From 742e103392746dac771663247d169cfe498ee658 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 21 Jan 2022 14:02:16 +0100

Subject: [PATCH 1/7] modify vsyscall rules according to rhel9 ospp

add references

make rules scored in th e profile

---

 .../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml  | 1 +

 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml    | 3 +++

 products/rhel9/profiles/ospp.profile                          | 4 ----

 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml

index 1dd26fea9b6..9f38a1c13b9 100644

--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml

@@ -25,6 +25,7 @@ identifiers:

 references:

     disa: CCI-001084

     nist: CM-7(a)

+    ospp: FPT_ASLR_EXT.1

     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000134-GPOS-00068

     stigid@ol8: OL08-00-010422

     stigid@rhel8: RHEL-08-010422

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

index 52b192ffc52..9d645c8876e 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

@@ -21,6 +21,9 @@ identifiers:

     cce@rhel8: CCE-83381-4

     cce@rhel9: CCE-84100-7

+references:

+    ospp: FPT_ASLR_EXT.1

+

 ocil_clause: 'vsyscalls are enabled'

 ocil: |-

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile

index 287a28c43c5..f0b850a4ced 100644

--- a/products/rhel9/profiles/ospp.profile

+++ b/products/rhel9/profiles/ospp.profile

@@ -128,8 +128,6 @@ selections:

     - grub2_slub_debug_argument

     - grub2_page_poison_argument

     - grub2_vsyscall_argument

-    - grub2_vsyscall_argument.role=unscored

-    - grub2_vsyscall_argument.severity=info

     - grub2_pti_argument

     - grub2_kernel_trust_cpu_rng

@@ -421,5 +419,3 @@ selections:

     - zipl_slub_debug_argument

     - zipl_page_poison_argument

     - zipl_vsyscall_argument

-    - zipl_vsyscall_argument.role=unscored

-    - zipl_vsyscall_argument.severity=info

From d167658d46accbc75200a5d145a746322f1c2d4a Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 21 Jan 2022 14:05:24 +0100

Subject: [PATCH 2/7] add ospp references to fips rules

---

 .../software/integrity/fips/enable_dracut_fips_module/rule.yml  | 1 +

 .../system/software/integrity/fips/enable_fips_mode/rule.yml    | 2 +-

 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml

index f342b9b8d95..3b7c3229b6f 100644

--- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml

+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml

@@ -29,6 +29,7 @@ references:

     ism: "1446"

     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1

     nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12

+    ospp: FCS_RBG_EXT.1

     srg: SRG-OS-000478-GPOS-00223

     stigid@ol8: OL08-00-010020

     stigid@rhel8: RHEL-08-010020

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml

index 7559e61600d..9d89114b07f 100644

--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml

+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml

@@ -39,7 +39,7 @@ references:

     ism: "1446"

     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1

     nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12

-    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1

+    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1,FCS_RBG_EXT.1

     srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176

     stigid@ol8: OL08-00-010020

     stigid@rhel8: RHEL-08-010020

From f05e895bb96b64a5142e62e3dd0f7208633d5c23 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 21 Jan 2022 14:08:36 +0100

Subject: [PATCH 3/7] drop no longer needed rules from ospp rhel9 profile

---

 products/rhel9/profiles/ospp.profile | 6 ------

 1 file changed, 6 deletions(-)

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile

index f0b850a4ced..7e30054bc98 100644

--- a/products/rhel9/profiles/ospp.profile

+++ b/products/rhel9/profiles/ospp.profile

@@ -125,11 +125,7 @@ selections:

     ## Boot prompt

     - grub2_audit_argument

     - grub2_audit_backlog_limit_argument

-    - grub2_slub_debug_argument

-    - grub2_page_poison_argument

     - grub2_vsyscall_argument

-    - grub2_pti_argument

-    - grub2_kernel_trust_cpu_rng

     ## Security Settings

     - sysctl_kernel_kptr_restrict

@@ -416,6 +412,4 @@ selections:

     - zipl_bootmap_is_up_to_date

     - zipl_audit_argument

     - zipl_audit_backlog_limit_argument

-    - zipl_slub_debug_argument

-    - zipl_page_poison_argument

     - zipl_vsyscall_argument

From 972ae269eff95de8a6914056d38e58b7aeafb8c3 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Fri, 21 Jan 2022 15:12:46 +0100

