RHEL9 STIG profile difference from SRG mapping controls
This is the list of rules/variables that are in the RHEL9 stig.profile but are not selected by the SRG mapping.
as of 95dbc546d9b6a746c22a2a8ec2bf97a0238d316c
selections:
- accounts_password_pam_pwquality_password_auth
- accounts_password_pam_pwquality_system_auth
- agent_mfetpd_running
- auditd_data_disk_error_action
- auditd_data_disk_full_action
- chronyd_server_directive
- dir_permissions_library_dirs
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
- kernel_module_firewire-core_disabled
- kernel_module_sctp_disabled
- package_mcafeetp_installed
- package_rsh-server_removed
- set_password_hashing_algorithm_passwordauth
- set_password_hashing_min_rounds_logindefs
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- var_sssd_certificate_verification_digest_function=sha1 (we are using sha512 in RHEL9 SRGs, so it should be fine)
updated: Jun 21 2022
@Mab879 FYI
How to reproduce
./build_product rhel9 --debug --datastream-only
python build-scripts/profile_tool.py sub --profile2 build/rhel9/profiles/srg_gpos.profile --profile1 build/rhel9/profiles/stig.profile --ssg-root . --product rhel9 --build-config-yaml build/build_config.yml
> How to reproduce
> ./build_product rhel9 --debug --datastream-only
> python build-scripts/profile_tool.py sub --profile2 build/rhel9/profiles/srg_gpos.profile --profile1 build/rhel9/profiles/stig.profile --ssg-root . --product rhel9 --build-config-yaml build/build_config.yml
I tried to reproduce using this command but it returned this error:
RuntimeError: Error loading a Profile from build/rhel9/profiles/srg_gpos.profile: .../ComplianceAsCode/content/build/rhel9/profiles/srg_gpos.profile
The srg_gpos.profile is not found. It seems something was changed in the meantime.
@ggbecker , could you check this and confirm if this issue is still relevant, please?
I have updated the list of rules that were in the original RHEL9 draft profile but are not in the profile that is generated from the control file srg_gpos.
- agent_mfetpd_running
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
- kernel_module_firewire-core_disabled
- package_mcafeetp_installed
- package_rsh-server_removed
Some of these rules don't necessarily need to be present in the RHEL9 profile, as they can be not applicable, for example.
The easiest way to check if the rules are not there is to build the RHEL9 content and inspect the build/rhel9/profiles/stig.profile file and see if the built profile contains these rules.
I guess at this point in time we are mostly waiting for the official RHEL9 STIG to be released, and if they for some reason include any of these missing rules, we should re-add them to the profile. But there is no need to keep this issue open, since when we get the official release we will compare it with what we have and detect any inconsistencies. I propose to close this one.
The only concern I have is that we submitted the STIG profile with the following:
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
If I'm not mistaken, they were then later removed from the profile because they were not working properly. But if DISA has already accepted this, it might mean we will need to re-add them.
@Mab879 Feel free to close this one.
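The two comparisons discussed in this thread (the `profile_tool.py sub` diff in the reproduction steps, and checking whether the built `build/rhel9/profiles/stig.profile` still selects a given rule) can be done with a few lines of Python over the built profile files. The script below is an added example and is not code from ComplianceAsCode; it assumes only the flat `selections:` list form shown in this issue (rule ids and `var=value` entries), the sample profile contents are constructed for the demo, and the file-loading helper is a hypothetical convenience rather than part of `profile_tool.py`.

```python
"""Compare the rule/variable selections of two built ComplianceAsCode profiles.

Constructed example: mimics 'profile_tool.py sub --profile1 A --profile2 B'
(selections in A that B lacks) and the manual check "does the built
stig.profile contain rule X?" without depending on the real build tree.
"""
from typing import Dict, Iterable, Tuple

# Constructed sample profiles in the shape of build/rhel9/profiles/*.profile.
# Only the 'selections:' block matters here; these are NOT the real built files.
STIG_PROFILE = """\
documentation_complete: true
title: 'DISA STIG for Red Hat Enterprise Linux 9'
selections:
- accounts_password_pam_pwquality_password_auth
- harden_sshd_ciphers_openssh_conf_crypto_policy
- package_rsh-server_removed
- var_sssd_certificate_verification_digest_function=sha1
"""

SRG_PROFILE = """\
documentation_complete: true
title: 'SRG-OS mapping for Red Hat Enterprise Linux 9'
selections:
- accounts_password_pam_pwquality_password_auth
- var_sssd_certificate_verification_digest_function=sha512
"""


def parse_selections(text: str) -> Tuple[set, Dict[str, str]]:
    """Return (rule ids, {variable: value}) from a profile's 'selections:' list.

    Minimal line-based parser for the flat list form the built profiles use;
    it avoids a YAML dependency and stops at the next top-level key.
    """
    rules, variables = set(), {}
    in_selections = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue  # blank lines do not end the block
        if not line.startswith((" ", "-")):
            in_selections = line == "selections:"  # new top-level key
            continue
        if not in_selections:
            continue
        item = line.lstrip(" -").strip()
        if not item or item.startswith("#"):
            continue
        if "=" in item:  # 'var_name=value' sets a variable
            name, value = item.split("=", 1)
            variables[name.strip()] = value.strip()
        else:
            rules.add(item)
    return rules, variables


def profile_difference(profile1: str, profile2: str) -> dict:
    """Selections present in profile1 but absent from profile2, plus variables
    set in both profiles with differing values (e.g. sha1 vs sha512)."""
    rules1, vars1 = parse_selections(profile1)
    rules2, vars2 = parse_selections(profile2)
    return {
        "missing_rules": sorted(rules1 - rules2),
        "missing_variables": sorted(set(vars1) - set(vars2)),
        "differing_variables": {
            name: (vars1[name], vars2[name])
            for name in sorted(set(vars1) & set(vars2))
            if vars1[name] != vars2[name]
        },
    }


def rules_present(profile: str, wanted: Iterable[str]) -> Dict[str, bool]:
    """For each wanted rule id, report whether the built profile selects it."""
    rules, _ = parse_selections(profile)
    return {rule: rule in rules for rule in wanted}


def load_profile(path: str) -> str:
    """Hypothetical helper: read a built profile such as
    build/rhel9/profiles/stig.profile from disk."""
    with open(path, encoding="utf-8") as handle:
        return handle.read()


if __name__ == "__main__":
    diff = profile_difference(STIG_PROFILE, SRG_PROFILE)
    for rule in diff["missing_rules"]:
        print("only in profile1:", rule)
    for name, (v1, v2) in diff["differing_variables"].items():
        print(f"variable {name}: profile1={v1} profile2={v2}")
    print(rules_present(STIG_PROFILE, ["package_rsh-server_removed"]))
```

Against real build output, replace the constructed strings with `load_profile("build/rhel9/profiles/stig.profile")` and the SRG-derived profile; `rules_present` is the quick check for the eight rules listed above, and `differing_variables` surfaces cases like the sha1/sha512 digest function that a plain rule diff would miss.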
> If I'm not mistaken, they were then later removed from the profile because they were not working properly. But if DISA has already accepted this, it might mean we will need to re-add them.
To include these rules, https://github.com/ComplianceAsCode/content/issues/10978 should be fixed first. We can close this issue and track these rules only in https://github.com/ComplianceAsCode/content/issues/10978.
I will close this issue for now based on the discussion. In short, once DISA releases the STIG for RHEL9 we will check whether any change is necessary. OK for you @Mab879?
Works for me.