Update SRG-OS-000096-GPOS-00050 for RHEL 9 STIG #8497
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Start a new ephemeral environment with changes proposed in this pull request: |
jan-cerny
commented
Apr 6, 2022
|
This datastream diff is auto generated by the check Click here to see the full diffNew datastream is missing OVAL for rule 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports'.
New datastream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports'.
OCIL for rule 'xccdf_org.ssgproject.content_rule_chronyd_client_only' differs:
--- old datastream
+++ new datastream
@@ -2,5 +2,5 @@
$ grep '\bport\b' /etc/chrony.conf
The output should return
port 0
- Is it the case that it does not exist or port is set to non-zero value?
+ Is it the case that port is not set or port is set to non-zero value?
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_client_only'.
OCIL for rule 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network' differs:
--- old datastream
+++ new datastream
@@ -2,5 +2,5 @@
$ grep '\bcmdport\b' /etc/chrony.conf
The output should return
cmdport 0
- Is it the case that it does not exist or port is set to non-zero value?
+ Is it the case that cmdport is not set or cmdport is set to non-zero value?
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network'.
OCIL for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs:
--- old datastream
+++ new datastream
@@ -17,5 +17,5 @@
If it is a port:
22/tcp
- Is it the case that ?
+ Is it the case that sshd service is disabled by firewall?
New datastream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled'. |
Member
|
/retest |
jan-cerny
added a commit
to jan-cerny/scap-security-guide
that referenced
this pull request
Apr 13, 2022
…enabled During our work on SRG-OS-000096-GPOS-00050 we have discovered the following: - The requirement "The firewall should be configured sanely" isn't possible to be automated by SCAP because services and ports differ on different systems. - At the same time there is rule "configure_firewalld_ports" that tries to implement it. - The rule "configure_firewalld_ports" is internally inconsistent - its rationale and description are about generic firewall configuration, but OVAL and bash check and configure that sshd service is enabled in firewall. - But we also have rule firewalld_sshd_port_enabled which checks that sshd service is enabled in firewall. - Our STIG workflow recommends us that OCIL and fix should be aligned with bash and OVAL which means if we create OCIL and fix for rule configure_firewalld_ports according to this rule's existing bash and OVAL the rule would be even more internally inconsistent - it would be basically a copy of firewalld_sshd_port_enabled with a misleading generic title. Therefore, in this commit, we make the rule configure_firewalld_ports generic, remove everything related to sshd from this rule, remove OVAL and bash because of non-automated character of this rule, and instead update rule firewalld_sshd_port_enabled with the remediation. See discussion in the pull request: ComplianceAsCode#8497
Member
|
/retest |
Member
|
@jan-cerny looks like this PR needs a rebase. Not sure why the boot hasn't told you about that. |
jan-cerny
added a commit
to jan-cerny/scap-security-guide
that referenced
this pull request
Apr 19, 2022
…enabled During our work on SRG-OS-000096-GPOS-00050 we have discovered the following: - The requirement "The firewall should be configured sanely" isn't possible to be automated by SCAP because services and ports differ on different systems. - At the same time there is rule "configure_firewalld_ports" that tries to implement it. - The rule "configure_firewalld_ports" is internally inconsistent - its rationale and description are about generic firewall configuration, but OVAL and bash check and configure that sshd service is enabled in firewall. - But we also have rule firewalld_sshd_port_enabled which checks that sshd service is enabled in firewall. - Our STIG workflow recommends us that OCIL and fix should be aligned with bash and OVAL which means if we create OCIL and fix for rule configure_firewalld_ports according to this rule's existing bash and OVAL the rule would be even more internally inconsistent - it would be basically a copy of firewalld_sshd_port_enabled with a misleading generic title. Therefore, in this commit, we make the rule configure_firewalld_ports generic, remove everything related to sshd from this rule, remove OVAL and bash because of non-automated character of this rule, and instead update rule firewalld_sshd_port_enabled with the remediation. See discussion in the pull request: ComplianceAsCode#8497
jan-cerny
force-pushed
the
SRG-OS-000096-GPOS-00050
branch
from
0d7fea8 to
0e27fe0
Compare
Collaborator
Author
|
I have rebased this pull request on the top of the current upstream master branch and I have changed fix to fixtext. |
jan-cerny
added a commit
to jan-cerny/scap-security-guide
that referenced
this pull request
Apr 19, 2022
…enabled During our work on SRG-OS-000096-GPOS-00050 we have discovered the following: - The requirement "The firewall should be configured sanely" isn't possible to be automated by SCAP because services and ports differ on different systems. - At the same time there is rule "configure_firewalld_ports" that tries to implement it. - The rule "configure_firewalld_ports" is internally inconsistent - its rationale and description are about generic firewall configuration, but OVAL and bash check and configure that sshd service is enabled in firewall. - But we also have rule firewalld_sshd_port_enabled which checks that sshd service is enabled in firewall. - Our STIG workflow recommends us that OCIL and fix should be aligned with bash and OVAL which means if we create OCIL and fix for rule configure_firewalld_ports according to this rule's existing bash and OVAL the rule would be even more internally inconsistent - it would be basically a copy of firewalld_sshd_port_enabled with a misleading generic title. Therefore, in this commit, we make the rule configure_firewalld_ports generic, remove everything related to sshd from this rule, remove OVAL and bash because of non-automated character of this rule, and instead update rule firewalld_sshd_port_enabled with the remediation. See discussion in the pull request: ComplianceAsCode#8497
jan-cerny
force-pushed
the
SRG-OS-000096-GPOS-00050
branch
from
0e27fe0 to
e5af623
Compare
Mab879
requested changes
Apr 19, 2022
...de/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
Show resolved
Hide resolved
Collaborator
Author
|
I have add fixtext to configure_firewalld_ports |
This will make the macro text aligned with the bash remediation in the template shared/templates/kernel_module_disabled/bash.template.
