Updates RHEL 9 STIG: Part 3 #9489

Merged (11 commits), Sep 9, 2022

Conversation

@Mab879 (Member) commented Sep 7, 2022

Description:

Various updates to rules based on external review.

Rationale:

Updates are needed to match external changes.

@Mab879 Mab879 added labels Sep 7, 2022: RHEL9 (Red Hat Enterprise Linux 9 product related), Update Rule (Issues or pull requests related to Rules updates), STIG (STIG Benchmark related)
@Mab879 Mab879 added this to the 0.1.64 milestone Sep 7, 2022
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 7, 2022
openshift-ci bot commented Sep 7, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions bot commented Sep 7, 2022

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Fedora Testing Environment
Oracle Linux 8 Environment

github-actions bot commented Sep 7, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot' differs.
--- ocil:ssg-partition_for_boot_ocil:questionnaire:1
+++ ocil:ssg-partition_for_boot_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /boot
-is on its own partition or logical volume:
-$ mount | grep "on /boot"
-If /boot has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /boot with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /boot
+
+ Is it the case that "/boot is not a mountpoint" is returned?
 
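Review bot: the clause on the last `+` line keys on the literal string "/boot is not a mountpoint", but `mountpoint` only prints that when the directory exists; for a missing directory it prints "mountpoint: /boot: No such file or directory" (still a non-zero exit), so a reader following the question as worded would record a pass. Phrasing the clause as "anything other than "/boot is a mountpoint" is returned" covers both outcomes. It is also worth stating in the description that `mountpoint` reports any mount (a bind mount or tmpfs included), not specifically a separate partition or logical volume as the removed text described; the old `mount | grep` check had the same property, so this is not a regression, just something the wording should not oversell. The same macro change is repeated in every partition_for_* hunk below, so one fix in the template covers all of them.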
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_home' differs.
--- ocil:ssg-partition_for_home_ocil:questionnaire:1
+++ ocil:ssg-partition_for_home_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /home
-is on its own partition or logical volume:
-$ mount | grep "on /home"
-If /home has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /home with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /home
+
+ Is it the case that "/home is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt' differs.
--- ocil:ssg-partition_for_opt_ocil:questionnaire:1
+++ ocil:ssg-partition_for_opt_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /opt
-is on its own partition or logical volume:
-$ mount | grep "on /opt"
-If /opt has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /opt with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /opt
+
+ Is it the case that "/opt is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv' differs.
--- ocil:ssg-partition_for_srv_ocil:questionnaire:1
+++ ocil:ssg-partition_for_srv_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /srv
-is on its own partition or logical volume:
-$ mount | grep "on /srv"
-If /srv has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /srv with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /srv
+
+ Is it the case that "/srv is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp' differs.
--- ocil:ssg-partition_for_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /tmp
-is on its own partition or logical volume:
-$ mount | grep "on /tmp"
-If /tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /tmp with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /tmp
+
+ Is it the case that "/tmp is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr' differs.
--- ocil:ssg-partition_for_usr_ocil:questionnaire:1
+++ ocil:ssg-partition_for_usr_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /usr
-is on its own partition or logical volume:
-$ mount | grep "on /usr"
-If /usr has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /usr with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /usr
+
+ Is it the case that "/usr is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var' differs.
--- ocil:ssg-partition_for_var_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var
-is on its own partition or logical volume:
-$ mount | grep "on /var"
-If /var has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var
+
+ Is it the case that "/var is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' differs.
--- ocil:ssg-partition_for_var_log_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log
-is on its own partition or logical volume:
-$ mount | grep "on /var/log"
-If /var/log has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var/log
+
+ Is it the case that "/var/log is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' differs.
--- ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log/audit
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/audit"
-If /var/log/audit has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log/audit with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var/log/audit
+
+ Is it the case that "/var/log/audit is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' differs.
--- ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/tmp
-is on its own partition or logical volume:
-$ mount | grep "on /var/tmp"
-If /var/tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/tmp with the following command:
 
- Is it the case that no line is returned?
+$ mountpoint /var/tmp
+
+ Is it the case that "/var/tmp is not a mountpoint" is returned?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- ocil:ssg-coredump_disable_storage_ocil:questionnaire:1
+++ ocil:ssg-coredump_disable_storage_ocil:questionnaire:1
@@ -1,4 +1,7 @@
-Verify that storing core dumps are disabled, run the following command:
-$ grep Storage /etc/systemd/coredump.conf
+Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command:
+
+$ grep -i storage /etc/systemd/coredump.conf
+
+Storage=none
 Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
 
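Review bot: the first `+` line names "Red Hat Enterprise Linux 8" while this PR updates the RHEL 9 STIG; if that string is a literal in the OCIL rather than the product full-name macro, the RHEL 9 datastream will render with the wrong product name, so please confirm it comes from the macro. Also, `grep -i storage` on the `+$ grep` line will match a commented default such as `#Storage=external` as well as an active setting, so the expected output `Storage=none` has to be read as an uncommented line; the unchanged clause already says "or is commented out", which makes that explicit, but a short sentence in the description ("ensure the line is not commented out") would save the reader a second look.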
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed' differs.
--- ocil:ssg-package_policycoreutils_installed_ocil:questionnaire:1
+++ ocil:ssg-package_policycoreutils_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
 Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils
- Is it the case that the package is not installed?
+ Is it the case that the policycoreutils package is not installed?
 
OCIL for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- ocil:ssg-selinux_policytype_ocil:questionnaire:1
+++ ocil:ssg-selinux_policytype_ocil:questionnaire:1
@@ -1,6 +1,7 @@
-Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions.
+Verify the SELINUX on Red Hat Enterprise Linux 8 is using the policy with the following command:
 
-Check the file /etc/selinux/config and ensure the following line appears:
-SELINUXTYPE=
- Is it the case that SELINUXTYPE is set to the wrong value?
+$ sestatus | grep policy
+
+Loaded policy name: 
+ Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"?

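Review bot: `sestatus | grep policy` on the `+$ sestatus` line also matches the "Max kernel policy version:" line of `sestatus` output, so the expected output shown ("Loaded policy name:") is incomplete; `grep "Loaded policy"` narrows it to the one line the clause actually checks. Separately, the description line "is using the policy with the following command" and the expected-output line "Loaded policy name: " both end where the policy name should appear, while the clause uses `<sub idref="var_selinux_policy_name" />`; confirm the variable is substituted in those two places as well, since otherwise the rendered OCIL tells the reader to compare against nothing. Minor: "SELINUX" reads better as "SELinux".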
Update
* fixtext
* srg_requirement
Add
* srg_requirement
* checktext
* fixtext
Update
* fixtext
Update
* fixtext
* ocil
* ocil_clause
Update
* fixtext
* ocil_clause
@Mab879 Mab879 marked this pull request as ready for review September 7, 2022 20:14
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 7, 2022
@marcusburghardt marcusburghardt self-assigned this Sep 8, 2022
@marcusburghardt (Member) left a comment

I only found some small details

shared/macros/10-ocil.jinja (outdated, resolved)
codeclimate bot commented Sep 8, 2022

Code Climate has analyzed commit 18f3904 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 40.4% (0.0% change).

View more on Code Climate.

openshift-ci bot commented Sep 8, 2022

@Mab879: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ocp4-pci-dss-node 18f3904 link true /test e2e-aws-ocp4-pci-dss-node
ci/prow/e2e-aws-rhcos4-moderate 18f3904 link true /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-high 18f3904 link true /test e2e-aws-rhcos4-high

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@marcusburghardt marcusburghardt merged commit baaba79 into ComplianceAsCode:master Sep 9, 2022
dahaic pushed a commit to dahaic/scap-security-guide that referenced this pull request Sep 12, 2022
@Mab879 Mab879 deleted the stiglish3 branch September 26, 2022 19:48