ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Rules configuring tmux are misaligned with DISA #9533

Open jan-cerny opened 2 years ago

jan-cerny commented 2 years ago

Description of problem:

For the RHEL 9 STIG, DISA wants to remove file mode and file permissions related text from rules related to TMUX, e.g. configure_tmux_lock_command, configure_tmux_lock_after_time, configure_bashrc_exec_tmux. However, the permissions checks are an integral part of the rules; the configuration would not work without them. So the attempt to align the rules with the STIG will cause an internal misalignment within the rule.

The content related to permissions has been added to the rules because of https://bugzilla.redhat.com/show_bug.cgi?id=2064696. Also keep in mind to not introduce a regression from the BZ when fixing this issue.

GitHub conversation: https://github.com/ComplianceAsCode/content/pull/9527/files#r970678041

SCAP Security Guide Version:

current upstream master as of 2022-09-15 as of 480dd9bbfeb2267c1fde582e6c0d2bd2b7d54122

Operating System Version:

RHEL 9

Steps to Reproduce:

  1. Open rule.yml of the aforementioned rules and read the prose there (fixtext, OCIL)

Actual Results:

The content is misaligned with DISA, but at the same time the rules are functional.

Expected Results:

The content is aligned with DISA, but at the same time the rules are kept functional.

Additional Information/Debugging Steps:

The file mode related text will not be removed by https://github.com/ComplianceAsCode/content/pull/9527.

ggbecker commented 2 years ago

Report back to DISA about the permissions of /etc/tmux.conf file

jan-cerny commented 2 years ago

Yes, that seems to be a good step forward.

marcusburghardt commented 1 year ago

Was it already reported to DISA?

yuumasato commented 1 year ago

Is this about suggesting DISA to add in their verbiage that /etc/tmux.conf should be created with 0644 permissions?

jan-cerny commented 1 year ago

Yes, it is. But also /etc/profile.d/tmux.sh should be created with 0644 permissions (see linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml). The point of the issue is that we have some permissions checks in our rules and remediations but DISA in STIG doesn't have them. These permission changes are needed to make tmux actually work as expected; without them you would get a permission denied error as described in https://bugzilla.redhat.com/show_bug.cgi?id=2064696.
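The thread above boils down to one check that the STIG text omits but the rules depend on: /etc/tmux.conf and /etc/profile.d/tmux.sh must be world-readable (0644) or unprivileged users hit "permission denied" when tmux starts. The script below is an added example written for this page, not ComplianceAsCode's own OVAL check or remediation; it assumes GNU coreutils `stat -c '%a'` (Linux) and uses the two file paths named in the comments. It audits a file's mode against an expected octal value and reports, without changing anything, so it can be run on a system to confirm whether the rule's permission requirement is actually met.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode content): audit the mode of the tmux
# configuration files that the rules discussed in this issue create.
# Assumes GNU stat; paths below are the ones named in the issue thread.

# check_tmux_file_mode <path> [expected_octal]
# Returns 0 if the file exists with exactly the expected mode (default 644),
# 1 if the mode differs, 2 if the file is missing, 3 if stat fails.
check_tmux_file_mode() {
    path=$1
    expected=${2:-644}
    if [ ! -f "$path" ]; then
        echo "MISSING  $path (rule expects it to exist with mode $expected)"
        return 2
    fi
    actual=$(stat -c '%a' "$path" 2>/dev/null) || return 3
    # stat prints a 4-digit value when a special bit is set; keep the last 3
    # digits so 0644 and 644 compare equal.
    actual=$(printf '%s' "$actual" | sed 's/^.*\(...\)$/\1/')
    if [ "$actual" = "$expected" ]; then
        echo "PASS     $path mode $actual"
        return 0
    fi
    # Explain the practical consequence: a file other users cannot read
    # reproduces the "permission denied" failure from the bugzilla above.
    other=$(printf '%s' "$actual" | sed 's/^..//')
    case $other in
        4|5|6|7) reason="readable by others, but mode is not $expected" ;;
        *)       reason="not world-readable; unprivileged users cannot read it" ;;
    esac
    echo "FAIL     $path mode $actual ($reason)"
    return 1
}

# audit_tmux_config_files: run the check over the files from the thread.
# Returns the number of files that are missing or have the wrong mode.
audit_tmux_config_files() {
    failures=0
    for f in /etc/tmux.conf /etc/profile.d/tmux.sh; do
        check_tmux_file_mode "$f" 644 || failures=$((failures + 1))
    done
    return "$failures"
}

# Run the audit when executed directly (not when sourced for testing).
if [ "${TMUX_MODE_AUDIT_SOURCED:-0}" = 0 ] && [ "$(basename "$0")" != "sh" ] \
   && [ "$(basename "$0")" != "bash" ]; then
    audit_tmux_config_files
fi
```

Exit status of audit_tmux_config_files is the count of non-compliant files, so it drops straight into a cron job or CI step; the per-file lines say which side of the disagreement (missing file, wrong mode, not world-readable) a host is on.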