…enabled During our work on SRG-OS-000096-GPOS-00050 we have discovered the following: - The requirement "The firewall should be configured sanely" isn't possible to be automated by SCAP because services and ports differ on different systems. - At the same time there is rule "configure_firewalld_ports" that tries to implement it. - The rule "configure_firewalld_ports" is internally inconsistent - its rationale and description are about generic firewall configuration, but OVAL and bash check and configure that sshd service is enabled in firewall. - But we also have rule firewalld_sshd_port_enabled which checks that sshd service is enabled in firewall. - Our STIG workflow recommends us that OCIL and fix should be aligned with bash and OVAL which means if we create OCIL and fix for rule configure_firewalld_ports according to this rule's existing bash and OVAL the rule would be even more internally inconsistent - it would be basically a copy of firewalld_sshd_port_enabled with a misleading generic title. Therefore, in this commit, we make the rule configure_firewalld_ports generic, remove everything related to sshd from this rule, remove OVAL and bash because of non-automated character of this rule, and instead update rule firewalld_sshd_port_enabled with the remediation. See discussion in the pull request: ComplianceAsCode#8497
Originally, check and remediation for enabling sshd ports were a part of rule configure_firewalld_ports, but that rule was meant to be generic. We moved these checks and remediations to firewalld_sshd_port_enabled. So we add firewalld_sshd_port_enabled to this control to keep the original intent.
jan-cerny
force-pushed
the
SRG-OS-000096-GPOS-00050
branch
from
35388d2 to
44697ba
Compare
Collaborator
Author
|
/retest |
marcusburghardt
requested changes
Apr 28, 2022
...de/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
Outdated
Show resolved
Hide resolved
...de/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
Show resolved
Hide resolved
Collaborator
Author
|
I have Fix firewalld command for adding services |
|
@jan-cerny: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Member
|
@Mab879 , I didn't merge so you also have opportunity to update your last review. Thanks |
Mab879
approved these changes
May 2, 2022
Member
|
Tests pass locally. |
lonicerae
pushed a commit
to lonicerae/content
that referenced
this pull request
May 18, 2022
…enabled During our work on SRG-OS-000096-GPOS-00050 we have discovered the following: - The requirement "The firewall should be configured sanely" isn't possible to be automated by SCAP because services and ports differ on different systems. - At the same time there is rule "configure_firewalld_ports" that tries to implement it. - The rule "configure_firewalld_ports" is internally inconsistent - its rationale and description are about generic firewall configuration, but OVAL and bash check and configure that sshd service is enabled in firewall. - But we also have rule firewalld_sshd_port_enabled which checks that sshd service is enabled in firewall. - Our STIG workflow recommends us that OCIL and fix should be aligned with bash and OVAL which means if we create OCIL and fix for rule configure_firewalld_ports according to this rule's existing bash and OVAL the rule would be even more internally inconsistent - it would be basically a copy of firewalld_sshd_port_enabled with a misleading generic title. Therefore, in this commit, we make the rule configure_firewalld_ports generic, remove everything related to sshd from this rule, remove OVAL and bash because of non-automated character of this rule, and instead update rule firewalld_sshd_port_enabled with the remediation. See discussion in the pull request: ComplianceAsCode#8497
Vincent056
pushed a commit
to Vincent056/cac-content-fork
that referenced
this pull request
May 24, 2022
…enabled During our work on SRG-OS-000096-GPOS-00050 we have discovered the following: - The requirement "The firewall should be configured sanely" isn't possible to be automated by SCAP because services and ports differ on different systems. - At the same time there is rule "configure_firewalld_ports" that tries to implement it. - The rule "configure_firewalld_ports" is internally inconsistent - its rationale and description are about generic firewall configuration, but OVAL and bash check and configure that sshd service is enabled in firewall. - But we also have rule firewalld_sshd_port_enabled which checks that sshd service is enabled in firewall. - Our STIG workflow recommends us that OCIL and fix should be aligned with bash and OVAL which means if we create OCIL and fix for rule configure_firewalld_ports according to this rule's existing bash and OVAL the rule would be even more internally inconsistent - it would be basically a copy of firewalld_sshd_port_enabled with a misleading generic title. Therefore, in this commit, we make the rule configure_firewalld_ports generic, remove everything related to sshd from this rule, remove OVAL and bash because of non-automated character of this rule, and instead update rule firewalld_sshd_port_enabled with the remediation. See discussion in the pull request: ComplianceAsCode#8497
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
add missing fix texts, missing Ansible, improve OCIL
Rationale:
RHEL 9 STIG