From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 3 Aug 2022 09:57:33 +0200

Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values

This also removes value '0' from the list of possible configurations.

This change aligns the rule better with STIG.

---

 .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml        |  4 ++++

 .../tests/value_1.pass.sh                              | 10 ++++++++++

 .../tests/value_2.pass.sh                              | 10 ++++++++++

 .../sysctl_net_ipv4_conf_all_rp_filter_value.var       |  2 +-

 4 files changed, 25 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh

 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

index 496a8491f32..697f79fa872 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

@@ -59,4 +59,8 @@ template:

     name: sysctl

     vars:

         sysctlvar: net.ipv4.conf.all.rp_filter

+        sysctlval:

+        - '1'

+        - '2'

+        wrong_sysctlval_for_testing: "0"

         datatype: int

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh

new file mode 100644

index 00000000000..516bfaf1369

--- /dev/null

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf

+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w net.ipv4.conf.all.rp_filter="1"

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh

new file mode 100644

index 00000000000..ef1b8da0479

--- /dev/null

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf

+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w net.ipv4.conf.all.rp_filter="2"

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var

index e3fc78e3f05..1eae854f6b0 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var

@@ -17,5 +17,5 @@ interactive: false

 options:

     default: 1

-    disabled: "0"

     enabled: 1

+    loose: 2

From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 3 Aug 2022 10:53:40 +0200

Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values

This also removes value '0' from the list of possible configurations.

This change aligns the rule better with STIG.

---

 .../sysctl_kernel_kptr_restrict/rule.yml               |  4 ++++

 .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh  | 10 ++++++++++

 .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh  | 10 ++++++++++

 .../sysctl_kernel_kptr_restrict_value.var              |  1 -

 4 files changed, 24 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh

 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

index 1984b3c8691..5706eee0a0a 100644

--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

@@ -42,6 +42,10 @@ template:

     name: sysctl

     vars:

         sysctlvar: kernel.kptr_restrict

+        sysctlval:

+        - '1'

+        - '2'

+        wrong_sysctlval_for_testing: "0"

         datatype: int

 fixtext: |-

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh

new file mode 100644

index 00000000000..e6efae48b25

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf

+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w kernel.kptr_restrict="1"

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

new file mode 100644

index 00000000000..be3f2b743ef

--- /dev/null

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+

+# Clean sysctl config directories

+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

+

+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf

+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf

+

+# set correct runtime value to check if the filesystem configuration is evaluated properly

+sysctl -w kernel.kptr_restrict="2"

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var

index 452328e3efd..268550de53d 100644

--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var

@@ -12,6 +12,5 @@ interactive: false

 options:

     default: 1

-    0: 0

     1: 1

     2: 2

From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 3 Aug 2022 11:08:34 +0200

Subject: [PATCH 3/5] Remove variable selector that will result in error

The rule only accepts values 1 or 2 as compliant, the XCCDF Variable

cannot have the value 0, it will never result in pass.

---

 .../sysctl_kernel_unprivileged_bpf_disabled_value.var            | 1 -

 1 file changed, 1 deletion(-)

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

index b8bf965a255..cbfd9bafa91 100644

--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var

@@ -13,6 +13,5 @@ interactive: false

 options:

     default: 2

-    0: "0"

     1: "1"

     2: "2"

From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 3 Aug 2022 11:33:03 +0200

Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol

For now, the only STIGs I see that adopted this change were RHEL's and

OL's.

---

 .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml                 | 2 ++

 .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh    | 1 +

 .../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh    | 1 +

 .../sysctl_kernel_kptr_restrict/rule.yml                        | 2 ++

 .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh           | 1 +

 .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh           | 1 +

 6 files changed, 8 insertions(+)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

index 697f79fa872..f04ae37c13d 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

@@ -59,8 +59,10 @@ template:

     name: sysctl

     vars:

         sysctlvar: net.ipv4.conf.all.rp_filter

+        {{% if 'ol' in product or 'rhel' in product %}}

         sysctlval:

         - '1'

         - '2'

         wrong_sysctlval_for_testing: "0"

+        {{% endif %}}

         datatype: int

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh

index 516bfaf1369..583b70a3b97 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh

