From 278f3b476291d69e45da4dcdfca5a308646224f2 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 19 Jul 2021 09:49:57 -0500
Subject: [PATCH 1/2] Add more checks for bios_enable_execution_restrictions to
ensure we don't miss anything
---
.../oval/shared.xml | 18 ++++++++++++++++++
.../rule.yml | 3 ++-
products/rhel8/profiles/stig.profile | 1 +
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
5 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
new file mode 100644
index 00000000000..622a183f99f
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
@@ -0,0 +1,18 @@
+<def-group>
+ <definition class="compliance" id="bios_enable_execution_restrictions" version="2">
+ {{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}}
+ <criteria>
+ <criterion comment="NX bit is set" test_ref="test_NX_cpu_support" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="CPUs support for NX bit" id="test_NX_cpu_support" version="1">
+ <ind:object object_ref="obj_NX_cpu_support" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_NX_cpu_support" version="1">
+ <ind:filepath>/proc/cpuinfo</ind:filepath>
+ <ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx[\s]+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
index 4ca003520ac..b037e374f5b 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
@@ -14,7 +14,7 @@ rationale: |-
Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.
-severity: unknown
+severity: medium
identifiers:
cce@rhel7: CCE-27099-1
@@ -31,5 +31,6 @@ references:
iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
nist: SC-39,CM-6(a)
nist-csf: PR.IP-1
+ stig@rhel8: RHEL-08-010420
platform: machine
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 5a0a520ee0a..6372d13cfc9 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -260,6 +260,7 @@ selections:
- package_opensc_installed
# RHEL-08-010420
+ - bios_enable_execution_restrictions
# RHEL-08-010421
- grub2_page_poison_argument
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4be3cf93c25..32f1a24a7a4 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -74,6 +74,7 @@ selections:
- auditd_log_format
- auditd_name_format
- banner_etc_issue
+- bios_enable_execution_restrictions
- chronyd_client_only
- chronyd_no_chronyc_network
- chronyd_or_ntpd_set_maxpoll
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 20b8a54861e..d6a27c67dc0 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -85,6 +85,7 @@ selections:
- auditd_log_format
- auditd_name_format
- banner_etc_issue
+- bios_enable_execution_restrictions
- chronyd_client_only
- chronyd_no_chronyc_network
- chronyd_or_ntpd_set_maxpoll
From dac8111b4d89a31cbaa5648f876bd58575a93e86 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 19 Jul 2021 09:51:34 -0500
Subject: [PATCH 2/2] Add oval check for bios_enable_execution_restrictions
---
.../oval/shared.xml | 24 ++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
index 622a183f99f..7cc448f8cce 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
@@ -1,8 +1,10 @@
<def-group>
<definition class="compliance" id="bios_enable_execution_restrictions" version="2">
{{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}}
- <criteria>
+ <criteria operator="AND">
<criterion comment="NX bit is set" test_ref="test_NX_cpu_support" />
+ <criterion comment="No log messages about NX being disabled" test_ref="test_messages_nx_active" />
+ <criterion comment="NX is not disabled in the kernel command line" test_ref="test_noexec_cmd_line" />
</criteria>
</definition>
@@ -10,9 +12,29 @@
<ind:object object_ref="obj_NX_cpu_support" />
</ind:textfilecontent54_test>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_messages_nx_active" version="1" comment="No log messages about NX being disabled">
+ <ind:object object_ref="obj_messages_nx_active" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_noexec_cmd_line" version="1" comment="NX is not disabled in the kernel command line">
+ <ind:object object_ref="obj_noexec_cmd_line" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_NX_cpu_support" version="1">
<ind:filepath>/proc/cpuinfo</ind:filepath>
<ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx[\s]+.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_messages_nx_active" version="1">
+ <ind:filepath>/var/log/messages</ind:filepath>
+ <ind:pattern operation="pattern match">^.+protection: disabled.+</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_noexec_cmd_line" version="1">
+ <ind:filepath>/proc/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">.+noexec[0-9]*=off.+</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
</def-group>