From 5739fdb5b64838699a46bab6071103af316451c5 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 5 Jan 2024 14:31:13 +0100 Subject: [PATCH 1/8] OCP4 STIG: add rule for accessTokenMaxAgeSeconds Select rule oauth_or_oauthclient_token_maxage to satisfy SRG-APP-000400-CTR-000960. The default value is 24h (86400 seconds), but the STIG requires 8h (28800 seconds). --- .../oauth_or_oauthclient_token_maxage/rule.yml | 1 + controls/srg_ctr/SRG-APP-000400-CTR-000960.yml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml index 8145422ff0b..04e06dfbd40 100644 --- a/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml +++ b/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml @@ -51,6 +51,7 @@ rationale: |- references: nist: AC-12 + srg: SRG-APP-000400-CTR-000960 identifiers: cce@ocp4: CCE-84162-7 diff --git a/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml b/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml index 484579bfe0b..401913b232c 100644 --- a/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml +++ b/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml @@ -4,7 +4,7 @@ controls: - medium title: {{{ full_name }}} must prohibit the use of cached authenticators after an organization-defined time period. - status: inherently met + status: automated artifact_description: |- Supporting evidence is in the following documentation @@ -18,4 +18,5 @@ controls: `oc edit oauth.config.openshift.io/cluster` See: https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth - + rules: + - oauth_or_oauthclient_token_maxage From 9985df0a3b56a7b98df7af633a50bb08ab895b1a Mon Sep 17 00:00:00 2001 
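Review bot: The control's `status` flips from `inherently met` to `automated`, but the `artifact_description` kept as context still opens with `Supporting evidence is in the following documentation`, so the evidence paragraph now describes a manual, documentation-based path for a control that claims automation; it should be reworded to state that the selected rule produces the evidence. A second concern, hedged because the check of oauth_or_oauthclient_token_maxage itself is not shown: the underlying token-maxage rules only stop matching `".*"` in patch 8 of this series, so at this commit the control is marked automated against a check that, as far as the series shows, verifies the field is set rather than the 8h (28800 s) value the commit message names.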
From: Watson Sato Date: Fri, 5 Jan 2024 15:07:03 +0100 Subject: [PATCH 2/8] OCP4 STIG: audit for unsuccessful deletion Select rules for to generate audit records for unsuccessful attempts to delete objects and catergories of information. --- controls/srg_ctr/SRG-APP-000501-CTR-001265.yml | 5 +++++ controls/srg_ctr/SRG-APP-000502-CTR-001270.yml | 5 +++++ .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../auditing/policy_rules/audit_delete_failed/rule.yml | 2 +- 7 files changed, 15 insertions(+), 5 deletions(-) diff --git a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml index fcece9b8ca7..43559871873 100644 --- a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml +++ b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml @@ -18,4 +18,9 @@ controls: - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - audit_rules_privileged_commands_chage + - audit_delete_failed + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat status: automated diff --git a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml index 7973a1b7876..20eb7d9ffbb 100644 --- a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml +++ b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml @@ -18,4 +18,9 @@ controls: - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - audit_rules_privileged_commands_chage + - audit_delete_failed + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat status: automated 
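Review bot: Both control hunks select `audit_delete_failed` together with the four `audit_rules_unsuccessful_file_modification_*` rules, and the remediation content shown for audit_delete_failed in patch 7 (`-S unlink,unlinkat,rename,renameat -F exit=-EACCES` / `-EPERM`) covers the same syscalls and exit codes as the per-syscall rules, so a profile picking `srg_ctr:all` will load overlapping audit rules for the same events. If the duplication is deliberate, record it in the control, e.g. `notes: |-` followed by a line stating that audit_delete_failed and the per-syscall unsuccessful_file_modification rules intentionally overlap and why both are kept; otherwise select only one set. The same list is added to both SRG-APP-000501-CTR-001265 and SRG-APP-000502-CTR-001270, so the change should be made in both.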
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml index 2d7a75567fa..4e9159267bd 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml @@ -50,7 +50,7 @@ references: nist@sle15: AU-12(c),AU-12.1(iv) ospp: FAU_GEN.1.1.c pcidss: Req-10.2.4,Req-10.2.1 - srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 stigid@sle15: SLES-15-030740 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml index 51e43372b84..32eb5378a05 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml 
@@ -58,7 +58,7 @@ references: nist@sle15: AU-12(c),AU-12.1(iv) ospp: FAU_GEN.1.1.c pcidss: Req-10.2.4,Req-10.2.1 - srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 stigid@sle15: SLES-15-030740 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml index 203229194dc..a26d8ac12ff 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml @@ -64,7 +64,7 @@ references: nist@sle15: AU-12(c),AU-12.1(iv) ospp: FAU_GEN.1.1.c pcidss: Req-10.2.4,Req-10.2.1 - srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 stigid@sle15: SLES-15-030740 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml index f213556c103..4c574a3bd5f 100644 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml @@ -61,7 +61,7 @@ references: nist@sle15: AU-12(c),AU-12.1(iv) ospp: FAU_GEN.1.1.c pcidss: Req-10.2.4,Req-10.2.1 - srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 stigid@sle15: SLES-15-030740 diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml index 9369175a0d8..aa45717ffd6 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml @@ -40,7 +40,7 @@ identifiers: references: nist: AU-2(a) ospp: FAU_GEN.1.1.c - srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212 + srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 ocil_clause: 'the file does not exist or the content differs' From d4f093005afe03b81122ce7415dbebc957bf6f0c Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Fri, 5 Jan 2024 15:21:34 +0100 Subject: [PATCH 3/8] OCP4 STIG: select rule to audit pt_chown binary Select rule to generate audit records for the use of pt_chown binary. --- controls/srg_ctr/SRG-APP-000499-CTR-001255.yml | 1 + controls/srg_ctr/SRG-APP-000501-CTR-001265.yml | 1 + controls/srg_ctr/SRG-APP-000502-CTR-001270.yml | 1 + .../audit_rules_privileged_commands_pt_chown/rule.yml | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml b/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml index 6de12b0ad49..04f11355b2b 100644 --- a/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml +++ b/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml @@ -23,6 +23,7 @@ controls: - audit_rules_file_deletion_events_rmdir - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat + - audit_rules_privileged_commands_pt_chown - audit_rules_privileged_commands_su - audit_rules_privileged_commands_sudo - audit_rules_privileged_commands_usermod diff --git a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml index 43559871873..c32097948da 100644 --- a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml +++ b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml @@ -18,6 +18,7 @@ controls: - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_pt_chown - audit_delete_failed - audit_rules_unsuccessful_file_modification_unlink - audit_rules_unsuccessful_file_modification_unlinkat diff --git a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml index 20eb7d9ffbb..d1a364e5e4b 100644 --- a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml +++ b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml 
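Review bot: `audit_rules_privileged_commands_pt_chown` audits execution of `/usr/libexec/pt_chown` (see the `ocil_fix_srg_privileged_command("pt_chown", "/usr/libexec/")` context in the rule hunk), and nothing in the series shows that this binary exists on the nodes the srg_ctr controls target; if it is absent there the rule adds a watch for a path that never executes, so confirm applicability, or scope the rule with a `platform:` condition, before selecting it into three controls. A style point: in SRG-APP-000499-CTR-001255 the new entry keeps the alphabetical `audit_rules_privileged_commands_*` grouping, while in SRG-APP-000501-CTR-001265 and SRG-APP-000502-CTR-001270 it is inserted between `audit_rules_privileged_commands_chage` and `audit_delete_failed`, leaving the three lists in inconsistent orders.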
@@ -18,6 +18,7 @@ controls: - audit_rules_file_deletion_events_unlink - audit_rules_file_deletion_events_unlinkat - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_pt_chown - audit_delete_failed - audit_rules_unsuccessful_file_modification_unlink - audit_rules_unsuccessful_file_modification_unlinkat diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml index 35e31c1405f..a33830c58e7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml @@ -49,7 +49,7 @@ references: iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 - srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 + srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 {{{ ocil_fix_srg_privileged_command("pt_chown", "/usr/libexec/") }}} From 6f6a229162c76cf3883e466a2850e77d19bd4287 Mon Sep 17 00:00:00 2001 
From: Watson Sato Date: Fri, 5 Jan 2024 15:51:49 +0100 Subject: [PATCH 4/8] OCP4 STIG: Enable SRG-APP-000141-CTR-000315 rules The rules for control SRG-APP-000141-CTR-000315 were defined as related, instead of being atually selected. --- controls/srg_ctr/SRG-APP-000141-CTR-000315.yml | 2 +- .../guide/services/usbguard/package_usbguard_installed/rule.yml | 2 +- .../guide/services/usbguard/service_usbguard_enabled/rule.yml | 2 +- .../mounting/kernel_module_usb-storage_disabled/rule.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml index f92c38bc8b1..8b9a6c52c1e 100644 --- a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml +++ b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml @@ -3,7 +3,7 @@ controls: levels: - medium title: {{{ full_name }}} must be configured with only essential configurations. - related_rules: + rules: - service_sshd_disabled - kernel_module_usb-storage_disabled - package_usbguard_installed diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml index e9e56f1240e..c5b55207f54 100644 --- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml @@ -48,7 +48,7 @@ references: disa: CCI-001958 ism: "1418" nist: CM-8(3),IA-3 - srg: SRG-OS-000378-GPOS-00163 + srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315 stigid@ol8: OL08-00-040139 stigid@rhel8: RHEL-08-040139 stigid@rhel9: RHEL-09-291015 diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml index 703949026db..bbc76cd0945 100644 --- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml +++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml 
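Review bot: Changing `related_rules:` to `rules:` in SRG-APP-000141-CTR-000315 makes `service_sshd_disabled`, `kernel_module_usb-storage_disabled`, `package_usbguard_installed` and the remaining listed rules active for every profile that selects `srg_ctr:all` (the ocp4 stig profile in patch 8 does), while the control text kept in context says only that the platform `must be configured with only essential configurations`; disabling sshd on cluster nodes and requiring the usbguard package are operational changes that neither the control nor the commit message justifies. Suggest recording the reasoning in the control, e.g. a `notes: |-` entry explaining why sshd is treated as non-essential on nodes and how usbguard is expected to be provided there, and confirming that each newly active rule has a remediation applicable to those nodes, which this hunk does not show. The `status:` line of this control lies outside the hunk.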
@@ -24,7 +24,7 @@ references: ism: "1418" nist: CM-8(3)(a),IA-3 ospp: FMT_SMF_EXT.1 - srg: SRG-OS-000378-GPOS-00163 + srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315 stigid@ol8: OL08-00-040141 stigid@rhel8: RHEL-08-040141 stigid@rhel9: RHEL-09-291020 diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml index da4bc659139..acf169a4281 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml @@ -45,7 +45,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a),MP-7 nist-csf: PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7 pcidss4: '3.4.2' - srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227 + srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227,SRG-APP-000141-CTR-000315 stigid@ol7: OL07-00-020100 stigid@ol8: OL08-00-040080 stigid@rhel7: RHEL-07-020100 From 6c867ce5f8d1e0ef661d5cb2c4ed4f076b7e30a3 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 5 Jan 2024 15:56:51 +0100 Subject: [PATCH 5/8] OCP4 STIG: select rule for audit backlog limit SRG-APP-000092-CTR-000165 is about setting 'audit' and 'audit_backlog_limit' options. Only one of them was being set. --- controls/srg_ctr/SRG-APP-000092-CTR-000165.yml | 1 + .../coreos_audit_backlog_limit_kernel_argument/rule.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml b/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml index 2eb8e6f6368..f754f37bb16 100644 --- a/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml +++ b/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml @@ -7,5 +7,6 @@ controls: - cluster_logging_operator_exist - audit_log_forwarding_enabled - coreos_audit_option + - coreos_audit_backlog_limit_kernel_argument status: automated 
diff --git a/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml b/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml index 537a2d3c3fe..82417916fa0 100644 --- a/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml +++ b/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml @@ -23,7 +23,7 @@ identifiers: references: cis@rhel8: 4.1.1.4 nist: CM-6(a) - srg: SRG-OS-000254-GPOS-00095 + srg: SRG-OS-000254-GPOS-00095,SRG-APP-000092-CTR-000165 ocil_clause: 'audit backlog limit is not configured' From db5c285977fb8023341ed727ea60ea14f09f3abb Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 5 Jan 2024 16:03:41 +0100 Subject: [PATCH 6/8] SRG-APP-000141-CTR-000315: allow hid and hub Select rule USBGuard that authorizes hid and hub devices. --- controls/srg_ctr/SRG-APP-000141-CTR-000315.yml | 1 + .../guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml index 8b9a6c52c1e..a8e21dd0222 100644 --- a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml +++ b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml @@ -9,5 +9,6 @@ controls: - package_usbguard_installed - service_usbguard_enabled - configure_usbguard_auditbackend + - usbguard_allow_hid_and_hub status: automated diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml index 9c8f78df519..376f524af24 100644 --- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml +++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml 
@@ -29,7 +29,7 @@ identifiers: references: nist: CM-8(3),IA-3 ospp: FMT_SMF_EXT.1 - srg: SRG-OS-000114-GPOS-00059 + srg: SRG-OS-000114-GPOS-00059,SRG-APP-000092-CTR-000165 ocil_clause: 'USB devices of class 3 and 9:00 are not authorized' From 883a29322e38cdd747a2320bafec83dc5899540d Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 23 Jan 2024 13:36:36 +0100 Subject: [PATCH 7/8] Adjust kube remediation to urlencoding Fix kubernetes remediation for audit_delete_failed. --- .../policy_rules/audit_delete_failed/kubernetes/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml index 023388b6682..dab3d0eaa96 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml 
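Review bot: The `srg:` reference added to usbguard_allow_hid_and_hub names `SRG-APP-000092-CTR-000165` (the audit backlog control from patch 5), but this commit selects the rule under `SRG-APP-000141-CTR-000315`, so the rule's reference and the control that selects it disagree and any report built from rule references will attribute this rule to the wrong requirement. The line should read `srg: SRG-OS-000114-GPOS-00059,SRG-APP-000141-CTR-000315`, matching the commit subject.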
@@ -9,7 +9,7 @@ spec: storage: files: - contents: - source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete + source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A mode: 0600 path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules overwrite: true From b05da3de9c99dadcd84f117686ba508b6d556dcf Mon Sep 17 00:00:00 2001 
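Review bot: The new `source:` value correctly replaces the HTML-escaped `%26gt%3B%3D` (`&gt;=`) with `%3E%3D` (`>=`) in all four `auid>=1000` filters and appends a terminating `%0A`, but the rules remain a single hand-encoded data URL with nothing stopping the same escaping mistake from returning. Add a comment above the line, e.g. `# URL-encoded audit rules: four "-a always,exit ... -S unlink,unlinkat,rename,renameat -F exit=-EACCES|-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete" lines; use %XX escapes only, never HTML entities such as &gt;`. It is worth checking whether the kubernetes remediations of the per-syscall unsuccessful_file_modification rules selected in patch 2 carry the same `%26gt%3B` defect, as they are not part of this series.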
From: Watson Sato Date: Tue, 23 Jan 2024 18:02:22 +0100 Subject: [PATCH 8/8] Parametrize rule oauth token maxage rules Make rules `oauth_token_maxage` and `oauthclient_token_maxage` check the token expiry timeout based on a variable. Default timeout is 24h, but STIG requires it to be 8h. --- .../authentication/oauth_token_maxage/rule.yml | 4 +--- .../oauthclient_token_maxage/rule.yml | 4 +--- .../authentication/var_oauth_token_maxage.var | 16 ++++++++++++++++ products/ocp4/profiles/stig-v1r1.profile | 1 + 4 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 applications/openshift/authentication/var_oauth_token_maxage.var diff --git a/applications/openshift/authentication/oauth_token_maxage/rule.yml b/applications/openshift/authentication/oauth_token_maxage/rule.yml index e40f9415471..68d80cbeef5 100644 --- a/applications/openshift/authentication/oauth_token_maxage/rule.yml +++ b/applications/openshift/authentication/oauth_token_maxage/rule.yml @@ -68,6 +68,4 @@ template: filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} yamlpath: ".tokenConfig.accessTokenMaxAgeSeconds" check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" + xccdf_variable: var_oauth_token_maxage diff --git a/applications/openshift/authentication/oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauthclient_token_maxage/rule.yml index 51595d807cd..3255bd63883 100644 --- a/applications/openshift/authentication/oauthclient_token_maxage/rule.yml +++ b/applications/openshift/authentication/oauthclient_token_maxage/rule.yml @@ -63,6 +63,4 @@ template: check_existence_yamlpath: ".items[:].grantMethod" check_existence: "all_exist" entity_check: "all" - values: - - value: ".*" - operation: "pattern match" + xccdf_variable: var_oauth_token_maxage 
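Review bot: Both rule hunks replace the `values: - value: ".*"` pattern match with `xccdf_variable: var_oauth_token_maxage`, yet the rule that SRG-APP-000400-CTR-000960 actually selects in patch 1 is `oauth_or_oauthclient_token_maxage`, which this commit does not touch; unless that combined rule is built from these two checks (not visible in the series), the STIG control still evaluates the old match-anything check and the 8h requirement is not enforced. Either parametrize the combined rule the same way or state in the commit message how it picks up the variable. The `template:` blocks of both rules begin above the hunks.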
diff --git a/applications/openshift/authentication/var_oauth_token_maxage.var b/applications/openshift/authentication/var_oauth_token_maxage.var new file mode 100644 index 00000000000..9f52243ab43 --- /dev/null +++ b/applications/openshift/authentication/var_oauth_token_maxage.var @@ -0,0 +1,16 @@ +documentation_complete: true + +title: 'OAuth Token Maximum Age' + +description: 'Enter OAuth Token Maximum Age Timeout' + +type: number + +operator: equals + +interactive: true + +options: + default: 86400 + 24h: 86400 + 8h: 28800 diff --git a/products/ocp4/profiles/stig-v1r1.profile b/products/ocp4/profiles/stig-v1r1.profile index 96056451d63..6c70dba5801 100644 --- a/products/ocp4/profiles/stig-v1r1.profile +++ b/products/ocp4/profiles/stig-v1r1.profile @@ -25,6 +25,7 @@ selections: - srg_ctr:all ### Variables - var_openshift_audit_profile=WriteRequestBodies + - var_oauth_token_maxage=8h ### Helper Rules ### This is a helper rule to fetch the required api resource for detecting OCP version - version_detect_in_ocp
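Review bot: `operator: equals` in var_oauth_token_maxage.var means the comparison passes only when `accessTokenMaxAgeSeconds` is exactly the selected value, so a cluster configured with a lifetime shorter than 28800 seconds (stricter than the 8h ceiling the commit message describes) would be reported as failing. Since the requirement is a maximum, `operator: less than or equal` expresses it correctly if the yamlfile_value template derives its comparison from the variable's operator; if it does not, the template's own operation needs the same change. The `description:` should also name the unit, e.g. `description: 'Maximum age of OAuth access tokens, in seconds'`, since the profile entry `- var_oauth_token_maxage=8h` hides the numeric value from anyone reading the report.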