Coreos build - enable more rules #5018

redhatrises · 2019-11-14T23:38:35Z

Description:

Enable audit rules and audit configuration checks
Enable sysctl and kernel checks
Certain software has to be installed and running
Time has to be configured in chrony

ocp4/profiles/coreos-ncp.profile

jhrozek

LGTM. Thank you very much for working on the profile, Gabe! The profile builds and in general the added rules make sense to me.

I left a couple of questions inline. I think some rules might not be needed in an OCP environment, mostly I'm concerned about the IPv4 forwarding rule, although I have not tested out if disabling the sysctl really breaks OCP networking.

But if you want, please go ahead and merge the content. The point of the inline comments is not to block the PR, it's really just questions :-) We can (and will) iterate on the content later.

jhrozek · 2019-11-17T09:34:23Z

On 15 Nov 2019, at 17:48, Shawn Wells ***@***.***> wrote: @shawndwells commented on this pull request. In ocp4/profiles/coreos-ncp.profile: > - #- auditd_audispd_configure_remote_server - #- auditd_audispd_encrypt_sent_records - #- auditd_audispd_disk_full_action - #- auditd_audispd_network_failure_action - + - service_auditd_enabled + - var_auditd_flush=incremental_async + - auditd_data_retention_flush + - auditd_local_events + - auditd_write_logs + - auditd_log_format + - auditd_freq + - auditd_name_format + - var_auditd_action_mail_acct=root + - var_auditd_space_left_action=email + - auditd_audispd_configure_remote_server Showing my lack of product knowledge here - does that operator also pickup the CoreOS logs?

If you mean `/var/log/audit/audit.log` then yes. Otherwise, I’d have to look up the answer.

jhrozek · 2019-11-17T09:35:48Z

On 15 Nov 2019, at 17:42, Shawn Wells ***@***.***> wrote: @shawndwells commented on this pull request. In ocp4/profiles/coreos-ncp.profile: > @@ -140,75 +133,75 @@ selections: ### Kernel Config ## Boot prompt - #- grub2_audit_argument - #- grub2_audit_backlog_limit_argument - #- grub2_slub_debug_argument - #- grub2_page_poison_argument - #- grub2_vsyscall_argument - #- grub2_vsyscall_argument.role=unscored - #- grub2_vsyscall_argument.severity=info - #- grub2_pti_argument + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_slub_debug_argument + - grub2_page_poison_argument + - grub2_vsyscall_argument vsyscall is already disabled in other government profiles, such as the DoD baselines for RHEL. Having this rule in the ComplianceAsCode catalog allows for per-profile selection. For example the Government baselines may require this, and accept the implications, however more general-purpose baselines like PCI-DSS the rule may not need to be selected.

If it’s possible to opt-out in the unlikely case a customer would want to run a RHEL-6 container on an OCP4 cluster, then it’s fine. We might want to make this clear in the rule description, though. (Not as part of this PR of course)

- Remove ip_forward rule - Enable ipv6 disabling - Comment out audispd checks and add note that fluentd checks are needed

shawndwells · 2019-11-25T22:11:48Z

...de/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml

+    - functionality: |-
+        Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
+        Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
+        profiles or benchmarks that target usage of IPv4 forwarding.


Thanks for creating this warning. Should be very helpful for those tailoring or justifying dropping this rule locally based on how the endpoint is being used.

shawndwells

With all conversations resolved, ack'ing this PR.

redhatrises added the CoreOS CoreOS product related. label Nov 14, 2019

redhatrises added this to the 0.1.48 milestone Nov 14, 2019