
Update ANSSI R67 requirement #11642

Merged
merged 7 commits into from
Mar 18, 2024

Conversation

vojtapolasek
Collaborator

Description:

  • add RHEL specific rules for the requirement
  • change the platform OVAL for sssd-ldap to be applicable ONLY in case the id_provider is ldap; previously it was applicable if the provider was not Active Directory

Rationale:

  • ANSSI alignment
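As an added example (not code from this PR or from the ComplianceAsCode content), the script below models the applicability change in the description: the sssd_ldap_* checks only apply when an active domain uses id_provider = ldap, not when it uses ad (the old logic) and, per the discussion later in the thread, not ipa either. The two checks it then runs are this example's assumptions about what sssd_ldap_start_tls and sssd_ldap_configure_tls_reqcert require (ldap_id_use_start_tls = true and ldap_tls_reqcert = demand in every LDAP domain); the sssd.conf samples and hostnames are constructed.

```python
"""Model of the 'id_provider = ldap' platform check plus the two sssd_ldap_* checks.
Added example; the rule semantics below are assumptions, not the project's OVAL."""
import configparser
from typing import Dict, List

# Constructed sample sssd.conf contents (placeholder hostnames).
SSSD_LDAP_CONF = """\
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
"""

SSSD_AD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ad
ad_domain = example.test
# ldap_* keys under an AD domain must not make the LDAP rules applicable
ldap_tls_reqcert = allow
"""

SSSD_WEAK_LDAP_CONF = """\
[sssd]
domains = corp, lab

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

[domain/lab]
id_provider = ldap
ldap_uri = ldap://lab.example.test
ldap_tls_reqcert = allow

[domain/unused]
id_provider = ldap
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-like: '=' separated, '#'/';' comments, no interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = str  # sssd option names are case-sensitive
    cp.read_string(text)
    return cp


def active_domains(cp: configparser.ConfigParser) -> List[str]:
    """Domains sssd actually starts: only those listed in [sssd] domains=."""
    if not cp.has_section("sssd"):
        return []
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def ldap_domain_sections(cp: configparser.ConfigParser) -> List[str]:
    """Sections of active domains whose id_provider is exactly 'ldap'.
    'ad' is excluded (the old platform only excluded this) and so is 'ipa',
    which also talks LDAP but is not meant to be configured by hand."""
    out = []
    for d in active_domains(cp):
        sec = f"domain/{d}"
        provider = cp.get(sec, "id_provider", fallback="").strip().lower() if cp.has_section(sec) else ""
        if provider == "ldap":
            out.append(sec)
    return out


def platform_applicable(text: str) -> bool:
    """The new platform condition: at least one active domain with id_provider = ldap."""
    return bool(ldap_domain_sections(parse_sssd_conf(text)))


def evaluate(text: str) -> Dict[str, str]:
    """Per-rule result as XCCDF would report it: pass, fail or notapplicable."""
    cp = parse_sssd_conf(text)
    doms = ldap_domain_sections(cp)
    rules = ("sssd_ldap_start_tls", "sssd_ldap_configure_tls_reqcert")
    if not doms:
        return {r: "notapplicable" for r in rules}

    def setting(sec: str, key: str) -> str:
        return cp.get(sec, key, fallback="").strip().lower()

    # Every active LDAP domain must satisfy a check; one weak domain fails the rule.
    start_tls_ok = all(setting(s, "ldap_id_use_start_tls") == "true" for s in doms)
    reqcert_ok = all(setting(s, "ldap_tls_reqcert") == "demand" for s in doms)
    return {
        "sssd_ldap_start_tls": "pass" if start_tls_ok else "fail",
        "sssd_ldap_configure_tls_reqcert": "pass" if reqcert_ok else "fail",
    }


if __name__ == "__main__":
    for name, conf in (("ldap", SSSD_LDAP_CONF), ("ad", SSSD_AD_CONF), ("weak", SSSD_WEAK_LDAP_CONF)):
        print(name, platform_applicable(conf), evaluate(conf))
```

The third sample is the case the platform change is about: a config with two active LDAP domains where only one is hardened still fails both rules, while the unused [domain/unused] section is ignored because it is not in the domains= list, which is also why an sssd.conf with no domains (the service_sssd_enabled failure discussed below) yields notapplicable here rather than pass.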

@vojtapolasek vojtapolasek added OVAL OVAL update. Related to the systems assessments. Update Profile Issues or pull requests related to Profiles updates. ANSSI ANSSI Benchmark related. labels Mar 1, 2024
@vojtapolasek vojtapolasek added this to the 0.1.73 milestone Mar 1, 2024

github-actions bot commented Mar 1, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@vojtapolasek vojtapolasek force-pushed the update_anssi_r67 branch 2 times, most recently from 734f67f to c0da518 Compare March 1, 2024 15:33

github-actions bot commented Mar 1, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11642
This image was built from commit: 812469a

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11642

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11642 make deploy-local

@marcusburghardt
Member

Two rules are failing in testing-farm tests:

xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands - fail
xccdf_org.ssgproject.content_rule_service_sssd_enabled - fail 

The issue seems legit, but needs more investigation.

@Mab879 Mab879 self-assigned this Mar 6, 2024
Member

@Mab879 Mab879 left a comment

Please take a look at the CI failures.

@vojtapolasek
Collaborator Author

During investigation of a different requirement, I found out that this requirement needs a few more rules for the case of nss-pam-ldapd in RHEL 7. Marking as draft for now.

@vojtapolasek vojtapolasek marked this pull request as draft March 7, 2024 08:56
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 7, 2024
@vojtapolasek vojtapolasek marked this pull request as ready for review March 7, 2024 16:29
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Mar 7, 2024
Member

@Mab879 Mab879 left a comment

Please update the components files.

@Mab879
Member

Mab879 commented Mar 11, 2024

content_rule_audit_rules_privileged_commands

@vojtapolasek this comment is still valid.

@vojtapolasek
Collaborator Author

So audit_rules_privileged_commands is fixed by the second remediation. The fail is caused by the installation of sssd, which brings a bunch of privileged commands.
This diff shows the changes. The audit_1 directory is a copy of /etc/audit after the first remediation; audit_2 is a copy of /etc/audit after the second remediation.

diff -u audit_1/audit.rules audit_2/audit.rules
--- audit_1/audit.rules 2024-03-11 17:16:01.548651263 +0100
+++ audit_2/audit.rules 2024-03-11 17:17:51.379142220 +0100
@@ -75,3 +75,7 @@
 -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
 -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
 -w /etc/localtime -p wa -k audit_time_rules
+-a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
+-a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
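Review bot: the four added rules cover helpers that only exist once sssd is installed, so the first remediation pass cannot emit them; that is an ordering dependency (package_sssd_installed must be remediated before audit_rules_privileged_commands) which the thread relies on the test harness to satisfy by remediating twice. Rather than leaving it implicit, state the dependency in the rule or profile (or have the test install the package before the first pass) so a single-pass remediation on a real system does not leave the rule failing until the next run.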

The rule service_sssd_enabled fails, I think, because the sssd service fails to start. This is because there are no sssd domains configured. This I think deserves a warning on the rule. I will add it. Do you agree?
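As an added example (not code from the PR, the test harness, or the ComplianceAsCode remediation), the script below reproduces the ordering effect described in the comment above: it scans a directory tree for setuid/setgid files the way a privileged-commands remediation does, emits rules in the same shape as the four added lines, and diffs them against rules that were generated earlier. The file tree, the "package install" step and the rule template are constructed for the demonstration; on a real host the roots would be / and the current rules would come from /etc/audit/audit.rules or auditctl -l.

```python
"""Regenerate privileged-command audit rules and diff them against rules
generated earlier, showing why a package installed after the first remediation
leaves audit_rules_privileged_commands failing. Added example; all paths are
constructed under a temporary directory."""
import os
import re
import stat
import tempfile
from typing import List, Set

# Same shape as the rules in the diff above; assumed, not the project's template.
RULE_TMPL = ("-a always,exit -F path={path} -F perm=x "
             "-F auid>=1000 -F auid!=unset -F key=privileged")
PATH_RE = re.compile(r"-F path=(\S+)")


def find_privileged(roots: List[str]) -> List[str]:
    """Regular files with the setuid or setgid bit under roots
    (the same selection as `find / -xdev -type f -perm /6000`)."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append(path)
    return sorted(found)


def expected_rules(paths: List[str]) -> List[str]:
    return [RULE_TMPL.format(path=p) for p in paths]


def covered_paths(rules_text: str) -> Set[str]:
    """Paths already watched by a privileged-key rule in existing rules text."""
    out = set()
    for line in rules_text.splitlines():
        if "key=privileged" in line or "-k privileged" in line:
            m = PATH_RE.search(line)
            if m:
                out.add(m.group(1))
    return out


def missing_rules(rules_text: str, roots: List[str]) -> List[str]:
    """Rules a fresh remediation would add on top of rules_text."""
    have = covered_paths(rules_text)
    return expected_rules([p for p in find_privileged(roots) if p not in have])


def _mk_suid(path: str) -> None:
    """Create a placeholder setuid file (constructed test fixture)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"#!/bin/sh\n")
    os.chmod(path, 0o4755)


def demo():
    """First remediation, then a later 'sssd install', then the gap between them."""
    root = tempfile.mkdtemp(prefix="auditdemo-")
    _mk_suid(os.path.join(root, "usr/bin/sudo"))
    _mk_suid(os.path.join(root, "usr/bin/passwd"))
    # First remediation: rules for everything privileged that exists right now.
    rules_after_first = "\n".join(expected_rules(find_privileged([root])))
    # The package install adds new setuid helpers after the rules were written.
    for helper in ("krb5_child", "ldap_child", "proxy_child", "selinux_child"):
        _mk_suid(os.path.join(root, "usr/libexec/sssd", helper))
    gap = missing_rules(rules_after_first, [root])
    return rules_after_first, gap


if __name__ == "__main__":
    _first, gap = demo()
    print("rules missing after package install:")
    print("\n".join(gap))
```

The gap list is exactly the set of lines the second remediation appended in the diff above, which is the practical check: run missing_rules() against the loaded rules after every package transaction that can add setuid binaries, not only at remediation time.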


This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_ldap_client_start_tls'.
--- xccdf_org.ssgproject.content_rule_ldap_client_start_tls
+++ xccdf_org.ssgproject.content_rule_ldap_client_start_tls
@@ -298,6 +298,9 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+R67
+
 [rationale]:
 Without cryptographic integrity protections, information can be altered by
 unauthorized users without detection. The ssl directive specifies whether

New content has different text for rule 'xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath'.
--- xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
+++ xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
@@ -215,6 +215,9 @@
 [reference]:
 PR.PT-3
 
+[reference]:
+R67
+
 [rationale]:
 The tls_cacertdir or tls_cacertfile directives are required when
 tls_checkpeer is configured (which is the default for openldap versions 2.1 and

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath'
--- xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
+++ xccdf_org.ssgproject.content_rule_ldap_client_tls_cacertpath
@@ -1 +1 @@
-
+oval:ssg-package_nss-pam-ldapd:def:1
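Review bot: the platform for ldap_client_tls_cacertpath changes from empty (applicable everywhere) to oval:ssg-package_nss-pam-ldapd:def:1, but the diff shows only a reference change for ldap_client_start_tls, which reads the same nss-pam-ldapd configuration. Confirm that rule already carries the same package platform; otherwise a host without nss-pam-ldapd would get notapplicable for one R67 rule and still be evaluated by the other.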

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_sssd_installed'.
--- xccdf_org.ssgproject.content_rule_package_sssd_installed
+++ xccdf_org.ssgproject.content_rule_package_sssd_installed
@@ -155,5 +155,8 @@
 [reference]:
 PR.AC-7
 
+[reference]:
+R67
+
 [ident]:
 CCE-82444-1

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_sssd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_sssd_enabled
+++ xccdf_org.ssgproject.content_rule_service_sssd_enabled
@@ -7,6 +7,9 @@
 
 The sssd service can be enabled with the following command:
 $ sudo systemctl enable sssd.service
+
+[warning]:
+The service requires a valid sssd configuration. If the configuration is not present, the service will fail to start and consequently this rule will will be reported as failing. The configuration shipped in your distribution package might not be sufficient. Manual modification of configuration files might be required.
 
 [reference]:
 1
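Review bot: "this rule will will be reported as failing" in the new [warning] doubles "will". The warning would also be more useful if it named the concrete minimum, since per the thread an sssd.conf with no configured domain is exactly what stops the service: "The service requires a valid sssd configuration with at least one domain listed in the [sssd] domains option. If the configuration is not present, the service will fail to start and consequently this rule will be reported as failing."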
@@ -158,5 +161,8 @@
 [reference]:
 PR.AC-7
 
+[reference]:
+R67
+
 [ident]:
 CCE-82440-9

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_pam_services'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
+++ xccdf_org.ssgproject.content_rule_sssd_enable_pam_services
@@ -178,6 +178,9 @@
 [reference]:
 SRG-OS-000377-GPOS-00162
 
+[reference]:
+R67
+
 [rationale]:
 Using an authentication device, such as a CAC or token that is separate from
 the information system, ensures that even if the information system is

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert'.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
@@ -20,6 +20,9 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+R67
+
 [rationale]:
 Without a valid certificate presented to the LDAP client backend, the identity of a
 server can be forged compromising LDAP remote access sessions.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls'.
--- xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
+++ xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
@@ -290,6 +290,9 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+R67
+
 [rationale]:
 Without cryptographic integrity protections, information can be
 altered by unauthorized users without detection. The ssl directive specifies

@Mab879
Member

Mab879 commented Mar 12, 2024

The failures still look valid:

:: [ 09:45:37 ] :: [   FAIL   ] :: Rules not passing after remediation:
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands - fail
xccdf_org.ssgproject.content_rule_service_sssd_enabled - fail 

@vojtapolasek
Collaborator Author

@Mab879 I think this comment explains it. Any additional questions?
#11642 (comment)

@Mab879
Member

Mab879 commented Mar 15, 2024

@Mab879 I think this comment explains it. Any additional questions? #11642 (comment)

Those make sense. I would feel a bit more comfortable if there was a PR with these waivers before we merge. I don't want to fail everyone's CI for days.

Originally the platform was applicable only in case sssd was configured to use Active Directory.
There are two cases when sssd can use LDAP.
When ldap is specified explicitly or when using ipa.
However, it is not recommended to add manual settings to the sssd configuration when ipa is used.
The rule does not make sense if the nss-pam-ldapd package is not installed.

codeclimate bot commented Mar 18, 2024

Code Climate has analyzed commit 812469a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (0.0% change).

View more on Code Climate.

@vojtapolasek
Collaborator Author

@Mab879 I rebased and now the test is passing because there is double remediation used and this fixes the failing rule.

Member

@Mab879 Mab879 left a comment

Waiving the SLES 15 Automatus as these rules are not in SLES 15.

@Mab879 Mab879 merged commit d8ea9e8 into ComplianceAsCode:master Mar 18, 2024
43 of 44 checks passed