common: OpenSCAP

[JGoutin]

• [x] Run checks
• [x] Add auditd rules
• [x] Fix DNF related rules
• [x] Fix kernel related rules

Install scanner and try to fix resulting findings.

https://www.open-scap.org/

# Install
sudo dnf install openscap-scanner scap-security-guide -y

# List Policies
ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml | grep fedora

# Get policy information (With policy path listed in previous command)
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

# Run check (With profile listed in previous command)
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report /tmp/report_ospp.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml &
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --report /tmp/report_pci-dss.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml &
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report /tmp/report_standard.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml &
wait

To skip slow check --skip-rule xccdf_org.ssgproject.content_rule_rpm_verify_hashes --skip-rule xccdf_org.ssgproject.content_rule_rpm_verify_permissions.

Rules details here: https://www.open-scap.org/security-policies/choosing-policy

---

Rules fixed by optional switches:

• xccdf_org.ssgproject.content_rule_enable_fips_mode: common_os_hardening_fips: true
• xccdf_org.ssgproject.content_rule_configure_crypto_policy: common_os_hardening_fips: true
• xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only: common_dnf_automatic_upgrade_type: security
• xccdf_org.ssgproject.content_rule_grub2_nousb_argument: common_allow_usb: false
• xccdf_org.ssgproject.content_rule_grub2_uefi_password: common_grub_password: PASSWORD
• xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces: common_os_hardening_disable_user_namespaces: true

Rules that cannot be remediated:

• xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported

Ignored rules:

• xccdf_org.ssgproject.content_rule_banner_etc_issue
• xccdf_org.ssgproject.content_rule_set_firewalld_default_zone
• xccdf_org.ssgproject.content_rule_package_libreswan_installed
• xccdf_org.ssgproject.content_rule_package_screen_installed
• xccdf_org.ssgproject.content_rule_security_patches_up_to_date
• xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons

Rules that should "pass" but are detected as "fail", and requires to be investigated:

• xccdf_org.ssgproject.content_rule_grub2_nousb_argument
• xccdf_org.ssgproject.content_rule_grub2_audit_argument
• xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
• xccdf_org.ssgproject.content_rule_grub2_uefi_password
• xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
• xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument

Rules that should "pass" but are detected as "fail" in OpenSCAP:

• xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
• xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope (We use stricter value) https://github.com/ComplianceAsCode/content/issues/11217
• xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict (We use stricter value) https://github.com/ComplianceAsCode/content/issues/11216
• xccdf_org.ssgproject.content_rule_coredump_disable_backtraces (Using coredump.conf.d/) https://github.com/ComplianceAsCode/content/issues/10686
• xccdf_org.ssgproject.content_rule_coredump_disable_storage (Using coredump.conf.d/) https://github.com/ComplianceAsCode/content/issues/10686
• xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth (Override value in /etc/ssh/sshd_config.d/50-redhat.conf, confirmed by sshd -T) https://github.com/ComplianceAsCode/content/issues/11221
• xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf (Default fedora algorithm "Yescrypt" is stronger than request SHA512) https://github.com/ComplianceAsCode/content/issues/11215
• xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs (Default fedora algorithm "Yescrypt" is stronger than request SHA512) https://github.com/ComplianceAsCode/content/issues/11215
• xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth (Default fedora algorithm "Yescrypt" is stronger than request SHA512) https://github.com/ComplianceAsCode/content/issues/11215
• timer_dnf-automatic_enabled/dnf-automatic_apply_updates: Should pass when using dnf-automatic-install.timer https://github.com/ComplianceAsCode/content/issues/5180

scratch.txt