
RHEL9 STIG profile difference from SRG mapping controls #8580

Closed
ggbecker opened this issue Apr 20, 2022 · 7 comments
Assignees
Labels
RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related.

Comments

@ggbecker
Member

ggbecker commented Apr 20, 2022

This is the list of rules/variables that are in the RHEL9 stig.profile but are not selected by the SRG mapping.
as of 95dbc54

selections:
- accounts_password_pam_pwquality_password_auth
- accounts_password_pam_pwquality_system_auth
- agent_mfetpd_running
- auditd_data_disk_error_action
- auditd_data_disk_full_action
- chronyd_server_directive
- dir_permissions_library_dirs
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
- kernel_module_firewire-core_disabled
- kernel_module_sctp_disabled
- package_mcafeetp_installed
- package_rsh-server_removed
- set_password_hashing_algorithm_passwordauth
- set_password_hashing_min_rounds_logindefs
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- var_sssd_certificate_verification_digest_function=sha1 (we are using sha512 in RHEL9 SRGs, so it should be fine)

updated: Jun 21 2022

@ggbecker
Member Author

@Mab879 FYI

@ggbecker
Member Author

How to reproduce
./build_product rhel9 --debug --datastream-only

python build-scripts/profile_tool.py sub --profile2 build/rhel9/profiles/srg_gpos.profile --profile1 build/rhel9/profiles/stig.profile --ssg-root . --product rhel9 --build-config-yaml build/build_config.yml

@marcusburghardt marcusburghardt added RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. and removed DISA RHEL9 STIG Alignment labels Jun 23, 2022
@marcusburghardt
Member

How to reproduce ./build_product rhel9 --debug --datastream-only

python build-scripts/profile_tool.py sub --profile2 build/rhel9/profiles/srg_gpos.profile --profile1 build/rhel9/profiles/stig.profile --ssg-root . --product rhel9 --build-config-yaml build/build_config.yml

I tried to reproduce using this command but it returned this error:

RuntimeError: Error loading a Profile from build/rhel9/profiles/srg_gpos.profile: .../ComplianceAsCode/content/build/rhel9/profiles/srg_gpos.profile

The srg_gpos.profile is not found. It seems something was changed in the meantime.
@ggbecker , could you check this and confirm if this issue is still relevant, please?

@ggbecker
Member Author

ggbecker commented Aug 22, 2023

I have updated the list of rules that were in the original RHEL9 draft profile but are not in the profile that is generated from the control file srg_pos.

- agent_mfetpd_running
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
- kernel_module_firewire-core_disabled
- package_mcafeetp_installed
- package_rsh-server_removed

Some of these rules don't necessarily need to be present in the RHEL9 profile as they can be notapplicable for example.

The easiest way to check if the rules are not there is to build the RHEL9 content and inspect the build/rhel9/profiles/stig.profile file and see if the built profile contains these rules.

I guess at this point in time we are mostly waiting for the official RHEL9 STIG to be released and if they for some reason include any of these missing rules, we should readd them to the profile. But there is no need to keep this issue open, since when we get the official release we will compare with what we have and detect any inconsistencies. I propose to close this one.

The only concern I have is that we submitted the STIG profile with the following:

- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy

If I'm not mistaken, they were then later removed from the profile because they were not working properly. But if DISA has already accepted this, it might mean we will need to re-add them.

@Mab879 Feel free to close this one.
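Both the reproduce procedure earlier in this thread (build the product, then run `profile_tool.py sub` on the two built profiles) and the check suggested in this comment (inspect build/rhel9/profiles/stig.profile for the listed rules) come down to comparing selection lists. The script below is an added example and is not code from the issue or from the ComplianceAsCode project. It assumes a simplified profile format with a top-level `selections:` list like the one in the opening comment, where a `name=value` item selects a variable value and a leading `!` unselects a rule; the two embedded profiles are constructed samples, not real build output.

```python
"""Added example: diff rule selections between two profile files.

Assumes a simplified ComplianceAsCode-style profile: a top-level
'selections:' key followed by '- item' lines, where 'name=value' selects a
variable value and a leading '!' unselects a rule.  The sample profiles
below are constructed for illustration and are not real build output.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample standing in for build/rhel9/profiles/stig.profile
STIG_PROFILE = """\
title: 'DISA STIG for Red Hat Enterprise Linux 9 (constructed sample)'
selections:
- accounts_password_pam_pwquality_password_auth
- agent_mfetpd_running
- package_rsh-server_removed
- sysctl_net_ipv4_conf_default_accept_redirects
- var_sssd_certificate_verification_digest_function=sha1
"""

# Constructed sample standing in for the profile generated from the SRG mapping
SRG_PROFILE = """\
title: 'SRG GPOS mapping (constructed sample)'
selections:
- accounts_password_pam_pwquality_password_auth
- sysctl_net_ipv4_conf_default_accept_redirects
- '!package_rsh-server_removed'   # explicitly unselected
- var_sssd_certificate_verification_digest_function=sha512
"""


def parse_selections(text: str) -> Tuple[Set[str], Dict[str, str], Set[str]]:
    """Return (selected rules, variable values, unselected rules) from the
    'selections:' block.  Comments and blank lines are ignored; any other
    top-level key ends the block."""
    rules: Set[str] = set()
    variables: Dict[str, str] = {}
    unselected: Set[str] = set()
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "-")):     # a top-level key
            in_block = line.startswith("selections:")
            continue
        item = line.strip()
        if not in_block or not item.startswith("- "):
            continue
        item = item[2:].strip().strip("'\"")    # tolerate quoted items
        if "=" in item:
            name, value = item.split("=", 1)
            variables[name.strip()] = value.strip()
        elif item.startswith("!"):
            unselected.add(item[1:])
        else:
            rules.add(item)
    return rules, variables, unselected


def profile_difference(profile1: str, profile2: str):
    """Selections present in profile1 but absent from profile2, in the
    spirit of 'profile_tool.py sub --profile1 ... --profile2 ...'.
    Returns (missing rule ids, {variable: (value1, value2 or None)})."""
    r1, v1, u1 = parse_selections(profile1)
    r2, v2, u2 = parse_selections(profile2)
    missing_rules = sorted((r1 - u1) - (r2 - u2))
    variable_diffs = {name: (val, v2.get(name))
                      for name, val in v1.items() if v2.get(name) != val}
    return missing_rules, variable_diffs


def rules_not_selected(profile: str, expected: List[str]) -> List[str]:
    """Which of the expected rule ids a built profile does not select."""
    rules, _, unselected = parse_selections(profile)
    return sorted(set(expected) - (rules - unselected))


if __name__ == "__main__":
    missing, var_diffs = profile_difference(STIG_PROFILE, SRG_PROFILE)
    print("rules in STIG profile but not in SRG mapping:", missing)
    print("variables differing:", var_diffs)
    print("expected rules not in STIG profile:",
          rules_not_selected(STIG_PROFILE, ["agent_mfetpd_running",
                                            "package_mcafeetp_installed"]))
```

Against real built profiles you would read the two files from disk and pass their contents to `profile_difference`; an unselected rule (`!rule_id`) is treated as not selected on either side, so a rule the SRG mapping explicitly drops shows up in the difference just as a rule it never mentions does.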

@marcusburghardt
Member

If I'm not mistaken, they were then later removed from the profile because they were not working properly. But if DISA has already accepted this, it might mean we will need to re-add them.

To include these rules, first the #10978 should be fixed.
We can close this issue and track these rules only in #10978.

@marcusburghardt marcusburghardt self-assigned this Sep 12, 2023
@marcusburghardt
Member

I will close this issue for now based on the discussion. In short, once DISA releases the STIG for RHEL9 we check if any change is necessary. Ok for you @Mab879 ?

@Mab879
Member

Mab879 commented Sep 12, 2023

Works for me.
