RHEL7 and RHEL8 OSPP rules - missing references
Description of problem:
A lot of rules from the rhel7 and rhel8 ospp profiles are missing a reference.
List of rhel7 ospp rules:
*** rules of 'ospp' profile missing OSPP Refs: 29 of 104 have them [72% missing]
accounts_max_concurrent_login_sessions
accounts_password_pam_difok
accounts_password_pam_maxclassrepeat
accounts_password_pam_maxrepeat
accounts_password_pam_unix_remember
accounts_umask_etc_bashrc
accounts_umask_etc_csh_cshrc
accounts_umask_etc_profile
auditd_data_retention_flush
disable_ctrlaltdel_burstaction
disable_ctrlaltdel_reboot
disable_users_coredumps
grub2_audit_argument
grub2_audit_backlog_limit_argument
grub2_enable_fips_mode
grub2_page_poison_argument
grub2_slub_debug_argument
grub2_vsyscall_argument
kernel_module_bluetooth_disabled
kernel_module_cramfs_disabled
kernel_module_dccp_disabled
kernel_module_sctp_disabled
kernel_module_usb-storage_disabled
mount_option_dev_shm_nodev
mount_option_dev_shm_noexec
mount_option_dev_shm_nosuid
mount_option_home_nodev
mount_option_home_nosuid
mount_option_tmp_nodev
mount_option_tmp_noexec
mount_option_tmp_nosuid
mount_option_var_tmp_nodev
mount_option_var_tmp_noexec
mount_option_var_tmp_nosuid
package_abrt_removed
package_dracut-fips_installed
securetty_root_login_console_only
selinux_policytype
selinux_state
service_auditd_enabled
service_autofs_disabled
service_rpcbind_disabled
sshd_enable_strictmodes
sshd_set_idle_timeout
sshd_set_keepalive_0
sshd_use_approved_ciphers
sshd_use_approved_macs
sysctl_fs_protected_hardlinks
sysctl_fs_protected_symlinks
sysctl_kernel_dmesg_restrict
sysctl_kernel_kexec_load_disabled
sysctl_kernel_kptr_restrict
sysctl_kernel_yama_ptrace_scope
sysctl_net_ipv4_conf_all_accept_redirects
sysctl_net_ipv4_conf_all_accept_source_route
sysctl_net_ipv4_conf_all_log_martians
sysctl_net_ipv4_conf_all_rp_filter
sysctl_net_ipv4_conf_all_secure_redirects
sysctl_net_ipv4_conf_all_send_redirects
sysctl_net_ipv4_conf_default_accept_redirects
sysctl_net_ipv4_conf_default_accept_source_route
sysctl_net_ipv4_conf_default_log_martians
sysctl_net_ipv4_conf_default_rp_filter
sysctl_net_ipv4_conf_default_secure_redirects
sysctl_net_ipv4_conf_default_send_redirects
sysctl_net_ipv4_icmp_echo_ignore_broadcasts
sysctl_net_ipv4_icmp_ignore_bogus_error_responses
sysctl_net_ipv4_ip_forward
sysctl_net_ipv4_tcp_syncookies
sysctl_net_ipv6_conf_all_accept_ra
sysctl_net_ipv6_conf_all_accept_redirects
sysctl_net_ipv6_conf_all_accept_source_route
sysctl_net_ipv6_conf_default_accept_ra
sysctl_net_ipv6_conf_default_accept_redirects
sysctl_net_ipv6_conf_default_accept_source_route
List of rhel8 rules that are missing a reference:
*** rules of 'ospp' profile missing OSPP Refs: 95 of 215 have them [55% missing]
accounts_max_concurrent_login_sessions
accounts_password_pam_difok
accounts_password_pam_maxclassrepeat
accounts_password_pam_maxrepeat
accounts_password_pam_unix_remember
accounts_umask_etc_bashrc
accounts_umask_etc_csh_cshrc
accounts_umask_etc_profile
auditd_data_retention_flush
configure_bind_crypto_policy
configure_kerberos_crypto_policy
configure_openssl_crypto_policy
configure_ssh_crypto_policy
configure_tmux_lock_command
disable_ctrlaltdel_burstaction
disable_ctrlaltdel_reboot
disable_users_coredumps
enable_dracut_fips_module
grub2_audit_argument
grub2_audit_backlog_limit_argument
grub2_page_poison_argument
grub2_pti_argument
grub2_slub_debug_argument
grub2_vsyscall_argument
kernel_module_bluetooth_disabled
kernel_module_cramfs_disabled
kernel_module_sctp_disabled
mount_option_boot_nodev
mount_option_boot_nosuid
mount_option_dev_shm_nodev
mount_option_dev_shm_noexec
mount_option_dev_shm_nosuid
mount_option_home_nodev
mount_option_home_nosuid
mount_option_nodev_nonroot_local_partitions
mount_option_tmp_nodev
mount_option_tmp_noexec
mount_option_tmp_nosuid
mount_option_var_log_audit_nodev
mount_option_var_log_audit_noexec
mount_option_var_log_audit_nosuid
mount_option_var_log_nodev
mount_option_var_log_noexec
mount_option_var_log_nosuid
mount_option_var_nodev
mount_option_var_tmp_nodev
mount_option_var_tmp_noexec
mount_option_var_tmp_nosuid
package_abrt-addon-ccpp_removed
package_abrt-addon-kerneloops_removed
package_abrt-addon-python_removed
package_abrt-cli_removed
package_abrt-plugin-logger_removed
package_abrt-plugin-rhtsupport_removed
package_abrt-plugin-sosreport_removed
package_abrt_removed
package_aide_installed
package_audit_installed
package_dnf-automatic_installed
package_fapolicyd_installed
package_firewalld_installed
package_gssproxy_removed
package_iprutils_removed
package_krb5-workstation_removed
package_nfs-utils_removed
package_openscap-scanner_installed
package_policycoreutils-python-utils_installed
package_policycoreutils_installed
package_rsyslog_installed
package_scap-security-guide_installed
package_sendmail_removed
package_sudo_installed
package_usbguard_installed
partition_for_home
partition_for_var
partition_for_var_log
partition_for_var_log_audit
partition_for_var_tmp
securetty_root_login_console_only
selinux_policytype
selinux_state
service_auditd_enabled
sshd_enable_strictmodes
sshd_set_idle_timeout
sshd_set_keepalive_0
sysctl_fs_protected_hardlinks
sysctl_fs_protected_symlinks
sysctl_kernel_dmesg_restrict
sysctl_kernel_kexec_load_disabled
sysctl_kernel_kptr_restrict
sysctl_kernel_yama_ptrace_scope
sysctl_net_ipv4_conf_all_accept_redirects
sysctl_net_ipv4_conf_all_accept_source_route
sysctl_net_ipv4_conf_all_log_martians
sysctl_net_ipv4_conf_all_rp_filter
sysctl_net_ipv4_conf_all_secure_redirects
sysctl_net_ipv4_conf_all_send_redirects
sysctl_net_ipv4_conf_default_accept_redirects
sysctl_net_ipv4_conf_default_accept_source_route
sysctl_net_ipv4_conf_default_log_martians
sysctl_net_ipv4_conf_default_rp_filter
sysctl_net_ipv4_conf_default_secure_redirects
sysctl_net_ipv4_conf_default_send_redirects
sysctl_net_ipv4_icmp_echo_ignore_broadcasts
sysctl_net_ipv4_icmp_ignore_bogus_error_responses
sysctl_net_ipv4_ip_forward
sysctl_net_ipv4_tcp_syncookies
sysctl_net_ipv6_conf_all_accept_ra
sysctl_net_ipv6_conf_all_accept_redirects
sysctl_net_ipv6_conf_all_accept_source_route
sysctl_net_ipv6_conf_default_accept_ra
sysctl_net_ipv6_conf_default_accept_redirects
sysctl_net_ipv6_conf_default_accept_source_route
zipl_audit_argument
zipl_audit_backlog_limit_argument
zipl_bls_entries_only
zipl_bootmap_is_up_to_date
zipl_page_poison_argument
zipl_slub_debug_argument
zipl_vsyscall_argument
SCAP Security Guide Version:
master
Steps to Reproduce:
RHEL7 $ python3 build-scripts/profile_tool.py stats --benchmark build/ssg-rhel7-xccdf.xml --profile ospp --missing-ospp-refs --skip-stats
RHEL8 $ python3 build-scripts/profile_tool.py stats --benchmark build/ssg-rhel8-xccdf.xml --profile ospp --missing-ospp-refs --skip-stats
Actual Results:
Rules are missing references.
Expected Results:
No rule is missing a reference.
Additional Information/Debugging Steps:
Once the OSPP rules have references, we can add the profile references check to gating and check whether a rule newly added to the OSPP profile has a reference. For now, we don't want the OSPP references test because it would block all PRs due to the missing references.
Ping me if you want me to update the list of rules. I'm checking references against the master branch.
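The gating check discussed above, sketched as an added example (not part of the original issue and not the project's `profile_tool.py`): it lists profile-selected rules with no OSPP reference and fails only on rules outside a recorded known-missing list. The reference `href`, the sample XCCDF fragment and the known-missing baseline are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: placeholder href; use the one your benchmark emits for OSPP.
OSPP_HREF = "https://example.invalid/ospp"

# Constructed XCCDF fragment, not real build output.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Profile id="ospp">
    <select idref="service_auditd_enabled" selected="true"/>
    <select idref="constructed_rule_with_ref" selected="true"/>
    <select idref="selinux_state" selected="true"/>
    <select idref="package_abrt_removed" selected="false"/>
  </Profile>
  <Rule id="service_auditd_enabled">
    <reference href="https://example.invalid/other">AU-3</reference>
  </Rule>
  <Rule id="constructed_rule_with_ref">
    <reference href="https://example.invalid/ospp">FAU_GEN.1</reference>
  </Rule>
  <Rule id="selinux_state"/>
  <Rule id="package_abrt_removed"/>
</Benchmark>"""


def local(tag):
    """Drop the XML namespace so any XCCDF version's tags match."""
    return tag.rsplit("}", 1)[-1]


def missing_refs(xccdf_text, profile, href=OSPP_HREF):
    """Sorted ids of rules selected by `profile` that carry no reference to `href`."""
    root = ET.fromstring(xccdf_text)
    selected = set()
    for el in root.iter():
        pid = el.get("id", "")
        if local(el.tag) == "Profile" and (pid == profile or pid.endswith("_profile_" + profile)):
            selected = {s.get("idref") for s in el
                        if local(s.tag) == "select" and s.get("selected") == "true"}
    missing = []
    for el in root.iter():
        if local(el.tag) == "Rule" and el.get("id") in selected:
            if href not in {r.get("href") for r in el if local(r.tag) == "reference"}:
                missing.append(el.get("id"))
    return sorted(missing)


def gate(missing, known_missing):
    """Rules that should fail the gate: missing a reference and not in the baseline."""
    return sorted(set(missing) - set(known_missing))
```

A CI job would exit non-zero when `gate(...)` returns a non-empty list, so new rules need a reference while the existing backlog shrinks separately.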
@carlosmmatos can you please look at it as one of the ospp SMEs mentioned in the profile? It would be great if all ospp rules had references because then we can add the check to gating and prevent missing references in the future.
@ggbecker, @comps and @matusmarhefka, could you take a look at this issue, please? I believe it is worth keeping these references updated.
It can take quite some time to update all the references, considering that you need to find the correct one in the first place. I don't see this as a critical thing to be resolved at this moment. Let's keep it in the backlog though.