Filter out RHEL8 STIG rules on RHV hosts #7961
Skipping CI for Draft Pull Request.
Here is an example report on a RHVH host: (GH doesn't support HTML attachments, just download and rename it to
warnings:
    - general: |-
        This rule is disabled on Red Hat Virtualization Hosts, it will report not applicable.
        RHV hosts require root access to be managed by RHV Manager.
@almusil Let me know how precise this is.
Any info about the other rule is appreciated too.
This sounds like a good explanation.
    <linux:object object_ref="obj_env_has_ovirt-host_installed" />
</linux:rpminfo_test>
<linux:rpminfo_object id="obj_env_has_ovirt-host_installed" version="1">
    <linux:name>ovirt-host</linux:name>
Can this rule check multiple packages? Sorry I did not emphasize this enough, but the profile should apply to both hosts and the manager, which would mean having ovirt-host OR ovirt-engine installed. Does it make sense?
Can this rule check multiple packages?
Yes, it is possible to check for multiple packages.
Sorry I did not emphasize this enough, but the profile should apply to both hosts and the manager, which would mean having ovirt-host OR ovirt-engine installed. Does it make sense?
It makes sense, but then the question I have is if the hosts and the manager will always have the same restrictions. Could a rule be ok for the manager but not for the host? Or vice-versa?
For example, does the system acting as the manager also need to allow for root login?
I guess one complicator is that the manager can be self-hosted, right?
In this case a single system acts both as the manager and the host.
So it should be simpler to extend the platform to identify both host and manager.
It makes sense, but then the question I have is if the hosts and the manager will always have the same restrictions. Could a rule be ok for the manager but not for the host? Or vice-versa?
It should not hurt if the rule applies for both.
For example, does the system acting as the manager also need to allow for root login?
The regular manager does not, but, as you have mentioned, the HE needs it.
I guess one complicator is that the manager can be self-hosted, right?
In this case a single system acts both as the manager and the host.
So it should be simpler to extend the platform to identify both host and manager.
We have counted 6 or 7 rules that will be excluded (for the 7th it is not yet decided if we can fix it). And ~half of them are common for both, so I am not sure if it makes sense to split it. If it does, I won't have anything against that.
One problem with having the same restrictions for both the manager and the hosts is that they will not be as aligned/hardened to the STIG standard as they could be. It could also end up misleading sysadmins and auditors.
On second thought, it is probably not that complicated to distinguish rules that don't work for the manager, don't work for the hosts, or don't work for both.
On the self-hosted engine case (HE), are both ovirt-host and ovirt-engine installed on the machine?
No, HE has only ovirt-engine installed because it is a VM running on the first host.
Edit: Sorry, I had swapped ovirt-host and ovirt-engine; HE has only ovirt-engine, not ovirt-host.
So I guess the Host running the virtualized Manager needs the same kind of "freedom" as the Manager?
Anyway, we can go with the simpler approach and improve if necessary.
Except for some installation steps, the host is not that special. But I agree, let's have a common exclude for both.
linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml
linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml
/retest
@yuumasato Can we please add:
That should be everything for now, thank you
Just a small rephrase, I'd change it to:
@yuumasato Also just for clarification, these skips will happen on all profiles, right? Not only the DISA STIG. We are also interested in PCI DSS, so if we need to also add something specific to that profile, or if we would be good to go with those rules applying to it also.
@almusil Hi, I have filtered out the two rules you mention.
Yes, the rule will be skipped no matter the profile. There is no need for something specific for PCI-DSS.
I see that for the PCI-DSS profile we only removed libreswan related rules:
/retest
/retest
LGTM, I have these questions/suggestions:
- Would it make sense to reformulate the condition as if "rhel" in product, to be more future-proof?
- What about introducing helper macros rhel_not_ovirt_platform() and rhel_not_ovirt_warning(define_warning_block=true) that would add a platform, and that would define the whole warning block or provide just the "general" warning for cases when there already is one. Having a lot of code copy-pasted around is prone to copy-paste errors and typos.
@matejak Thank you for your review and questions/suggestions.
Probably not, each release of RHV is based on a specific version of RHEL.
I have added two macros, one for the platform and another for the warning, together with a change in the build to make the rules more readable.
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q no_ovirt; then
for f in /etc/sudoers /etc/sudoers.d/* ; do
if [ ! -e "$f" ] ; then
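Review bot: the new guard `if rpm --quiet -q no_ovirt; then` queries the RPM database for a package literally named no_ovirt, but no_ovirt is the platform's name, not a package; the platform is meant to express that neither ovirt-host nor ovirt-engine is installed. As generated, the condition is false on every host, so the sudoers loop in this hunk never runs and the else branch below always fires. The build's mapping from the no_ovirt CPE to a bash check needs an inverted package test, along the lines of `if ! rpm --quiet -q ovirt-host && ! rpm --quiet -q ovirt-engine; then`, rather than the default "package installed" template. The same condition recurs in every bash hunk of this diff.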
@@ -13,3 +15,7 @@
/usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
fi
done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,24 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-82197-5
+ - DISA-STIG-RHEL-08-010380
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_remove_nopasswd
+
- name: Find /etc/sudoers.d/ files
find:
paths:
- /etc/sudoers.d/
register: sudoers
+ when: '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-82197-5
- DISA-STIG-RHEL-08-010380
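Review bot: `when: '"no_ovirt" in ansible_facts.packages'` on the find task has the same defect as the bash guard: it is true only when a package called no_ovirt is installed, so the task is skipped on every host, including plain RHEL systems where the rule should apply. The condition should test for the absence of the role packages, e.g. `when: '"ovirt-host" not in ansible_facts.packages and "ovirt-engine" not in ansible_facts.packages'`. The new "Gather the package facts" task itself is fine; carrying the full tag list keeps tag-filtered runs working.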
@@ -24,6 +40,7 @@
with_items:
- path: /etc/sudoers
- '{{ sudoers.files }}'
+ when: '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-82197-5
- DISA-STIG-RHEL-08-010380
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'
--- old datastream
+++ new datastream
-[]
+['cpe:/a:no_ovirt']
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q no_ovirt; then
# CAUTION: This remediation script will remove gssproxy
# from the system, and may remove any packages
@@ -10,3 +12,7 @@
yum remove -y "gssproxy"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,6 @@
-- name: Ensure gssproxy is removed
- package:
- name: gssproxy
- state: absent
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82943-2
- DISA-STIG-RHEL-08-040370
@@ -11,3 +10,18 @@
- low_severity
- no_reboot_needed
- package_gssproxy_removed
+
+- name: Ensure gssproxy is removed
+ package:
+ name: gssproxy
+ state: absent
+ when: '"no_ovirt" in ansible_facts.packages'
+ tags:
+ - CCE-82943-2
+ - DISA-STIG-RHEL-08-040370
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - package_gssproxy_removed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'
--- old datastream
+++ new datastream
-[]
+['cpe:/a:no_ovirt']
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,5 @@
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q no_ovirt; then
# CAUTION: This remediation script will remove tuned
# from the system, and may remove any packages
@@ -10,3 +12,7 @@
yum remove -y "tuned"
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,6 @@
-- name: Ensure tuned is removed
- package:
- name: tuned
- state: absent
+- name: Gather the package facts
+ package_facts:
+ manager: auto
tags:
- CCE-82904-4
- DISA-STIG-RHEL-08-040390
@@ -11,3 +10,18 @@
- low_severity
- no_reboot_needed
- package_tuned_removed
+
+- name: Ensure tuned is removed
+ package:
+ name: tuned
+ state: absent
+ when: '"no_ovirt" in ansible_facts.packages'
+ tags:
+ - CCE-82904-4
+ - DISA-STIG-RHEL-08-040390
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - package_tuned_removed
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed'
--- old datastream
+++ new datastream
-[]
+['cpe:/a:no_ovirt']
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q no_ovirt; }; then
# Comment out any occurrences of net.ipv4.ip_forward from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf ; do
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,31 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-81024-2
+ - DISA-STIG-RHEL-08-040260
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-SC-5
+ - NIST-800-53-SC-7(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_ip_forward
+
- name: List /etc/sysctl.d/*.conf files
find:
paths: /etc/sysctl.d/
contains: ^[\s]*net.ipv4.ip_forward.*$
patterns: '*.conf'
register: find_sysctl_d
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-81024-2
- DISA-STIG-RHEL-08-040260
@@ -28,7 +49,9 @@
regexp: ^[\s]*net.ipv4.ip_forward
replace: '#net.ipv4.ip_forward'
loop: '{{ find_sysctl_d.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-81024-2
- DISA-STIG-RHEL-08-040260
@@ -51,7 +74,9 @@
value: '0'
state: present
reload: true
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-81024-2
- DISA-STIG-RHEL-08-040260
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward'
--- old datastream
+++ new datastream
-['cpe:/a:machine']
+['cpe:/a:no_ovirt']
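Review bot: the platform list goes from ['cpe:/a:machine'] to ['cpe:/a:no_ovirt'], so the machine platform is replaced rather than combined with the new one, while the bash remediation for this rule above still ANDs the container check with the no_ovirt check. Please confirm the XCCDF applicability element keeps both CPEs; if only no_ovirt survives, a scanner will evaluate the rule as applicable inside containers while the remediation refuses to run, a mismatch between check and fix. The sshd_disable_root_login platform change below shows the same replacement.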
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q no_ovirt; }; then
if [ -e "/etc/ssh/sshd_config" ] ; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,26 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80901-2
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-08-010550
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.5
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(2)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-IA-2
+ - NIST-800-53-IA-2(5)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_root_login
+
- name: Disable SSH Root Login
block:
@@ -28,7 +51,9 @@
state: present
insertbefore: ^[#\s]*Match
validate: /usr/sbin/sshd -t -f %s
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-80901-2
- CJIS-5.5.6
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'
--- old datastream
+++ new datastream
-['cpe:/a:machine']
+['cpe:/a:no_ovirt']
bash remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,5 @@
-
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q no_ovirt; then
# remove packages
if rpm -q --quiet "xorg-x11-server-Xorg" ; then
@@ -26,3 +27,7 @@
# configure run level
systemctl set-default multi-user.target
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,17 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-83411-9
+ - DISA-STIG-RHEL-08-040320
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+ - xwindows_remove_packages
+
- name: Ensure xorg packages are removed
package:
name:
@@ -6,6 +20,7 @@
- xorg-x11-server-utils
- xorg-x11-server-Xwayland
state: absent
+ when: '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-83411-9
- DISA-STIG-RHEL-08-040320
@@ -23,6 +38,7 @@
dest: /etc/systemd/system/default.target
state: link
force: true
+ when: '"no_ovirt" in ansible_facts.packages'
tags:
- CCE-83411-9
- DISA-STIG-RHEL-08-040320
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_xwindows_remove_packages'
--- old datastream
+++ new datastream
-[]
+['cpe:/a:no_ovirt'] |
Yes, as we need to be sure that this applies to a specific version.
We are good then; moreover, as those conditions are now defined in macros, they are concentrated in one place, so future adjustments will be cheap and not error-prone.
/retest
The ocp4 CI failures are related to #8012
Adds a platform that checks if the ovirt-host package is installed. This is used to define the applicability of rules on RHV hosts.
Adds a warning to the rule clarifying that it can result in notapplicable on RHV hosts.
These rules impact RHV functionality; these warnings should help clarify why they result in notapplicable when scanning RHV hosts.
This updates and renames the CPE oVirt platforms to identify systems acting as a Host or Manager (ovirt), and adds a platform to identify systems with no oVirt role. The rule warnings are updated to reflect their applicability on Hosts and Managers. This also removes dpkg tests, as they are not needed.
These libraries are a dependency of the OpenStack Cinderlib storage provider.
IPv4 forwarding is required for the Hosted Engine bootstrap VM to reach the network outside of the initial host.
This macro takes in a rationale for why the rule is disabled for RHV and adds a 'general' warning together with boilerplate text.
This macro makes a rule not applicable on systems where oVirt is installed.
Empty keys were being added as None, but this can mess up loading of content where a list is expected. Not adding empty non-mandatory keys allows the keys to be empty in the rule.yml, making it possible to have cleaner rules when the macros ovirt_rule_notapplicable_warning() and rule_notapplicable_when_ovirt_installed() are used.
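The applicability rule the last commits describe ("not applicable on systems where oVirt is installed", i.e. applicable only when neither ovirt-host nor ovirt-engine is present), written as an added POSIX shell example; this is not the project's macro or its generated remediation code, and the function names, OVIRT_ROLE_PACKAGES and the INSTALLED_PACKAGES_FIXTURE test hook are assumptions. It also reproduces the literal rpm --quiet -q no_ovirt condition from the datastream diff above to show why that condition can never match.

```shell
#!/bin/sh
# Added example, not code from the ComplianceAsCode project: evaluates the
# "system has no oVirt role" applicability discussed in the PR, i.e. a rule
# applies only when neither ovirt-host nor ovirt-engine is installed.
# Function and variable names are assumptions, not the project's macros.

# Packages that mark a system as an RHV Host or Manager (from the PR discussion).
OVIRT_ROLE_PACKAGES="ovirt-host ovirt-engine"

# is_installed PKG: true when PKG is installed. For offline testing, a
# constructed fixture INSTALLED_PACKAGES_FIXTURE (space-separated names)
# replaces the real rpm database whenever it is set, even if empty.
is_installed() {
    if [ "${INSTALLED_PACKAGES_FIXTURE+set}" = set ]; then
        case " $INSTALLED_PACKAGES_FIXTURE " in
            *" $1 "*) return 0 ;;
        esac
        return 1
    fi
    rpm --quiet -q "$1"
}

# no_ovirt_platform: true when the host carries no oVirt role, so the rule
# applies. This is the inverted check the platform name expresses: every
# role package must be absent.
no_ovirt_platform() {
    for pkg in $OVIRT_ROLE_PACKAGES; do
        if is_installed "$pkg"; then
            return 1
        fi
    done
    return 0
}

# generated_guard: the literal condition that appears in the generated
# datastream diff (rpm --quiet -q no_ovirt). It looks up a package named
# after the platform, so it is false on any host, with or without oVirt.
generated_guard() {
    is_installed no_ovirt
}

# run_if_applicable CMD...: run a remediation only when the platform matches,
# mirroring the generated scripts' else branch. Returns 1 when skipped (the
# generated scripts only print the message).
run_if_applicable() {
    if no_ovirt_platform; then
        "$@"
    else
        >&2 echo 'Remediation is not applicable, nothing was done'
        return 1
    fi
}
```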
Rebased to include #8020
@yuumasato: The following tests failed, say
Indeed, those errors are unrelated, so I'll merge the PR.
Description:
ovirt-host, which is the base package for RHV virtualization hosts.
Rationale: