ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.
Apache License 2.0

STIG ERROR - RHEL-07-020101 - Disable DCCP #18

Closed linuxdan closed 4 years ago

linuxdan commented 6 years ago

Description of problem:

STIG says: Check Text: Verify the operating system disables the ability to load the DCCP kernel module. Check to see if the DCCP kernel module is disabled with the following command:

grep -r dccp /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"

install dccp /bin/true

If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix Text: Configure the operating system to disable the ability to use the DCCP kernel module. Create a file under "/etc/modprobe.d" with the following command:

touch /etc/modprobe.d/nodccp

Add the following line to the created file:

install dccp /bin/true

SCAP Security Guide Version:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Release: 4 Benchmark Date: 26 Jan 2018

Problem 1: A file has to end in ".conf" for the system to pick it up under "/etc/modprobe.d"

Problem 2: The kernel itself includes a file /etc/modprobe.d/dccp-blacklist.conf containing

blacklist dccp
blacklist dccp_diag
blacklist dccp_ipv4
blacklist dccp_ipv6

I expect this has the same effect as "install dccp /bin/true"

So then the STIG should "allow" these blacklist lines as well as the other method and change the file name

linuxdan commented 6 years ago

@shawndwells This appears to live near https://github.com/ComplianceAsCode/content/blob/master/shared/references/disa-stig-rhel7-v1r4-xccdf-manual.xml#L4535

Is that correct?

shawndwells commented 6 years ago

That file is where we keep a local copy of the DISA content, should developers need to refer to it.

In terms of project content, the XCCDF is here: https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml

Instead of having an OVAL file for every single kernel module disablement, the build system automatically generates them for us. The OVAL template is here: https://github.com/ComplianceAsCode/content/blob/master/shared/templates/template_OVAL_kernel_module_disabled

The template OVAL only looks for files ending in .conf, so Problem #1 should be satisfied.

Kernel module blacklisting does not prevent an admin from insmod'ing modules or for modules being loaded as a dependency for another kernel module that's not blacklisted. For this reason things should be explicitly disabled

shawndwells commented 6 years ago

Looks like our paths crossed! The DISA stig file in shared/references is just a local copy -- not DISA's upstream file :) Shouldn't be edited directly (only rebased when DISA releases a new version). Went ahead and closed https://github.com/ComplianceAsCode/content/pull/3349 because of this.

However, in terms of PR process, you were spot on and did everything right!

linuxdan commented 6 years ago

OK. I am learning. Where do I propose changes to the actual DISA content? That's the big problem, cuz Tenable does exactly what the STIG says. It's their mantra :)

linuxdan commented 6 years ago

And thanks for the info about blacklist's limitation. I was planning to research that. You saved me a bunch of time.

shawndwells commented 6 years ago

On 9/19/18 8:25 PM, Daniel E. White wrote:

And thanks for the info about blacklist's limitation. I was planning to research that. You saved me a bunch of time.

Docs can be found here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/blacklisting_a_module

Specifically:

The blacklist <module_name> command, however, does not prevent the module from being loaded manually, or from being loaded as a dependency for another kernel module that is not blacklisted. To ensure that a module cannot be loaded on the system at all, modify the specified configuration file in the /etc/modprobe.d/ directory as root with the following line:

install <module_name> /bin/true
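An added shell check (written for this thread, not the ComplianceAsCode OVAL template or any project code) that exercises both points raised above: it reads only files ending in .conf under a modprobe.d directory, ignores commented-out lines, and reports a module that is merely blacklisted separately from one with an "install ... /bin/true" line. The fixture directory and its files are constructed stand-ins for /etc/modprobe.d.

```shell
#!/bin/sh
# Exit status of check_module_disabled:
#   0 = uncommented "install <mod> /bin/true" found in a .conf file
#   1 = only "blacklist <mod>" found (still loadable manually or as a dependency)
#   2 = nothing found (a finding under the STIG check)
check_module_disabled() {
    cmd_mod="$1"
    cmd_dir="$2"
    have_install=0
    have_blacklist=0
    # Only *.conf is read, mirroring modprobe: a file named "nodccp" is ignored.
    for conf in "$cmd_dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Leading whitespace is allowed; a leading '#' makes the line a comment.
        if grep -Eq "^[[:space:]]*install[[:space:]]+${cmd_mod}[[:space:]]+/bin/true([[:space:]]|$)" "$conf"; then
            have_install=1
        fi
        if grep -Eq "^[[:space:]]*blacklist[[:space:]]+${cmd_mod}([[:space:]]|$)" "$conf"; then
            have_blacklist=1
        fi
    done
    if [ "$have_install" -eq 1 ]; then return 0; fi
    if [ "$have_blacklist" -eq 1 ]; then return 1; fi
    return 2
}

# Print a one-line verdict for a module in a directory.
report_module() {
    rc=0
    check_module_disabled "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1: disabled (install ... /bin/true in a .conf file)" ;;
        1) echo "$1: blacklisted only - loadable manually or as a dependency" ;;
        *) echo "$1: no .conf file disables it (finding)" ;;
    esac
}

# Constructed fixture directory standing in for /etc/modprobe.d.
demo_dir=$(mktemp -d)
printf 'install dccp /bin/true\n' > "$demo_dir/nodccp"               # no .conf: ignored
printf 'blacklist dccp\nblacklist dccp_ipv4\n' > "$demo_dir/dccp-blacklist.conf"
printf '# install dccp /bin/true\n' > "$demo_dir/commented.conf"    # commented out
report_module dccp "$demo_dir"       # blacklisted only
printf 'install dccp /bin/true\n' > "$demo_dir/dccp.conf"
report_module dccp "$demo_dir"       # disabled
rm -rf "$demo_dir"
```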