From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 10 Feb 2020 16:16:17 +0100 Subject: [PATCH 1/4] create new rules, add missing reference to older rule --- .../rule.yml | 26 +++++++++++++++ .../package_openssh-server_installed/rule.yml | 1 + .../rule.yml | 32 +++++++++++++++++++ .../rule.yml | 29 +++++++++++++++++ 5 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml new file mode 100644 index 0000000000..9b3c55f23b --- /dev/null +++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Install OpenSSH client software' + +description: |- + {{{ describe_package_install(package="openssh-clients") }}} + +rationale: 'The openssh-clients package needs to be installed to meet OSPP criteria.' + +severity: medium + +identifiers: + cce@rhel8: 82722-0 + +references: + srg: SRG-OS-000480-GPOS-00227 + ospp: FIA_UAU.5,FTP_ITC_EXT.1 + +{{{ complete_ocil_entry_package(package='openssh-clients') }}} + +template: + name: package_installed + vars: + pkgname: openssh-clients diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml index c18e604a5c..ba013ec509 100644 --- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml 
@@ -28,6 +28,7 @@ references: cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 13,14 + ospp: FIA_UAU.5,FTP_ITC_EXT.1 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml new file mode 100644 index 0000000000..6025f0cd33 --- /dev/null +++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml @@ -0,0 +1,32 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Install policycoreutils-python-utils package' + +description: |- + {{{ describe_package_install(package="policycoreutils-python-utils") }}} + +rationale: |- + Security-enhanced Linux is a feature of the Linux kernel and a number of utilities + with enhanced security functionality designed to add mandatory access controls to Linux. + The Security-enhanced Linux kernel contains new architectural components originally + developed to improve security of the Flask operating system. These architectural components + provide general support for the enforcement of many kinds of mandatory access control + policies, including those based on the concepts of Type Enforcement, Role-based Access + Control, and Multi-level Security. + +severity: medium + +identifiers: + cce@rhel8: 82724-6 + +references: + srg: SRG-OS-000480-GPOS-00227 + +{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}} + +template: + name: package_installed + vars: + pkgname: policycoreutils-python-utils 
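Review bot: The `references:` block of the new policycoreutils-python-utils rule carries only `srg: SRG-OS-000480-GPOS-00227`, although a later patch in this series selects the rule in the RHEL 8 OSPP profile. The two sibling rules added here (openssh-clients and crypto-policies) both carry an `ospp:` entry. Without one, the selection cannot be traced back to the requirement that justifies it. I would add `ospp: <SFR id(s)>` under `references:`, or state in the rationale that no SFR maps to this package.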
diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml new file mode 100644 index 0000000000..c418518e7a --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml @@ -0,0 +1,29 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Install crypto-policies package' + +description: |- + {{{ describe_package_install(package="crypto-policies") }}} + +rationale: |- + The crypto-policies package provides configuration and tools to + apply centralizet cryptographic policies for backends such as SSL/TLS libraries. + + +severity: medium + +identifiers: + cce@rhel8: 82723-8 + +references: + ospp: FCS_COP* + srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 + +{{{ complete_ocil_entry_package(package='crypto-policies') }}} + +template: + name: package_installed + vars: + pkgname: crypto-policies From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 10 Feb 2020 16:18:03 +0100 Subject: [PATCH 2/4] modify ospp profile --- rhel8/profiles/ospp.profile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 4d5a9edd8e..c672066050 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile 
@@ -169,17 +169,17 @@ selections: - package_dnf-plugin-subscription-manager_installed - package_firewalld_installed - package_iptables_installed - - package_libcap-ng-utils_installed - package_openscap-scanner_installed - package_policycoreutils_installed - package_rng-tools_installed - package_sudo_installed - package_usbguard_installed - - package_audispd-plugins_installed - package_scap-security-guide_installed - package_audit_installed - - package_gnutls-utils_installed - - package_nss-tools_installed + - package_crypto-policies_installed + - package_openssh-server_installed + - package_openssh-clients_installed + - package_policycoreutils-python-utils_installed ### Remove Prohibited Packages - package_sendmail_removed @@ -316,7 +316,7 @@ selections: ## Configure the System to Offload Audit Records to a Log ## Server ## AU-4(1) / FAU_GEN.1.1.c - - auditd_audispd_syslog_plugin_activated + # temporarily dropped ## Set Logon Warning Banner ## AC-8(a) / FMT_MOF_EXT.1 From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 10 Feb 2020 16:18:52 +0100 Subject: [PATCH 3/4] add rules to rhel8 stig profile --- rhel8/profiles/stig.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile index 821cc26914..7eb1869a3c 100644 --- a/rhel8/profiles/stig.profile +++ b/rhel8/profiles/stig.profile @@ -33,6 +33,9 @@ selections: - encrypt_partitions - sysctl_net_ipv4_tcp_syncookies - clean_components_post_updating + - package_audispd-plugins_installed + - package_libcap-ng-utils_installed + - auditd_audispd_syslog_plugin_activated # Configure TLS for remote logging - package_rsyslog_installed From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001 
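Review bot: In the second ospp.profile hunk, `# temporarily dropped` appears to replace `auditd_audispd_syslog_plugin_activated` while the `AU-4(1) / FAU_GEN.1.1.c` section header stays, so the profile still reads as covering audit-record offload although no rule under that header checks it. The first hunk also removes `package_audispd-plugins_installed`, so a host that keeps audit records only locally would presumably no longer be flagged by this profile. I would make the gap explicit in the comment, e.g. `# auditd_audispd_syslog_plugin_activated temporarily dropped: <reason / tracking issue>`, so that it is visible to auditors and gets restored. The first hunk also drops `package_gnutls-utils_installed` and `package_nss-tools_installed`, which no later patch in this series re-adds to any profile; it is worth confirming that this is intended.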
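Review bot: The three selections added to stig.profile sit between `clean_components_post_updating` and the `# Configure TLS for remote logging` comment with no heading of their own, although they form one control: audit-record offload through the audispd syslog plugin. Since the series removes the same rules from the OSPP profile, a comment above them would keep that traceable, e.g. `# Offload audit records to syslog (audispd plugin)`. The selections list starts and ends outside this hunk, so the blank-line grouping used elsewhere in the file is not visible here.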
From: Vojtech Polasek Date: Mon, 10 Feb 2020 17:42:43 +0100 Subject: [PATCH 4/4] rephrase some rationales, fix SFR --- .../ssh/package_openssh-clients_installed/rule.yml | 4 +++- .../rule.yml | 9 ++------- .../crypto/package_crypto-policies_installed/rule.yml | 8 ++++---- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml index 9b3c55f23b..f5b29d32e8 100644 --- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml +++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml @@ -7,7 +7,9 @@ title: 'Install OpenSSH client software' description: |- {{{ describe_package_install(package="openssh-clients") }}} -rationale: 'The openssh-clients package needs to be installed to meet OSPP criteria.' +rationale: |- + This package includes utilities to make encrypted connections and transfer + files securely to SSH servers. severity: medium diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml index 6025f0cd33..7ae7461077 100644 --- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml +++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml 
@@ -8,13 +8,8 @@ description: |- {{{ describe_package_install(package="policycoreutils-python-utils") }}} rationale: |- - Security-enhanced Linux is a feature of the Linux kernel and a number of utilities - with enhanced security functionality designed to add mandatory access controls to Linux. - The Security-enhanced Linux kernel contains new architectural components originally - developed to improve security of the Flask operating system. These architectural components - provide general support for the enforcement of many kinds of mandatory access control - policies, including those based on the concepts of Type Enforcement, Role-based Access - Control, and Multi-level Security. + This package is required to operate and manage an SELinux environment and its policies. + It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. severity: medium diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml index c418518e7a..bb07f9d617 100644 --- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml @@ -8,9 +8,9 @@ description: |- {{{ describe_package_install(package="crypto-policies") }}} rationale: |- - The crypto-policies package provides configuration and tools to - apply centralizet cryptographic policies for backends such as SSL/TLS libraries. - + Centralized cryptographic policies simplify applying secure ciphers across an operating system and + the applications that run on that operating system. Use of weak or untested encryption algorithms + undermines the purposes of utilizing encryption to protect data. severity: medium 
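Review bot: The rewritten crypto-policies rationale argues against weak algorithms, but the rule uses the `package_installed` template (added in the first patch of this series), so it only checks that the package is present, not which policy is active. A passing result could therefore be read as evidence that a strong policy is applied when nothing in this rule verifies that. I would add one sentence to the rationale, such as `The crypto-policies package must be installed before a system-wide policy can be configured; this rule does not verify which policy is active.` The rule file starts and ends outside this hunk, and whether the profile also selects a policy-configuring rule is not visible in the series.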
@@ -18,7 +18,7 @@ identifiers: cce@rhel8: 82723-8 references: - ospp: FCS_COP* + ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4) srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 {{{ complete_ocil_entry_package(package='crypto-policies') }}}