cmd_line" />
|
|
|
9be3b2 |
</criteria>
|
|
|
9be3b2 |
</definition>
|
|
|
9be3b2 |
|
|
|
9be3b2 |
@@ -10,9 +12,29 @@
|
|
|
9be3b2 |
<ind:object object_ref="obj_NX_cpu_support" />
|
|
|
9be3b2 |
</ind:textfilecontent54_test>
|
|
|
9be3b2 |
|
|
|
9be3b2 |
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_messages_nx_active" version="1" comment="No log messages about NX being disabled">
|
|
|
9be3b2 |
+ <ind:object object_ref="obj_messages_nx_active" />
|
|
|
9be3b2 |
+ </ind:textfilecontent54_test>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_noexec_cmd_line" version="1" comment="NX is not disabled in the kernel command line">
|
|
|
9be3b2 |
+ <ind:object object_ref="obj_noexec_cmd_line" />
|
|
|
9be3b2 |
+ </ind:textfilecontent54_test>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
<ind:textfilecontent54_object id="obj_NX_cpu_support" version="1">
|
|
|
9be3b2 |
<ind:filepath>/proc/cpuinfo</ind:filepath>
|
|
|
9be3b2 |
<ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx[\s]+.*$</ind:pattern>
|
|
|
9be3b2 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
9be3b2 |
</ind:textfilecontent54_object>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ <ind:textfilecontent54_object id="obj_messages_nx_active" version="1">
|
|
|
9be3b2 |
+ <ind:filepath>/var/log/messages</ind:filepath>
|
|
|
9be3b2 |
+ <ind:pattern operation="pattern match">^.+protection: disabled.+</ind:pattern>
|
|
|
9be3b2 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
9be3b2 |
+ </ind:textfilecontent54_object>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ <ind:textfilecontent54_object id="obj_noexec_cmd_line" version="1">
|
|
|
9be3b2 |
+ <ind:filepath>/proc/cmdline</ind:filepath>
|
|
|
9be3b2 |
+ <ind:pattern operation="pattern match">.+noexec[0-9]*=off.+</ind:pattern>
|
|
|
9be3b2 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
9be3b2 |
+ </ind:textfilecontent54_object>
|
|
|
9be3b2 |
</def-group>
|