content icon indicating copy to clipboard operation
content copied to clipboard

Published 20 hours ago verified publisher icon ComplianceAsCode

rootfiles_configured is misaligned with DISA

Open ggbecker opened this issue 8 months ago • 4 comments

Description of problem:

The content is misaligned with an external (third party) content that targets the same policy - typically, this means that a system hardened by our content doesn't pass the scan by the external content.

Details:

This content is not aligned with content from DISA

The misalignment affects these profiles:

  • RHEL 9 STIG/ RHEL8 STIG

The misalignment affects these rules:

  • rootfiles_configured

This is the OVAL test that is failing:

<h4><span class="label label-primary">The home directories of non-system users have mode 0740 or less permissive.</span> 
        <span class="label label-default">oval:mil.disa.stig.unix:tst:23032500</span> 
        <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="local initialization files of non-system users.">oval:mil.disa.stig.unix:obj:23032500</abbr></strong> of type
                <strong>file_object</strong></h5>
Path | Filename
-- | --
/ | ^\.[^\s\.]+

Outcome:

  • [ ] This project's content can be improved:
    • [ ] Check needs to be improved.
    • [ ] Remediation needs to be improved.
  • [ ] The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version:

f5f543d16c73513163581c9a8844a5822661081d

External Content's Version:

content from f5f543d16c73513163581c9a8844a5822661081d

ggbecker avatar Mar 11 '25 10:03 ggbecker

We might need the new rootfiles_configured on RHEL 9 as well.

Mab879 avatar Mar 11 '25 12:03 Mab879

We might need the new rootfiles_configured on RHEL 9 as well.

Isn't this new rule part of the RHEL9 already? https://github.com/ComplianceAsCode/content/blob/19d56a0eeb7e13564a0b7fcccc86c7d9af088aff/controls/stig_rhel9.yml#L997

Do you mean something else than that?

ggbecker avatar Mar 11 '25 12:03 ggbecker

We might need the new rootfiles_configured on RHEL 9 as well.

Isn't this new rule part of the RHEL9 already?

content/controls/stig_rhel9.yml

Line 997 in 19d56a0

  • rootfiles_configured

Do you mean something else than that?

For some reason I thought I only added that to RHEL 8. You are correct, so my comment is invalid.

Mab879 avatar Mar 11 '25 15:03 Mab879

This problem is now manifesting on RHEL8 STIG as well.

ggbecker avatar Mar 13 '25 13:03 ggbecker

This ticket is the same misalignement as the one reported in https://github.com/ComplianceAsCode/content/issues/13033

After we started to investigate rule rootfiles_configured misaligned with DISA we quickly discovered that the rule rootfiles_configured maps to same STIG ID as file_permission_user_init_files_root. Specifically, in RHEL 8 STIG it's RHEL-08-010770 and in RHEL 9 STIG it's RHEL-09-232045. In other words, the STIG rule is implemented by 2 our rules: rootfiles_configured and file_permission_user_init_files_root. In DISA's content it's implemented by a single rule SV-257889r1044959_rule. This also means that the fail that we observed for file_permission_user_init_files_root is the same as the fail that we observed in rootfiles_configured. The fail is caused by the same bug in DISA's content.

jan-cerny avatar Jul 15 '25 11:07 jan-cerny

This no longer appears in our productization tests, closing.

vojtapolasek avatar Oct 09 '25 08:10 vojtapolasek