
Add modified audit suid privilege function rule for CIS #10729

Merged

Conversation

Mackemania
Contributor

Description:

Add a new rule to accommodate the differences between STIG and CIS regarding execve audit in RHEL8 and RHEL9.

When analyzing a RHEL8 or RHEL9 server with the CIS Workbench after remediation it fails the settings of audit execve because of a difference between STIG and CIS in recommended settings.

Review Hints:

The new rule is a modified copy of the rule audit_rules_suid_privilege_function.

@Mackemania Mackemania requested a review from a team as a code owner June 19, 2023 09:36
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 19, 2023
@openshift-ci

openshift-ci bot commented Jun 19, 2023

Hi @Mackemania. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


@Mackemania Mackemania force-pushed the cis_rhel8_rhel9_audit_suid branch 2 times, most recently from a6e4d80 to 38076ee Compare June 19, 2023 09:50
@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function'.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -91,9 +91,6 @@
 RHEL-08-030000
 
 [reference]:
-4.1.3.2
-
-[reference]:
 SV-230386r854037_rule
 
 [rationale]:
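Review bot: Dropping the `4.1.3.2` entry from the `[reference]` block of `audit_rules_suid_privilege_function` is only safe if the new rule introduced by this PR now carries that CIS reference for both RHEL 8 and RHEL 9; this diff shows only the old rule losing it, so please confirm the new rule's references list `4.1.3.2`, otherwise the CIS profiles end up with no rule mapped to that recommendation.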

@marcusburghardt
Member

Could you provide more details about the differences between STIG and CIS regarding the audit_rules_suid_privilege_function rule, please?

@Mackemania
Contributor Author

Could you provide more details about the differences between STIG and CIS regarding the audit_rules_suid_privilege_function rule, please?

STIG definition:

```
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
```

CIS definition:

```
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
```

STIG has focused on both uid and gid while CIS only cares about the uid. The reason why the CIS Workbench fails the analysis is the missing auid parameter and the euid=0.
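To make the difference concrete, here is an added checker (not code from the PR or from ComplianceAsCode) that parses auditctl-style rule lines and reports, per architecture, why a rule set would not satisfy the CIS execve expectation quoted above: no `-C euid!=uid` comparison, no `-F auid!=unset` filter, or an `-F euid=0` filter that narrows the rule to root-only escalations. The sample rule text is copied from the comment above; the function names and the normalisation of `uid!=euid` versus `euid!=uid` are this example's own assumptions.

```python
"""Check execve audit rules against the CIS 'user emulation' expectation."""
import shlex

# Sample rule sets, constructed from the STIG and CIS lines quoted in the PR.
STIG_RULES = """
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
"""

CIS_RULES = """
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
"""


def parse_rule(line):
    """Turn one auditctl rule line into a dict of option -> value(s).

    Repeatable options (-F, -C, -S) accumulate into sets; -a and -k keep
    a single value. Assumes every option is followed by exactly one value,
    which holds for the rule syntax used in these benchmarks.
    """
    tokens = shlex.split(line)
    rule = {"-F": set(), "-C": set(), "-S": set()}
    for opt, val in zip(tokens[0::2], tokens[1::2]):
        if opt in rule:
            rule[opt].add(val)
        else:
            rule[opt] = val
    return rule


def normalize_compare(expr):
    """'uid!=euid' and 'euid!=uid' test the same thing; canonicalise order."""
    if "!=" in expr:
        left, right = expr.split("!=", 1)
        return "!=".join(sorted((left, right)))
    return expr


def cis_execve_gaps(rules_text):
    """Return {arch: [problems]} for the CIS execve recommendation.

    An empty list for an architecture means at least one execve rule for
    that arch carries the euid!=uid comparison and the auid!=unset filter
    without restricting itself to euid=0. Otherwise each candidate rule is
    listed with the reasons it falls short (keyed by its -k audit key).
    """
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    gaps = {}
    for arch in ("b32", "b64"):
        candidates = [r for r in rules
                      if "execve" in r["-S"] and f"arch={arch}" in r["-F"]]
        problems = []
        matched = False
        for r in candidates:
            issues = []
            compares = {normalize_compare(c) for c in r["-C"]}
            if "euid!=uid" not in compares:
                issues.append("no -C euid!=uid comparison")
            if "auid!=unset" not in r["-F"]:
                issues.append("missing -F auid!=unset")
            if "euid=0" in r["-F"]:
                issues.append("-F euid=0 narrows the rule to root-only escalations")
            if not issues:
                matched = True
                break
            problems.append(f"{r.get('-k')}: " + ", ".join(issues))
        gaps[arch] = [] if matched else (problems or ["no execve rule for this arch"])
    return gaps


if __name__ == "__main__":
    for name, text in (("STIG", STIG_RULES), ("CIS", CIS_RULES)):
        print(name, cis_execve_gaps(text))
```

Run against the STIG lines, the b32 and b64 entries each list the `setuid` rule as missing `auid!=unset` and carrying `euid=0`, and the `setgid` rule as lacking the uid comparison altogether, which is exactly why the CIS Workbench rejects the STIG remediation; the CIS lines produce empty lists for both architectures. Feeding the output of `auditctl -l` on a remediated host into the same function gives the same verdict without a Workbench run.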

@Mackemania Mackemania force-pushed the cis_rhel8_rhel9_audit_suid branch 4 times, most recently from 89c1fbc to 2064493 Compare June 21, 2023 07:36
Add a new rule to accommodate the differences between STIG and CIS
regarding execve audit in RHEL8 and RHEL9.

When analyzing a RHEL8 or RHEL9 server with the CIS Workbench after
remediation it fails the settings of `audit execve` because
of a difference between STIG and CIS in recommended settings.
@openshift-ci

openshift-ci bot commented Jun 21, 2023

@Mackemania: The label(s) /label CIS , /label Ansible , /label Bash cannot be applied. These labels are supported: platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, downstream-change-needed, rebase/manual, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label CIS
/label Ansible
/label Bash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jan-cerny jan-cerny added New Rule Issues or pull requests related to new Rules. Ansible Ansible remediation update. Bash Bash remediation update. Update Profile Issues or pull requests related to Profiles updates. labels Jun 21, 2023
@jan-cerny jan-cerny added this to the 0.1.69 milestone Jun 21, 2023
@Mackemania
Contributor Author

Would it be possible to rerun the checks? Automatus Fedora / Run Tests (pull_request) got a http 503 from one of the repos.

@marcusburghardt
Member

> Could you provide more details about the differences between STIG and CIS regarding the audit_rules_suid_privilege_function rule, please?
>
> STIG definition:
>
> ```
> -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
> -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
> -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
> -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
> ```
>
> CIS definition:
>
> ```
> -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
> -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
> ```
>
> STIG has focused on both uid and gid while CIS only cares about the uid. The reason why the CIS Workbench fails the analysis is the missing auid parameter and the euid=0.

Thanks for the context. I think this could also be resolved with variables instead of a new rule.
On the other hand, a new rule could also work, but I would use a more generic name instead of fixing the benchmark name on it. Supposing the STIG adopts the same approach as CIS in the future, it would be weird to use an audit_rules_suid_privilege_function_cis rule for STIG. This is just an example.

Please, consider the introduction of a variable for this rule or renaming the new rule.

@Mackemania
Contributor Author

> Could you provide more details about the differences between STIG and CIS regarding the audit_rules_suid_privilege_function rule, please?
>
> STIG definition:
>
> ```
> -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
> -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
> -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
> -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
> ```
>
> CIS definition:
>
> ```
> -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
> -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
> ```
>
> STIG has focused on both uid and gid while CIS only cares about the uid. The reason why the CIS Workbench fails the analysis is the missing auid parameter and the euid=0.
>
> Thanks for the context. I think this could also be resolved with variables instead of a new rule. On the other hand, a new rule could also work, but I would use a more generic name instead of fixing the benchmark name on it. Supposing the STIG adopts the same approach as CIS in the future, it would be weird to use an audit_rules_suid_privilege_function_cis rule for STIG. This is just an example.
>
> Please, consider the introduction of a variable for this rule or renaming the new rule.

Thank you! I will change the name. We tried introducing variables, but since the benchmark isn't available when compiling the Jinja macros for the remediations and documentation, it became impossible.

@jan-cerny jan-cerny self-assigned this Jun 26, 2023
Co-authored-by: Jan Černý <jcerny@redhat.com>
@jan-cerny
Collaborator

The fail on Fedora Rawhide is caused by OpenSCAP/openscap#1995 and isn't related to the contents of this PR.

@codeclimate

codeclimate bot commented Jun 27, 2023

Code Climate has analyzed commit 85f0389 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.8% (0.0% change).

View more on Code Climate.

@jan-cerny
Collaborator

/packit test

@jan-cerny jan-cerny merged commit 1c3ca48 into ComplianceAsCode:master Jun 29, 2023
30 of 33 checks passed