RHEL-08-010671 and RHEL-08-040282 missing paths per STIG
Description of problem:
The DISA STIG for RHEL-08-010671 (RHEL 8 must disable the kernel.core_pattern) is here: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230311
The DISA STIG for RHEL-08-040282 (RHEL 8 must restrict usage of ptrace to descendant processes) is here: https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230546
These are two separate STIGs, but they are related because they suffer the same issue.
The SCAP Security Guide only searches the following paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
In RHEL-08-010671, the check text requires that every instance of kernel.core_pattern be exactly kernel.core_pattern=|/bin/false, even if the file containing it is not loaded by sysctl --system.
However, the STIG requires all .conf files in the following directories to be updated:
Check that the configuration files are present to enable this kernel parameter.
$ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
Likewise, in RHEL-08-040282 the check text specifies the same paths to verify kernel.yama.ptrace_scope = 1:
Check that the configuration files are present to enable this network parameter.
$ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf
From the above, we can see the following paths are missing from the SCAP Security Guide:
- /usr/lib/sysctl.d/
- /lib/sysctl.d/
The result is the following two findings for RHEL-08-010671:
- /usr/lib/sysctl.d/50-coredump.conf:kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
- /lib/sysctl.d/50-coredump.conf:kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
And the following two findings for RHEL-08-040282:
- /usr/lib/sysctl.d/10-default-yama-scope.conf:kernel.yama.ptrace_scope = 0
- /lib/sysctl.d/10-default-yama-scope.conf:kernel.yama.ptrace_scope = 0
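As an added example (not part of this report or of the SCAP Security Guide), the shell audit below searches every directory the STIG check text names, including the two the guide misses, and prints each assignment whose value is not the required one in the same file:line form as the grep output above. SYSCTL_ROOT is an assumed knob so the audit can run against a constructed tree that reproduces the four findings instead of the live system.

```shell
#!/bin/sh
# Added example: audit every sysctl directory named in the STIG check text.
# Assumption: SYSCTL_ROOT, if set, is prepended to every path (constructed
# tree for demonstration); leave it unset to audit the live system.

# Directories exactly as the STIG check text lists them; /etc/sysctl.conf is
# added separately below.
STIG_SYSCTL_DIRS="/run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d /etc/sysctl.d"

# stig_sysctl_findings KEY EXPECTED_VALUE
# Prints "file:line" for every uncommented assignment of KEY whose value
# (whitespace around '=' ignored) differs from EXPECTED_VALUE. The STIG wants
# every instance fixed, so sysctl --system precedence is deliberately ignored.
stig_sysctl_findings() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the key
    expected=$2
    root=${SYSCTL_ROOT:-}
    set -- "$root/etc/sysctl.conf"
    for d in $STIG_SYSCTL_DIRS; do
        set -- "$@" "$root$d"/*.conf
    done
    for f in "$@"; do
        [ -f "$f" ] || continue                      # unmatched globs skip here
        grep -E "^[[:space:]]*$key_re[[:space:]]*=" "$f" | while IFS= read -r line; do
            value=$(printf '%s' "$line" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
            [ "$value" = "$expected" ] || printf '%s:%s\n' "$f" "$line"
        done
    done
}

# build_sample_tree DIR: constructed files mirroring the report's findings.
build_sample_tree() {
    mkdir -p "$1/etc/sysctl.d" "$1/usr/lib/sysctl.d"
    # /lib is a symlink to /usr/lib on RHEL 8, which is why each file shows twice.
    ln -s usr/lib "$1/lib"
    printf '%s\n' 'kernel.core_pattern=|/bin/false' 'kernel.yama.ptrace_scope = 1' \
        > "$1/etc/sysctl.d/99-stig.conf"
    printf '%s\n' 'kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e' \
        > "$1/usr/lib/sysctl.d/50-coredump.conf"
    printf '%s\n' 'kernel.yama.ptrace_scope = 0' \
        > "$1/usr/lib/sysctl.d/10-default-yama-scope.conf"
}
```

Running `stig_sysctl_findings kernel.core_pattern '|/bin/false'` and `stig_sysctl_findings kernel.yama.ptrace_scope 1` against the constructed tree prints the two 50-coredump.conf lines and the two 10-default-yama-scope.conf lines, while the compliant 99-stig.conf produces nothing.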
SCAP Security Guide Version:
- 0.1.72 (Feb 2024)
Operating System Version:
- RHEL 8 (confirmed)
- (Possibly RHEL 7 and 9?)