From b4f98a72871d3f8f277e3357eed843b041a248a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 4 Aug 2022 14:20:20 +0200
Subject: [PATCH 7/8] Merge pull request #9286 from
 yuumasato/update_sysctl_rules_with_new_compliant_values

Update a few sysctl rules to accept multiple compliant values

Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
Patch-status: Update few sysctl rules to accept multiple compliant values
---
 .../rule.yml                                  | 35 +++++++++++++++++--
 .../tests/value_1.pass.sh                     | 11 ++++++
 .../tests/value_2.pass.sh                     | 11 ++++++
 ...sctl_net_ipv4_conf_all_rp_filter_value.var |  2 +-
 .../sysctl_kernel_kptr_restrict/rule.yml      | 35 ++++++++++++++++++-
 .../tests/value_1.pass.sh                     | 11 ++++++
 .../tests/value_2.pass.sh                     | 11 ++++++
 .../sysctl_kernel_kptr_restrict_value.var     |  1 -
 ...kernel_unprivileged_bpf_disabled_value.var |  1 -
 9 files changed, 112 insertions(+), 6 deletions(-)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 496a8491f3..4d31c6c3eb 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -47,11 +47,36 @@ references:
     stigid@rhel7: RHEL-07-040611
     stigid@rhel8: RHEL-08-040285
 
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
+ocil: |-
+    The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
+    by running the following command:
+    <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
+    The output of the command should indicate either:
+    <code>net.ipv4.conf.all.rp_filter = 1</code>
+    or:
+    <code>net.ipv4.conf.all.rp_filter = 2</code>
+    The output of the command should not indicate:
+    <code>net.ipv4.conf.all.rp_filter = 0</code>
+
+    The preferable way how to assure the runtime compliance is to have
+    correct persistent configuration, and rebooting the system.
+
+    The persistent sysctl parameter configuration is performed by specifying the appropriate
+    assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+    Verify that there is not any existing incorrect configuration by executing the following command:
+    <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+    The command should not find any assignments other than:
+    net.ipv4.conf.all.rp_filter = 1
+    or:
+    net.ipv4.conf.all.rp_filter = 2
+
+    Conflicting assignments are not allowed.
+
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
 
 fixtext: |-
     Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
-    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
+    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
 
 srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
 
@@ -59,4 +84,10 @@ template:
     name: sysctl
     vars:
         sysctlvar: net.ipv4.conf.all.rp_filter
+        {{% if 'ol' in product or 'rhel' in product %}}
+        sysctlval:
+        - '1'
+        - '2'
+        wrong_sysctlval_for_testing: "0"
+        {{% endif %}}
         datatype: int
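Review bot: The multi-value `sysctlval` list (lines L75-L80) is gated on `'ol' in product or 'rhel' in product`, but the `ocil` and `ocil_clause` rewritten in the preceding hunk (L37-L62) unconditionally tell the auditor that either 1 or 2 is compliant. On any other product the template presumably falls back to the single XCCDF variable value, so the check and the guidance text would disagree there; either wrap the new `ocil`/`ocil_clause` in the same product condition or drop the gate if 1 and 2 are meant to be accepted everywhere. The same mismatch exists in the kptr_restrict rule (gate at L169-L174, unconditional `ocil` at L135-L160).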
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
new file mode 100644
index 0000000000..583b70a3b9
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="1"
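Review bot: The cleanup `sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf` uses unescaped dots and no anchor, so it deletes any line merely containing a matching substring, including commented-out or unrelated entries, rather than the assignment the test wants to replace. Anchoring it to the key assignment, `sed -i '/^\s*net\.ipv4\.conf\.all\.rp_filter\s*=/d' /etc/sysctl.conf`, keeps the fixture precise and matches the grep pattern the rule's own OCIL text uses. The same pattern is repeated at L111, L193 and L210.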
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
new file mode 100644
index 0000000000..ef545976dc
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="2"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
index e3fc78e3f0..1eae854f6b 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
@@ -17,5 +17,5 @@ interactive: false
 
 options:
     default: 1
-    disabled: "0"
     enabled: 1
+    loose: 2
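Review bot: Dropping the `disabled` option (L124) is a breaking change for any profile or tailoring file that selects this variable by that name; nothing in the patch shows those references were audited, so a grep for `sysctl_net_ipv4_conf_all_rp_filter_value=disabled` across profiles is worth confirming before merge. The same applies to the removal of the `0` option in the kptr_restrict variable (L223) and the unprivileged_bpf_disabled variable (L234). If the intent is to make 0 unselectable, a short comment above `options:` saying so would explain the absence to the next reader.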
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 1984b3c869..367934b567 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -34,6 +34,33 @@ references:
 
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
 
+ocil: |-
+    The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
+    by running the following command:
+    <pre>$ sysctl kernel.kptr_restrict</pre>
+    The output of the command should indicate either:
+    <code>kernel.kptr_restrict = 1</code>
+    or:
+    <code>kernel.kptr_restrict = 2</code>
+    The output of the command should not indicate:
+    <code>kernel.kptr_restrict = 0</code>
+
+    The preferable way how to assure the runtime compliance is to have
+    correct persistent configuration, and rebooting the system.
+
+    The persistent kernel parameter configuration is performed by specifying the appropriate
+    assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+    Verify that there is not any existing incorrect configuration by executing the following command:
+    <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+    The command should not find any assignments other than:
+    kernel.kptr_restrict = 1
+    or:
+    kernel.kptr_restrict = 2
+
+    Conflicting assignments are not allowed.
+
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
+
 srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
 
 platform: machine
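Review bot: The context line at L133 keeps `{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}` while the hunk adds explicit `ocil:` (L135) and `ocil_clause:` (L160) keys below it. In the rp_filter rule the same macro call was removed (L36) when the explicit keys were added, which suggests the macro expands to its own `ocil`/`ocil_clause`; if so, the rendered kptr_restrict rule.yml carries duplicate keys, and most YAML loaders silently keep the last one, so the "1" single-value text may or may not win depending on expansion order. Remove the macro line at L133 so the rendered document has one `ocil` and one `ocil_clause`.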
@@ -42,8 +69,14 @@ template:
     name: sysctl
     vars:
         sysctlvar: kernel.kptr_restrict
+        {{% if 'ol' in product or 'rhel' in product %}}
+        sysctlval:
+        - '1'
+        - '2'
+        wrong_sysctlval_for_testing: "0"
+        {{% endif %}}
         datatype: int
 
 fixtext: |-
     Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
-    {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
+    {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
new file mode 100644
index 0000000000..70189666c1
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="1"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
new file mode 100644
index 0000000000..209395fa9a
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
index 452328e3ef..268550de53 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
@@ -12,6 +12,5 @@ interactive: false
 
 options:
     default: 1
-    0: 0
     1: 1
     2: 2
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
index b8bf965a25..cbfd9bafa9 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -13,6 +13,5 @@ interactive: false
 
 options:
     default: 2
-    0: "0"
     1: "1"
     2: "2"
-- 
2.37.1