Add more SLE-15 stigs and CCE IDs to existing rules #6778
Conversation
- Change is to add SLE-15 stigs to existing rule.
- No new rules are added
- SLES-12-03040 should have been attached to sysctl_net_ipv6_conf_default_accept_redirects
- Added SLE-15 stigs
  - SLES-15-040440 'Disable SSH Access via Empty Passwords'
  - SLES-15-040290 'Disable X11 Forwarding'
  - SLES-15-040440 'Do Not Allow SSH Environment Options'
  - SLES-15-010050 'Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement'
  - SLES-15-020250 'Limit Password Reuse'
  - SLES-15-020160 'Set Password Strength Minimum Different Characters'
  - SLES-15-020140 'Set Password Strength Minimum Lowercase Characters'
  - SLES-15-020130 'Set Password Strength Minimum Uppercase Characters'
  - SLES-15-040062 'Disable Ctrl-Alt-Del Burst Action'
  - SLES-15-020200 'Set Password Minimum Age'
  - SLES-15-020100 'Verify Only Root Has UID 0'
  - SLES-15-020091 'Ensure that System Accounts Do Not Run a Shell Upon Login'
  - SLES-15-040100 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
  - SLES-15-030250 'Record Events that Modify the System's Discretionary Access Controls - chown'
  - SLES-15-030300 'Record Events that Modify the System's Discretionary Access Controls - fchmod'
  - SLES-12-030310 'Record Events that Modify the System's Discretionary Access Controls - fchmodat'
  - SLES-15-030260 'Record Events that Modify the System's Discretionary Access Controls - fchown'
  - SLES-15-030280 'Record Events that Modify the System's Discretionary Access Controls - fchownat'
  - SLES-15-030210 'Record Events that Modify the System's Discretionary Access Controls - fremovexattr'
  - SLES-15-030230 'Record Events that Modify the System's Discretionary Access Controls - fsetxattr'
  - SLES-15-030270 'Record Events that Modify the System's Discretionary Access Controls - lchown'
  - SLES-15-030200 'Record Events that Modify the System's Discretionary Access Controls - lremovexattr'
  - SLES-15-030240 'Record Events that Modify the System's Discretionary Access Controls - lsetxattr'
  - SLES-15-030190 'Record Events that Modify the System's Discretionary Access Controls - removexattr'
  - SLES-15-030220 'Record Events that Modify the System's Discretionary Access Controls - setxattr'
  - SLES-15-030160 'Record Unsuccessful Access Attempts to Files - creat'
  - SLES-15-030320 'Record Unsuccessful Access Attempts to Files - ftruncate'
  - SLES-15-030150 'Record Unsuccessful Access Attempts to Files - open'
  - SLES-15-030180 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
  - SLES-15-030170 'Record Unsuccessful Access Attempts to Files - openat'
  - SLES-15-030710 'Record Unsuccessful Delete Attempts to Files - rename'
  - SLES-15-030720 'Record Unsuccessful Delete Attempts to Files - renameat'
  - SLES-15-030740 'Record Unsuccessful Delete Attempts to Files - unlink'
  - SLES-15-030750 'Record Unsuccessful Delete Attempts to Files - unlinkat'
  - SLES-15-030350 'Ensure auditd Collects Information on the Use of Privileged Commands - mount'
  - SLES-15-030330 'Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit'
  - SLES-15-030500 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod'
  - SLES-15-030820 'Remove Default Configuration to Disable Syscall Auditing'
  - SLES-15-030140 'Ensure auditd Collects System Administrator Actions'
  - SLES-15-030660 'Configure a Sufficiently Large Partition for Audit Logs'
  - SLES-15-030790 'Configure audispd's Plugin network_failure_action On Network Failure'
  - SLES-15-040341 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
  - SLES-15-040350 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces'
  - SLES-15-040380 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
  - SLES-15-010351 'Verify that Shared Library Files Have Restrictive Permissions'
  - SLES-15-010570 'Configure Periodic Execution of AIDE'
Hi @brett060102. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Changes identified: Rule no_shelllogin_for_systemaccounts: Recommended tests to execute:
Tests have revealed duplicated CCEs in:
cce CCE-85678-1 is included in files:
- linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
- linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
cce CCE-85691-4 is included in files:
- linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
- linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -34,12 +35,14 @@ references: | |||
disa: CCI-000366,CCI-000766 | |||
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) | |||
nist: AC-17(a),CM-7(a),CM-7(b),CM-6(a) | |||
nist@sle15: CM-6 b,CM-6.1 (iv) |
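Review bot: the `nist@sle15` value `CM-6 b,CM-6.1 (iv)` added in this hunk carries embedded spaces, while the sibling `nist:` line directly above writes its controls without them (`AC-17(a),CM-7(a),CM-7(b),CM-6(a)`). Because the build splits reference values only on commas, `CM-6 b` and `CM-6.1 (iv)` are kept verbatim as identifiers, so they will never compare equal to a no-space form of the same controls used elsewhere in the content. Suggest writing them in the form the rest of the tree uses, e.g. `nist@sle15: CM-6(b),CM-6.1(iv)`, or stating in the PR why the spaced form from the STIG is intended here.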
we might have to check if spaces in the references section can be a problem. I've seen that a lot of them proposed in this PR contain spaces.
@ggbecker I can update to replace with (a),(b) etc, but that would be slightly different from what is in our STIG. I did not see an issue when I built this. I know we can't have a space following the comma. I am not sure about before the comma since I have not tried that case. I am OK with removing the spaces. I do see one other nist record with spaces:
jre/guide/java/java_jre_disable_untrusted_sources_locked/rule.yml: nist: SC-18 (3)
The only other occurrences I see are in sle12 or sle15 records. Again, happy to remove them, so please advise.
It seems that the build system is able to work with spaces. It splits using comma as the separator (https://github.com/ComplianceAsCode/content/blob/master/ssg/build_yaml.py#L1261).
So, I don't have any strong opinions against it. It's just for the sake of consistency, and I do understand that in the original NIST references the spaces are present. To be honest, I don't know if there was a reason to strip these whitespaces, it goes beyond my time in this project.
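The duplicate-CCE report earlier in the thread and the comma-only splitting of reference values described in this comment can both be reproduced offline. The script below is an added example, not code from the ComplianceAsCode project or from this PR: it parses the `references:` block of a few constructed, simplified rule.yml fragments (the paths and IDs are the ones named in the thread; the file contents are made up and omit the real files' other keys and Jinja macros) with a minimal line-based parser rather than the project's YAML loader, splits every value on commas the way this comment says the build does (an assumption about build_yaml.py, not a reading of it), and reports CCE IDs shared by more than one rule as well as identifiers that still contain whitespace after the split.

```python
"""Added example, not ComplianceAsCode project code: check rule.yml
reference blocks for duplicated CCE IDs and whitespace inside identifiers."""
import re
from collections import defaultdict

# Paths are the ones named in the PR thread; the file contents below are
# constructed and simplified (real rule.yml files carry more keys and macros).
PAM_REMEMBER = ("linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/"
                "accounts_password_pam_unix_remember/rule.yml")
MIN_AGE = ("linux_os/guide/system/accounts/accounts-restrictions/password_expiration/"
           "accounts_minimum_age_login_defs/rule.yml")
FCHOWN = ("linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/"
          "audit_rules_dac_modification_fchown/rule.yml")

SAMPLE_RULES = {
    PAM_REMEMBER: """
documentation_complete: true
title: 'Limit Password Reuse'
references:
    cce@sle15: CCE-85678-1
    stigid@sle15: SLES-15-020250
    nist@sle15: CM-6 b,CM-6.1 (iv)
""",
    MIN_AGE: """
documentation_complete: true
title: 'Set Password Minimum Age'
references:
    cce@sle15: CCE-85678-1
    stigid@sle15: SLES-15-020200
""",
    FCHOWN: """
documentation_complete: true
title: 'Record Events that Modify the System''s Discretionary Access Controls - fchown'
references:
    cce@sle15: CCE-85691-4
    disa: CCI-000366,CCI-000766
    nist: AC-17(a),CM-7(a),CM-7(b),CM-6(a)
    stigid@sle15: SLES-15-030260
""",
}

REFERENCES_HEADER = re.compile(r"^references:\s*$")
REFERENCE_LINE = re.compile(r"^\s+([\w@.-]+):\s*(.*)$")


def parse_references(rule_text):
    """Return {reference key: [identifiers]} from the indented references: block.

    Values are split on ',' only (assumed to mirror the build); identifiers are
    deliberately NOT stripped, so a space before or after a comma, or inside an
    identifier such as 'CM-6 b', survives and can be flagged by the caller.
    """
    refs = {}
    in_refs = False
    for line in rule_text.splitlines():
        if not line.strip():
            continue
        if REFERENCES_HEADER.match(line):
            in_refs = True
            continue
        if not in_refs:
            continue
        m = REFERENCE_LINE.match(line)
        if not m:
            in_refs = False  # a non-indented line ends the block
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        refs[key] = [v for v in value.split(",") if v]
    return refs


def find_duplicate_cces(rules):
    """Return {cce: [rule paths]} for every CCE declared by more than one rule."""
    owners = defaultdict(list)
    for path, text in rules.items():
        for key, ids in parse_references(text).items():
            if key == "cce" or key.startswith("cce@"):
                for cce in ids:
                    owners[cce].append(path)
    return {cce: paths for cce, paths in owners.items() if len(paths) > 1}


def find_spaced_identifiers(rules):
    """Return (path, key, identifier) for every identifier containing whitespace."""
    hits = []
    for path, text in rules.items():
        for key, ids in parse_references(text).items():
            hits.extend((path, key, i) for i in ids if re.search(r"\s", i))
    return hits


if __name__ == "__main__":
    for cce, paths in find_duplicate_cces(SAMPLE_RULES).items():
        print(f"cce {cce} is included in files:")
        for p in paths:
            print(f"  - {p}")
    for path, key, ident in find_spaced_identifiers(SAMPLE_RULES):
        print(f"whitespace in {key} reference {ident!r} in {path}")
```

Pointing `SAMPLE_RULES` at real files (a `glob` over `linux_os/guide/**/rule.yml`) turns this into a pre-push check; because the parser is line-based it will silently miss reference keys in files that break YAML conventions, which is why the project's own ctest suite remains the authoritative check.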
@ggbecker The spaces should be gone now.
Will address the cce issue. Are there directions on running that test locally? I would really like to avoid that in the future.
From
or tests labeled as
More details on: https://complianceascode.readthedocs.io/en/latest/manual/developer/02_building_complianceascode.html?highlight=ctest#testing
@ggbecker Is this one OK now?
@brett060102 Yes, it's ok now. Thanks.
/ok-to-test
Changes here are mostly to SLE content, the chance of breaking something in OCP is low, and we can tackle any problem later if there is any.