Subject: [PATCH 4/7] add grub2_init_on_alloc rule

---

 .../grub2_init_on_alloc_argument/rule.yml     | 46 +++++++++++++++++++

 shared/references/cce-redhat-avail.txt        |  1 -

 2 files changed, 46 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

new file mode 100644

index 00000000000..592e2fb117d

--- /dev/null

+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

@@ -0,0 +1,46 @@

+documentation_complete: true

+

+prodtype: rhel9

+

+title: 'Configure kernel to zero out memory before allocation (through Grub2)'

+

+description: |-

+    To configure the kernel to zero out memory before allocating it, add the

+    <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line for

+    the Linux operating system in <tt>/etc/default/grub</tt>, in the manner

+    below:

+    
GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"

+    Update the boot parameter for existing kernels by running the following command:

+    
# grubby --update-kernel=ALL --args="init_on_alloc=1"

+

+rationale: |-

+    When the kernel configuration option <tt>init_on_alloc</tt> is enabled,

+    all page allocator and slab allocator memory will be zeroed when allocated,

+    eliminating many kinds of "uninitialized heap memory" flaws, effectively

+    preventing data leaks.

+

+severity: medium

+

+identifiers:

+    cce@rhel9: CCE-85867-0

+

+ocil_clause: 'the kernel is not configured to zero out memory before allocation'

+

+ocil: |-

+    Make sure that the kernel is configured to zero out memory before

+    allocation. Ensure that the parameter is configured in

+    <tt>/etc/default/grub</tt>:

+    
grep GRUB_CMDLINE_LINUX /etc/default/grub

+    The output should contain <tt>init_on_alloc=1</tt>.

+    Run the following command to display command line parameters of all

+    installed kernels:

+    
# grubby --info=ALL | grep args

+    Ensure that each line contains the <tt>init_on_alloc=1</tt> parameter.

+

+platform: machine

+

+template:

+    name: grub2_bootloader_argument

+    vars:

+        arg_name: init_on_alloc

+        arg_value: '1'

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 8aad24b20f7..6835189cd99 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -1,4 +1,3 @@

-CCE-85867-0

 CCE-85868-8

 CCE-85872-0

 CCE-85873-8

From a865514257c85d79aaf7e4286d8723aa1ad8de03 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 24 Jan 2022 10:01:23 +0100

Subject: [PATCH 5/7] add zipl_init_on_alloc_argument rule

---

 .../zipl_init_on_alloc_argument/rule.yml      | 41 +++++++++++++++++++

 .../tests/correct_option.pass.sh              | 15 +++++++

 .../tests/missing_in_cmdline.fail.sh          | 13 ++++++

 .../tests/missing_in_entry.fail.sh            | 13 ++++++

 shared/references/cce-redhat-avail.txt        |  1 -

 5 files changed, 82 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml

new file mode 100644

index 00000000000..b47a7757327

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml

@@ -0,0 +1,41 @@

+documentation_complete: true

+

+prodtype: rhel9

+

+title: 'Configure kernel to zero out memory before allocation (through zIPl)'

+

+description: |-

+    To ensure that the kernel is configured to zero out memory before

+    allocation, check that all boot entries in

+    <tt>/boot/loader/entries/*.conf</tt> have <tt>init_on_alloc=1</tt>

+    included in its options.

+

+    To ensure that new kernels and boot entries continue to zero out memory

+    before allocation, add <tt>init_on_alloc=1</tt> to <tt>/etc/kernel/cmdline</tt>.

+

+rationale: |-

+    When the kernel configuration option <tt>init_on_alloc</tt> is enabled,

+    all page allocator and slab allocator memory will be zeroed when allocated,

+    eliminating many kinds of "uninitialized heap memory" flaws, effectively

+    preventing data leaks.

+

+severity: medium

+

+identifiers:

+    cce@rhel9: CCE-85868-8

+

+ocil_clause: 'the kernel is not configured to zero out memory before allocation'

+

+ocil: |-

+  To check that the kernel is configured to zero out memory before allocation

+  time, check all boot entries with following command:

+  
sudo grep -L"^options\s+.*\binit_on_alloc=1\b" /boot/loader/entries/*.conf

+  No line should be returned, each line returned is a boot entry that doesn't enable audit.

