Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch

76240a
From 994b50e9a47e222c2a27fde231cbf3e2f6f77aed Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Fri, 6 Aug 2021 15:26:28 -0500
76240a
Subject: [PATCH] Select sysctl_net_core_bpf_jit_harden for RHEL-08-040286
76240a
76240a
---
76240a
 .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml       | 3 +++
76240a
 products/rhel8/profiles/stig.profile                           | 3 +++
76240a
 tests/data/profile_stability/rhel8/stig.profile                | 1 +
76240a
 tests/data/profile_stability/rhel8/stig_gui.profile            | 1 +
76240a
 4 files changed, 8 insertions(+)
76240a
76240a
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
76240a
index 9a1096cc72..31b7183b87 100644
76240a
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
76240a
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
76240a
@@ -19,8 +19,11 @@ identifiers:
76240a
     cce@rhel9: CCE-83966-2
76240a
 
76240a
 references:
76240a
+    disa: CCI-000366
76240a
+    nist: CM-6b
76240a
     ospp: FMT_SMF_EXT.1
76240a
     srg: SRG-OS-000480-GPOS-00227
76240a
+    stigid@rhel8: RHEL-08-040286
76240a
 
76240a
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.core.bpf_jit_harden", value="2") }}}
76240a
 
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 0a1fdd15ca..a358f61dba 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -1149,6 +1149,9 @@ selections:
76240a
     # RHEL-08-040285
76240a
     - sysctl_net_ipv4_conf_all_rp_filter
76240a
 
76240a
+    # RHEL-08-040286
76240a
+    - sysctl_net_core_bpf_jit_harden
76240a
+
76240a
     # RHEL-08-040290
76240a
     # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation
76240a
     # there needs to be a new platform check to identify when postfix is installed or not
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index d7e2f71376..7d54a7505f 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -359,6 +359,7 @@ selections:
76240a
 - sysctl_kernel_randomize_va_space
76240a
 - sysctl_kernel_unprivileged_bpf_disabled
76240a
 - sysctl_kernel_yama_ptrace_scope
76240a
+- sysctl_net_core_bpf_jit_harden
76240a
 - sysctl_net_ipv4_conf_all_accept_redirects
76240a
 - sysctl_net_ipv4_conf_all_accept_source_route
76240a
 - sysctl_net_ipv4_conf_all_rp_filter
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 7c95e31545..97291230e7 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -370,6 +370,7 @@ selections:
76240a
 - sysctl_kernel_randomize_va_space
76240a
 - sysctl_kernel_unprivileged_bpf_disabled
76240a
 - sysctl_kernel_yama_ptrace_scope
76240a
+- sysctl_net_core_bpf_jit_harden
76240a
 - sysctl_net_ipv4_conf_all_accept_redirects
76240a
 - sysctl_net_ipv4_conf_all_accept_source_route
76240a
 - sysctl_net_ipv4_conf_all_rp_filter