@@ -1,4 +1,5 @@

 #!/bin/bash

+# platform = multi_platform_ol,multi_platform_rhel

 # Clean sysctl config directories

 rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh

index ef1b8da0479..ef545976dc6 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh

@@ -1,4 +1,5 @@

 #!/bin/bash

+# platform = multi_platform_ol,multi_platform_rhel

 # Clean sysctl config directories

 rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

index 5706eee0a0a..f53e035effa 100644

--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

@@ -42,10 +42,12 @@ template:

     name: sysctl

     vars:

         sysctlvar: kernel.kptr_restrict

+        {{% if 'ol' in product or 'rhel' in product %}}

         sysctlval:

         - '1'

         - '2'

         wrong_sysctlval_for_testing: "0"

+        {{% endif %}}

         datatype: int

 fixtext: |-

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh

index e6efae48b25..70189666c16 100644

--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh

@@ -1,4 +1,5 @@

 #!/bin/bash

+# platform = multi_platform_ol,multi_platform_rhel

 # Clean sysctl config directories

 rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

index be3f2b743ef..209395fa9a1 100644

--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

@@ -1,4 +1,5 @@

 #!/bin/bash

+# platform = multi_platform_ol,multi_platform_rhel

 # Clean sysctl config directories

 rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 3 Aug 2022 14:01:40 +0200

Subject: [PATCH 5/5] Update OCIL check along with the rule

The OCIL should should mention both compliant values.

---

 .../rule.yml                                  | 29 +++++++++++++++++--

 .../sysctl_kernel_kptr_restrict/rule.yml      | 29 ++++++++++++++++++-

 2 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

index f04ae37c13d..4d31c6c3ebd 100644

--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml

@@ -47,11 +47,36 @@ references:

     stigid@rhel7: RHEL-07-040611

     stigid@rhel8: RHEL-08-040285

-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}

+ocil: |-

+    The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried

+    by running the following command:

+    
$ sysctl net.ipv4.conf.all.rp_filter

+    The output of the command should indicate either:

+    net.ipv4.conf.all.rp_filter = 1

+    or:

+    net.ipv4.conf.all.rp_filter = 2

+    The output of the command should not indicate:

+    net.ipv4.conf.all.rp_filter = 0

+

+    The preferable way how to assure the runtime compliance is to have

+    correct persistent configuration, and rebooting the system.

+

+    The persistent sysctl parameter configuration is performed by specifying the appropriate

+    assignment in any file located in the 
/etc/sysctl.d
 directory.

+    Verify that there is not any existing incorrect configuration by executing the following command:

+    
$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d

+    The command should not find any assignments other than:

+    net.ipv4.conf.all.rp_filter = 1

+    or:

+    net.ipv4.conf.all.rp_filter = 2

+

+    Conflicting assignments are not allowed.

+

+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"

 fixtext: |-

     Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.

-    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}

+    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}

 srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

index f53e035effa..367934b5672 100644

--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

@@ -34,6 +34,33 @@ references:

 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}

+ocil: |-

+    The runtime status of the kernel.kptr_restrict kernel parameter can be queried

+    by running the following command:

+    
$ sysctl kernel.kptr_restrict

+    The output of the command should indicate either:

+    kernel.kptr_restrict = 1

+    or:

+    kernel.kptr_restrict = 2

+    The output of the command should not indicate:

+    kernel.kptr_restrict = 0

+

+    The preferable way how to assure the runtime compliance is to have

+    correct persistent configuration, and rebooting the system.

+

+    The persistent kernel parameter configuration is performed by specifying the appropriate

+    assignment in any file located in the 
/etc/sysctl.d
 directory.

+    Verify that there is not any existing incorrect configuration by executing the following command:

+    
$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d

+    The command should not find any assignments other than:

+    kernel.kptr_restrict = 1

+    or:

+    kernel.kptr_restrict = 2

+

+    Conflicting assignments are not allowed.

+

+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"

+

 srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'

 platform: machine

@@ -52,4 +79,4 @@ template:

 fixtext: |-

     Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.

-    {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}

+    {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}