+

+platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: init_on_alloc

+    arg_value: '1'

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh

new file mode 100644

index 00000000000..50cf1b78f70

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/correct_option.pass.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9

+

+# Make sure boot loader entries contain init_on_alloc=1

+for file in /boot/loader/entries/*.conf

+do

+    if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then

+        sed -i '/^options / s/$/ init_on_alloc=1/' "$file"

+    fi

+done

+

+# Make sure /etc/kernel/cmdline contains init_on_alloc=1

+if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then

+    echo "init_on_alloc=1" >> /etc/kernel/cmdline

+fi

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh

new file mode 100644

index 00000000000..7c0d9154776

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_cmdline.fail.sh

@@ -0,0 +1,13 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9

+

+# Make sure boot loader entries contain init_on_alloc=1

+for file in /boot/loader/entries/*.conf

+do

+    if ! grep -q '^options.*init_on_alloc=1.*$' "$file" ; then

+        sed -i '/^options / s/$/ init_on_alloc=1/' "$file"

+    fi

+done

+

+# Make sure /etc/kernel/cmdline doesn't contain init_on_alloc=1

+sed -Ei 's/(^.*)init_on_alloc=1(.*?)$/\1\2/' /etc/kernel/cmdline || true

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh

new file mode 100644

index 00000000000..9d330c9192d

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/tests/missing_in_entry.fail.sh

@@ -0,0 +1,13 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9

+

+# Remove init_on_alloc=1 from all boot entries

+sed -Ei 's/(^options.*\s)init_on_alloc=1(.*?)$/\1\2/' /boot/loader/entries/*

+# But make sure one boot loader entry contains init_on_alloc=1

+sed -i '/^options / s/$/ init_on_alloc=1/' /boot/loader/entries/*rescue.conf

+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf

+

+# Make sure /etc/kernel/cmdline contains init_on_alloc=1

+if ! grep -qs '^(.*\s)?init_on_alloc=1(\s.*)?$' /etc/kernel/cmdline ; then

+    echo "init_on_alloc=1" >> /etc/kernel/cmdline

+fi

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 6835189cd99..05a641aeaf0 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -1,4 +1,3 @@

-CCE-85868-8

 CCE-85872-0

 CCE-85873-8

 CCE-85874-6

From 9ca5ec04e734941b1c401369b6da6672b42824b1 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 24 Jan 2022 10:07:24 +0100

Subject: [PATCH 6/7] add new rules to rhel9 ospp

---

 products/rhel9/profiles/ospp.profile | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile

index 7e30054bc98..28c7e92d298 100644

--- a/products/rhel9/profiles/ospp.profile

+++ b/products/rhel9/profiles/ospp.profile

@@ -126,6 +126,7 @@ selections:

     - grub2_audit_argument

     - grub2_audit_backlog_limit_argument

     - grub2_vsyscall_argument

+    - grub2_init_on_alloc_argument

     ## Security Settings

     - sysctl_kernel_kptr_restrict

@@ -413,3 +414,4 @@ selections:

     - zipl_audit_argument

     - zipl_audit_backlog_limit_argument

     - zipl_vsyscall_argument

+    - zipl_init_on_alloc_argument

From 42a118bcc615051ae4cd268a5fc758aa5d75108d Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 27 Jan 2022 14:08:20 +0100

Subject: [PATCH 7/7] make rule names consistent

---

 .../bootloader-grub2/grub2_init_on_alloc_argument/rule.yml      | 2 +-

 .../system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

index 592e2fb117d..a9253c74cc6 100644

--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: rhel9

-title: 'Configure kernel to zero out memory before allocation (through Grub2)'

+title: 'Configure kernel to zero out memory before allocation'

 description: |-

     To configure the kernel to zero out memory before allocating it, add the

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml

index b47a7757327..fa272250a28 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: rhel9

-title: 'Configure kernel to zero out memory before allocation (through zIPl)'

+title: 'Configure kernel to zero out memory before allocation in zIPL'

 description: |-

     To ensure that the kernel is configured to zero out memory before