RHEL7 and RHEL8 CUI rules - missing references
Description of problem:
A lot of rules from rhel7 and rhel8 cui profile miss a reference.
List of rhel7 rules:
*** rules of 'cui' profile missing CUI Refs: 66 of 104 have them [36% missing]
accounts_max_concurrent_login_sessions
accounts_password_pam_dcredit
accounts_password_pam_difok
accounts_password_pam_lcredit
accounts_password_pam_maxclassrepeat
accounts_password_pam_maxrepeat
accounts_password_pam_minlen
accounts_password_pam_ocredit
accounts_password_pam_ucredit
accounts_passwords_pam_faillock_interval
accounts_umask_etc_bashrc
accounts_umask_etc_csh_cshrc
accounts_umask_etc_profile
audit_rules_for_ospp
disable_users_coredumps
grub2_audit_backlog_limit_argument
grub2_page_poison_argument
grub2_slub_debug_argument
grub2_vsyscall_argument
mount_option_dev_shm_nodev
mount_option_dev_shm_noexec
mount_option_dev_shm_nosuid
mount_option_home_nodev
mount_option_home_nosuid
mount_option_tmp_nodev
mount_option_tmp_noexec
mount_option_tmp_nosuid
mount_option_var_tmp_nodev
mount_option_var_tmp_noexec
mount_option_var_tmp_nosuid
package_abrt_removed
service_kdump_disabled
service_rpcbind_disabled
sysctl_fs_protected_hardlinks
sysctl_fs_protected_symlinks
sysctl_kernel_kexec_load_disabled
sysctl_kernel_kptr_restrict
sysctl_kernel_yama_ptrace_scope
List of rhel8 rules:
*** rules of 'cui' profile missing CUI Refs: 58 of 215 have them [73% missing]
accounts_max_concurrent_login_sessions
accounts_password_pam_dcredit
accounts_password_pam_difok
accounts_password_pam_lcredit
accounts_password_pam_maxclassrepeat
accounts_password_pam_maxrepeat
accounts_password_pam_minlen
accounts_password_pam_ocredit
accounts_password_pam_ucredit
accounts_passwords_pam_faillock_interval
accounts_umask_etc_bashrc
accounts_umask_etc_csh_cshrc
accounts_umask_etc_profile
audit_access_failed
audit_access_success
audit_basic_configuration
audit_create_failed
audit_create_success
audit_delete_failed
audit_delete_success
audit_immutable_login_uids
audit_modify_failed
audit_modify_success
audit_module_load
audit_ospp_general
audit_owner_change_failed
audit_owner_change_success
audit_perm_change_failed
audit_perm_change_success
auditd_freq
auditd_local_events
auditd_log_format
auditd_name_format
auditd_write_logs
chronyd_client_only
chronyd_no_chronyc_network
configure_bashrc_exec_tmux
configure_bind_crypto_policy
configure_crypto_policy
configure_kerberos_crypto_policy
configure_libreswan_crypto_policy
configure_openssl_crypto_policy
configure_ssh_crypto_policy
configure_tmux_lock_after_time
configure_tmux_lock_command
configure_usbguard_auditbackend
coredump_disable_backtraces
coredump_disable_storage
disable_users_coredumps
dnf-automatic_apply_updates
dnf-automatic_security_updates_only
enable_dracut_fips_module
enable_fips_mode
grub2_audit_backlog_limit_argument
grub2_kernel_trust_cpu_rng
grub2_page_poison_argument
grub2_pti_argument
grub2_slub_debug_argument
grub2_vsyscall_argument
kerberos_disable_no_keytab
kernel_module_atm_disabled
kernel_module_can_disabled
kernel_module_firewire-core_disabled
kernel_module_tipc_disabled
mount_option_boot_nodev
mount_option_boot_nosuid
mount_option_dev_shm_nodev
mount_option_dev_shm_noexec
mount_option_dev_shm_nosuid
mount_option_home_nodev
mount_option_home_nosuid
mount_option_nodev_nonroot_local_partitions
mount_option_tmp_nodev
mount_option_tmp_noexec
mount_option_tmp_nosuid
mount_option_var_log_audit_nodev
mount_option_var_log_audit_noexec
mount_option_var_log_audit_nosuid
mount_option_var_log_nodev
mount_option_var_log_noexec
mount_option_var_log_nosuid
mount_option_var_nodev
mount_option_var_tmp_nodev
mount_option_var_tmp_noexec
mount_option_var_tmp_nosuid
no_tmux_in_shells
openssl_use_strong_entropy
package_abrt-addon-ccpp_removed
package_abrt-addon-kerneloops_removed
package_abrt-addon-python_removed
package_abrt-cli_removed
package_abrt-plugin-logger_removed
package_abrt-plugin-rhtsupport_removed
package_abrt-plugin-sosreport_removed
package_abrt_removed
package_aide_installed
package_audispd-plugins_installed
package_audit_installed
package_chrony_installed
package_crypto-policies_installed
package_dnf-automatic_installed
package_dnf-plugin-subscription-manager_installed
package_fapolicyd_installed
package_firewalld_installed
package_gnutls-utils_installed
package_gssproxy_removed
package_iprutils_removed
package_krb5-workstation_removed
package_nfs-utils_removed
package_openscap-scanner_installed
package_openssh-clients_installed
package_openssh-server_installed
package_policycoreutils-python-utils_installed
package_policycoreutils_installed
package_rsyslog-gnutls_installed
package_rsyslog_installed
package_scap-security-guide_installed
package_sendmail_removed
package_subscription-manager_installed
package_sudo_installed
package_usbguard_installed
partition_for_home
partition_for_var
partition_for_var_log
partition_for_var_log_audit
partition_for_var_tmp
rsyslog_remote_tls
rsyslog_remote_tls_cacert
service_fapolicyd_enabled
service_kdump_disabled
service_systemd-coredump_disabled
service_usbguard_enabled
ssh_client_rekey_limit
ssh_client_use_strong_rng_csh
ssh_client_use_strong_rng_sh
sshd_rekey_limit
sshd_use_strong_rng
sysctl_fs_protected_hardlinks
sysctl_fs_protected_symlinks
sysctl_kernel_core_pattern
sysctl_kernel_kexec_load_disabled
sysctl_kernel_kptr_restrict
sysctl_kernel_perf_event_paranoid
sysctl_kernel_unprivileged_bpf_disabled
sysctl_kernel_yama_ptrace_scope
sysctl_net_core_bpf_jit_harden
sysctl_user_max_user_namespaces
timer_dnf-automatic_enabled
usbguard_allow_hid_and_hub
use_pam_wheel_for_su
zipl_audit_argument
zipl_audit_backlog_limit_argument
zipl_bls_entries_only
zipl_bootmap_is_up_to_date
zipl_page_poison_argument
zipl_slub_debug_argument
zipl_vsyscall_argument
SCAP Security Guide Version:
master
Steps to Reproduce:
RHEL7 $ python3 build-scripts/profile_tool.py stats --benchmark build/ssg-rhel7-xccdf.xml --profile cui --missing-cui-refs --skip-stats
RHEL8 $ python3 build-scripts/profile_tool.py stats --benchmark build/ssg-rhel8-xccdf.xml --profile cui --missing-cui-refs --skip-stats
Actual Results:
Rules miss references.
Expected Results:
No rule misses reference.
Additional Information/Debugging Steps:
When we have CUI rules with references, we can add the profile references check to gating and check whether a rule newly added to the CUI profile has a reference.
Ping me if you want me to update the list of rules. I'm checking references against the master branch.
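A sketch of the gating check proposed above, as an added example that is not part of the original issue and not the project's `profile_tool.py`. The embedded benchmark, the `demo_*` rule names and the reference URI (`CUI_HREF`) are constructed placeholders; a real check would read the built `ssg-rhel*-xccdf.xml` and use the href the content actually assigns to CUI references.

```python
import sys
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
R = "xccdf_org.ssgproject.content_rule_"
PROFILE = "xccdf_org.ssgproject.content_profile_cui"
CUI_HREF = "https://example.org/cui"  # assumption: placeholder, not the project's real URI

# Constructed miniature benchmark (not real build output).
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="{PROFILE}">
    <select idref="{R}sshd_rekey_limit" selected="true"/>
    <select idref="{R}demo_has_ref" selected="true"/>
    <select idref="{R}demo_empty_ref" selected="true"/>
    <select idref="{R}demo_unselected" selected="false"/>
  </Profile>
  <Group id="xccdf_org.ssgproject.content_group_demo">
    <Rule id="{R}sshd_rekey_limit">
      <reference href="https://example.org/other">X-1</reference>
    </Rule>
    <Rule id="{R}demo_has_ref"><reference href="{CUI_HREF}">3.1.1</reference></Rule>
    <Rule id="{R}demo_empty_ref"><reference href="{CUI_HREF}"> </reference></Rule>
    <Rule id="{R}demo_unselected"/>
  </Group>
</Benchmark>"""


def rules_missing_ref(benchmark_xml, profile_id, href):
    """Return sorted ids of profile-selected rules with no non-empty reference to href."""
    root = ET.fromstring(benchmark_xml)  # input is a locally built benchmark
    profile = next((p for p in root.iter(NS + "Profile")
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found")
    selected = {s.get("idref") for s in profile.findall(NS + "select")
                if s.get("selected") == "true"}
    missing = []
    for rule in root.iter(NS + "Rule"):
        if rule.get("id") not in selected:
            continue
        # A reference under another catalogue's href, or one with blank text, does not count.
        has_ref = any(r.get("href") == href and (r.text or "").strip()
                      for r in rule.findall(NS + "reference"))
        if not has_ref:
            missing.append(rule.get("id"))
    return sorted(missing)


if __name__ == "__main__":
    missing = rules_missing_ref(SAMPLE, PROFILE, CUI_HREF)
    print("\n".join(missing))
    sys.exit(1 if missing else 0)  # non-zero exit fails the gate
```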
@carlosmmatos similar to #6842, can you check it?
@comps I see you are the SME in the cui profile. Could you take a look at this, please?
@marcusburghardt Sorry, I barely know about the existence of cui, are you sure you haven't confused me with somebody else?
> @marcusburghardt Sorry, I barely know about the existence of cui, are you sure you haven't confused me with somebody else?
I found your GH handle here: https://github.com/ComplianceAsCode/content/blob/master/products/rhel7/profiles/cui.profile#L6
Can you help with this @ggbecker ?
> I found your GH handle here: https://github.com/ComplianceAsCode/content/blob/master/products/rhel7/profiles/cui.profile#L6
Ah, somebody probably wanted to extend the ospp profile and copy/pasted me and Steve to SMEs, despite the profile not being related to OSPP (as far as I know). RHEL-8 and 9 have @ggbecker .
The SME can probably be changed, no problem. But as I stated in https://github.com/ComplianceAsCode/content/issues/6842#issuecomment-1687980458, these references are usually a nice to have and spending time fixing them is not a critical thing IMO. And due to the amount of rules without references, it can take quite a lot of time to go through every one of them, so we would need to plan this in advance.