ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL7 and RHEL8 CUI rules - missing references #6843

Open mildas opened 3 years ago

mildas commented 3 years ago

Description of problem:

A lot of rules from the rhel7 and rhel8 cui profiles miss a reference.

List of rhel7 rules:

*** rules of 'cui' profile missing CUI Refs: 66 of 104 have them [36% missing]
   accounts_max_concurrent_login_sessions
   accounts_password_pam_dcredit
   accounts_password_pam_difok
   accounts_password_pam_lcredit
   accounts_password_pam_maxclassrepeat
   accounts_password_pam_maxrepeat
   accounts_password_pam_minlen
   accounts_password_pam_ocredit
   accounts_password_pam_ucredit
   accounts_passwords_pam_faillock_interval
   accounts_umask_etc_bashrc
   accounts_umask_etc_csh_cshrc
   accounts_umask_etc_profile
   audit_rules_for_ospp
   disable_users_coredumps
   grub2_audit_backlog_limit_argument
   grub2_page_poison_argument
   grub2_slub_debug_argument
   grub2_vsyscall_argument
   mount_option_dev_shm_nodev
   mount_option_dev_shm_noexec
   mount_option_dev_shm_nosuid
   mount_option_home_nodev
   mount_option_home_nosuid
   mount_option_tmp_nodev
   mount_option_tmp_noexec
   mount_option_tmp_nosuid
   mount_option_var_tmp_nodev
   mount_option_var_tmp_noexec
   mount_option_var_tmp_nosuid
   package_abrt_removed
   service_kdump_disabled
   service_rpcbind_disabled
   sysctl_fs_protected_hardlinks
   sysctl_fs_protected_symlinks
   sysctl_kernel_kexec_load_disabled
   sysctl_kernel_kptr_restrict
   sysctl_kernel_yama_ptrace_scope

List of rhel8 rules:

*** rules of 'cui' profile missing CUI Refs: 58 of 215 have them [73% missing]
   accounts_max_concurrent_login_sessions
   accounts_password_pam_dcredit
   accounts_password_pam_difok
   accounts_password_pam_lcredit
   accounts_password_pam_maxclassrepeat
   accounts_password_pam_maxrepeat
   accounts_password_pam_minlen
   accounts_password_pam_ocredit
   accounts_password_pam_ucredit
   accounts_passwords_pam_faillock_interval
   accounts_umask_etc_bashrc
   accounts_umask_etc_csh_cshrc
   accounts_umask_etc_profile
   audit_access_failed
   audit_access_success
   audit_basic_configuration
   audit_create_failed
   audit_create_success
   audit_delete_failed
   audit_delete_success
   audit_immutable_login_uids
   audit_modify_failed
   audit_modify_success
   audit_module_load
   audit_ospp_general
   audit_owner_change_failed
   audit_owner_change_success
   audit_perm_change_failed
   audit_perm_change_success
   auditd_freq
   auditd_local_events
   auditd_log_format
   auditd_name_format
   auditd_write_logs
   chronyd_client_only
   chronyd_no_chronyc_network
   configure_bashrc_exec_tmux
   configure_bind_crypto_policy
   configure_crypto_policy
   configure_kerberos_crypto_policy
   configure_libreswan_crypto_policy
   configure_openssl_crypto_policy
   configure_ssh_crypto_policy
   configure_tmux_lock_after_time
   configure_tmux_lock_command
   configure_usbguard_auditbackend
   coredump_disable_backtraces
   coredump_disable_storage
   disable_users_coredumps
   dnf-automatic_apply_updates
   dnf-automatic_security_updates_only
   enable_dracut_fips_module
   enable_fips_mode
   grub2_audit_backlog_limit_argument
   grub2_kernel_trust_cpu_rng
   grub2_page_poison_argument
   grub2_pti_argument
   grub2_slub_debug_argument
   grub2_vsyscall_argument
   kerberos_disable_no_keytab
   kernel_module_atm_disabled
   kernel_module_can_disabled
   kernel_module_firewire-core_disabled
   kernel_module_tipc_disabled
   mount_option_boot_nodev
   mount_option_boot_nosuid
   mount_option_dev_shm_nodev
   mount_option_dev_shm_noexec
   mount_option_dev_shm_nosuid
   mount_option_home_nodev
   mount_option_home_nosuid
   mount_option_nodev_nonroot_local_partitions
   mount_option_tmp_nodev
   mount_option_tmp_noexec
   mount_option_tmp_nosuid
   mount_option_var_log_audit_nodev
   mount_option_var_log_audit_noexec
   mount_option_var_log_audit_nosuid
   mount_option_var_log_nodev
   mount_option_var_log_noexec
   mount_option_var_log_nosuid
   mount_option_var_nodev
   mount_option_var_tmp_nodev
   mount_option_var_tmp_noexec
   mount_option_var_tmp_nosuid
   no_tmux_in_shells
   openssl_use_strong_entropy
   package_abrt-addon-ccpp_removed
   package_abrt-addon-kerneloops_removed
   package_abrt-addon-python_removed
   package_abrt-cli_removed
   package_abrt-plugin-logger_removed
   package_abrt-plugin-rhtsupport_removed
   package_abrt-plugin-sosreport_removed
   package_abrt_removed
   package_aide_installed
   package_audispd-plugins_installed
   package_audit_installed
   package_chrony_installed
   package_crypto-policies_installed
   package_dnf-automatic_installed
   package_dnf-plugin-subscription-manager_installed
   package_fapolicyd_installed
   package_firewalld_installed
   package_gnutls-utils_installed
   package_gssproxy_removed
   package_iprutils_removed
   package_krb5-workstation_removed
   package_nfs-utils_removed
   package_openscap-scanner_installed
   package_openssh-clients_installed
   package_openssh-server_installed
   package_policycoreutils-python-utils_installed
   package_policycoreutils_installed
   package_rsyslog-gnutls_installed
   package_rsyslog_installed
   package_scap-security-guide_installed
   package_sendmail_removed
   package_subscription-manager_installed
   package_sudo_installed
   package_usbguard_installed
   partition_for_home
   partition_for_var
   partition_for_var_log
   partition_for_var_log_audit
   partition_for_var_tmp
   rsyslog_remote_tls
   rsyslog_remote_tls_cacert
   service_fapolicyd_enabled
   service_kdump_disabled
   service_systemd-coredump_disabled
   service_usbguard_enabled
   ssh_client_rekey_limit
   ssh_client_use_strong_rng_csh
   ssh_client_use_strong_rng_sh
   sshd_rekey_limit
   sshd_use_strong_rng
   sysctl_fs_protected_hardlinks
   sysctl_fs_protected_symlinks
   sysctl_kernel_core_pattern
   sysctl_kernel_kexec_load_disabled
   sysctl_kernel_kptr_restrict
   sysctl_kernel_perf_event_paranoid
   sysctl_kernel_unprivileged_bpf_disabled
   sysctl_kernel_yama_ptrace_scope
   sysctl_net_core_bpf_jit_harden
   sysctl_user_max_user_namespaces
   timer_dnf-automatic_enabled
   usbguard_allow_hid_and_hub
   use_pam_wheel_for_su
   zipl_audit_argument
   zipl_audit_backlog_limit_argument
   zipl_bls_entries_only
   zipl_bootmap_is_up_to_date
   zipl_page_poison_argument
   zipl_slub_debug_argument
   zipl_vsyscall_argument

SCAP Security Guide Version:

master

Steps to Reproduce:

RHEL7 $ python3 build-scripts/profile_tool.py stats --benchmark build/ssg-rhel7-xccdf.xml --profile cui --missing-cui-refs --skip-stats
RHEL8 $ python3 build-scripts/profile_tool.py stats --benchmark build/ssg-rhel8-xccdf.xml --profile cui --missing-cui-refs --skip-stats

Actual Results:

Rules miss references.

Expected Results:

No rule misses a reference.

Additional Information/Debugging Steps:

When we have CUI rules with references, we can add the profile references check to gating and check whether a newly added rule in the CUI profile has a reference.

Ping me, if you want me to update the list of rules. I'm checking references against master branch.
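The gating check described in the issue body, as an added example that is not part of the issue and not the project's own `build-scripts/profile_tool.py`: a small Python script that parses an XCCDF 1.2 benchmark, collects the rules a profile selects, and reports the selected rules that carry no `<reference>` with the expected href. The benchmark below is constructed inline for the example, the href `https://example.invalid/nist-sp-800-171` is a placeholder for whatever href the project attaches to CUI references (the page does not give it), the `xccdf_org.ssgproject.content_rule_` / `..._profile_` id prefixes assume the ssg naming scheme of the built XCCDF, and `passes_gate`, `report` and `rules_missing_reference` are names chosen here, not functions of profile_tool.py.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"

# Assumption: the page does not give the href the project uses for CUI
# references, so this placeholder stands in for it.
CUI_REF_HREF = "https://example.invalid/nist-sp-800-171"

# Constructed sample benchmark (not a real ssg-rhel*-xccdf.xml): three rules
# selected in 'cui', one carrying the CUI href, one a different href, one no
# reference at all; a fourth rule is deselected and must be ignored.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <Profile id="xccdf_org.ssgproject.content_profile_cui">
    <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_sshd_rekey_limit" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="false"/>
  </Profile>
  <Group id="xccdf_org.ssgproject.content_group_sample">
    <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium">
      <reference href="https://example.invalid/nist-sp-800-171">3.5.7</reference>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_sshd_rekey_limit" severity="medium">
      <reference href="https://example.invalid/some-other-standard">X-1</reference>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium"/>
    <Rule id="xccdf_org.ssgproject.content_rule_disable_users_coredumps" severity="medium"/>
  </Group>
</Benchmark>
"""


def short_rule_name(rule_id):
    """Strip the ssg rule-id prefix so output matches the names quoted in the issue."""
    return rule_id[len(RULE_PREFIX):] if rule_id.startswith(RULE_PREFIX) else rule_id


def selected_rule_ids(root, profile_name):
    """Ids of the rules the profile selects. Only <select selected="true"> entries
    are honoured; profile 'extends' and group-level selection are ignored here."""
    profile = root.find(f"x:Profile[@id='{PROFILE_PREFIX}{profile_name}']", XCCDF_NS)
    if profile is None:
        raise ValueError(f"profile '{profile_name}' not found in benchmark")
    return {sel.get("idref") for sel in profile.findall("x:select", XCCDF_NS)
            if sel.get("selected") == "true"}


def rules_missing_reference(xml_text, profile_name, ref_href):
    """Return (sorted short names of selected rules that have no <reference>
    with href == ref_href, number of selected rules present in the benchmark)."""
    root = ET.fromstring(xml_text)
    selected = selected_rule_ids(root, profile_name)
    missing, total = [], 0
    for rule in root.iter(f"{{{XCCDF_NS['x']}}}Rule"):
        rule_id = rule.get("id")
        if rule_id not in selected:
            continue
        total += 1
        hrefs = {ref.get("href") for ref in rule.findall("x:reference", XCCDF_NS)}
        if ref_href not in hrefs:
            missing.append(short_rule_name(rule_id))
    return sorted(missing), total


def report(xml_text, profile_name, ref_href):
    """Summary in the style of the profile_tool output quoted in the issue."""
    missing, total = rules_missing_reference(xml_text, profile_name, ref_href)
    have = total - len(missing)
    pct = round(100 * len(missing) / total) if total else 0
    lines = [f"*** rules of '{profile_name}' profile missing refs: "
             f"{have} of {total} have them [{pct}% missing]"]
    lines += [f"   {name}" for name in missing]
    return "\n".join(lines)


def passes_gate(xml_text, profile_name, ref_href):
    """Gating predicate: True only when every selected rule carries the reference."""
    missing, _ = rules_missing_reference(xml_text, profile_name, ref_href)
    return not missing


if __name__ == "__main__":
    # Usage: python3 check_profile_refs.py build/ssg-rhel8-xccdf.xml cui
    # Without arguments the constructed sample benchmark is checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        profile = sys.argv[2]
    else:
        text, profile = SAMPLE_BENCHMARK, "cui"
    print(report(text, profile, CUI_REF_HREF))
    sys.exit(0 if passes_gate(text, profile, CUI_REF_HREF) else 1)
```

The non-zero exit status from `passes_gate` is what a CI job would key on; on the sample it fails because `sshd_rekey_limit` has a reference to some other standard, which is exactly the case a naive "has any reference" check would wrongly let through.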

mildas commented 3 years ago

@carlosmmatos similar to #6842, can you check it?

marcusburghardt commented 1 year ago

@comps I see you are the SME for the cui profile. Could you take a look at this, please?

comps commented 1 year ago

@marcusburghardt Sorry, I barely know about the existence of cui, are you sure you haven't confused me with somebody else?

marcusburghardt commented 1 year ago

@marcusburghardt Sorry, I barely know about the existence of cui, are you sure you haven't confused me with somebody else?

I found your GH handle here: https://github.com/ComplianceAsCode/content/blob/master/products/rhel7/profiles/cui.profile#L6

Can you help with this @ggbecker ?

comps commented 1 year ago

I found your GH handle here: https://github.com/ComplianceAsCode/content/blob/master/products/rhel7/profiles/cui.profile#L6

Ah, somebody probably wanted to extend the ospp profile and copy/pasted me and Steve to SMEs, despite the profile not being related to OSPP (as far as I know). RHEL-8 and 9 have @ggbecker .

ggbecker commented 1 year ago

The SME can probably be changed, no problem. But as I stated in https://github.com/ComplianceAsCode/content/issues/6842#issuecomment-1687980458, these references are usually a nice-to-have and spending time fixing them is not a critical thing IMO. And due to the amount of rules without references, it can take quite a lot of time to go through every one of them, so we would need to plan this in advance.