Updates RHEL 9 STIG: Part 3 #9489
Add checktext and update srg_requirement
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_boot' differs.
--- ocil:ssg-partition_for_boot_ocil:questionnaire:1
+++ ocil:ssg-partition_for_boot_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /boot
-is on its own partition or logical volume:
-$ mount | grep "on /boot"
-If /boot has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /boot with the following command:
- Is it the case that no line is returned?
+$ mountpoint /boot
+
+ Is it the case that "/boot is not a mountpoint" is returned?
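Review bot: the clause on the last `+` line quotes the exact util-linux message, and `mountpoint /boot` prints "/boot is not a mountpoint" with exit status 1 in that case, so the wording matches the tool; note that the removed `mount | grep "on /boot"` also matched the `/boot/efi` line on UEFI systems, so the new check is stricter and no longer passes on the EFI system partition alone. The ten partition hunks differ only in the path, so please confirm the edit was made once in the shared source that generates them rather than copied into each rule.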
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_home' differs.
--- ocil:ssg-partition_for_home_ocil:questionnaire:1
+++ ocil:ssg-partition_for_home_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /home
-is on its own partition or logical volume:
-$ mount | grep "on /home"
-If /home has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /home with the following command:
- Is it the case that no line is returned?
+$ mountpoint /home
+
+ Is it the case that "/home is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_opt' differs.
--- ocil:ssg-partition_for_opt_ocil:questionnaire:1
+++ ocil:ssg-partition_for_opt_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /opt
-is on its own partition or logical volume:
-$ mount | grep "on /opt"
-If /opt has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /opt with the following command:
- Is it the case that no line is returned?
+$ mountpoint /opt
+
+ Is it the case that "/opt is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_srv' differs.
--- ocil:ssg-partition_for_srv_ocil:questionnaire:1
+++ ocil:ssg-partition_for_srv_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /srv
-is on its own partition or logical volume:
-$ mount | grep "on /srv"
-If /srv has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /srv with the following command:
- Is it the case that no line is returned?
+$ mountpoint /srv
+
+ Is it the case that "/srv is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp' differs.
--- ocil:ssg-partition_for_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /tmp
-is on its own partition or logical volume:
-$ mount | grep "on /tmp"
-If /tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /tmp with the following command:
- Is it the case that no line is returned?
+$ mountpoint /tmp
+
+ Is it the case that "/tmp is not a mountpoint" is returned?
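Review bot: `mountpoint /tmp` also reports a mountpoint for a tmpfs or for a bind mount of a directory on the root file system, so, like the removed `mount | grep` check, it confirms that something is mounted at /tmp rather than that /tmp is "on its own partition or logical volume" as the removed wording said; if that distinction matters for the rule, `findmnt -n -o SOURCE,FSTYPE /tmp` shows the backing source and file system type and marks a bind mount with the bound subdirectory in brackets after the device.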
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_usr' differs.
--- ocil:ssg-partition_for_usr_ocil:questionnaire:1
+++ ocil:ssg-partition_for_usr_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /usr
-is on its own partition or logical volume:
-$ mount | grep "on /usr"
-If /usr has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /usr with the following command:
- Is it the case that no line is returned?
+$ mountpoint /usr
+
+ Is it the case that "/usr is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var' differs.
--- ocil:ssg-partition_for_var_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var
-is on its own partition or logical volume:
-$ mount | grep "on /var"
-If /var has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var
+
+ Is it the case that "/var is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log' differs.
--- ocil:ssg-partition_for_var_log_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log
-is on its own partition or logical volume:
-$ mount | grep "on /var/log"
-If /var/log has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var/log
+
+ Is it the case that "/var/log is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log_audit' differs.
--- ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/log/audit
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/audit"
-If /var/log/audit has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/log/audit with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var/log/audit
+
+ Is it the case that "/var/log/audit is not a mountpoint" is returned?
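Review bot: if the directory does not exist (for example when audit is not installed yet), `mountpoint /var/log/audit` prints "mountpoint: /var/log/audit: No such file or directory" rather than the string quoted on the last `+` line, so a literal reading of the clause would not match even though the requirement is clearly not met; consider phrasing the clause as "/var/log/audit is not reported as a mountpoint", or stating that any output other than "/var/log/audit is a mountpoint" is a finding.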
OCIL for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp' differs.
--- ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
+++ ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1
@@ -1,7 +1,6 @@
-Run the following command to determine if /var/tmp
-is on its own partition or logical volume:
-$ mount | grep "on /var/tmp"
-If /var/tmp has its own partition or volume group, a line will be returned.
+Verify that a separate file system/partition has been created for /var/tmp with the following command:
- Is it the case that no line is returned?
+$ mountpoint /var/tmp
+
+ Is it the case that "/var/tmp is not a mountpoint" is returned?
OCIL for rule 'xccdf_org.ssgproject.content_rule_coredump_disable_storage' differs.
--- ocil:ssg-coredump_disable_storage_ocil:questionnaire:1
+++ ocil:ssg-coredump_disable_storage_ocil:questionnaire:1
@@ -1,4 +1,7 @@
-Verify that storing core dumps are disabled, run the following command:
-$ grep Storage /etc/systemd/coredump.conf
+Verify Red Hat Enterprise Linux 8 disables storing core dumps for all users by issuing the following command:
+
+$ grep -i storage /etc/systemd/coredump.conf
+
+Storage=none
Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
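Review bot: `grep -i storage` on the `+` line is case-insensitive, but systemd option names are case-sensitive, so a line such as `storage=none` would satisfy this check text while systemd-coredump ignores it and keeps the default; the shipped coredump.conf also typically carries a commented `#Storage=external` line that this grep returns next to `Storage=none`, which the unchanged clause covers with "commented out" but the expected output should probably acknowledge, and a `Storage=` set in a drop-in under /etc/systemd/coredump.conf.d/ overrides the main file without appearing in this grep at all. Since the PR is titled as a RHEL 9 STIG update, please also confirm that "Red Hat Enterprise Linux 8" in the first `+` line is rendered from the product name rather than written literally in the rule.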
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_policycoreutils_installed' differs.
--- ocil:ssg-package_policycoreutils_installed_ocil:questionnaire:1
+++ ocil:ssg-package_policycoreutils_installed_ocil:questionnaire:1
@@ -1,3 +1,3 @@
Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils
- Is it the case that the package is not installed?
+ Is it the case that the policycoreutils package is not installed?
OCIL for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- ocil:ssg-selinux_policytype_ocil:questionnaire:1
+++ ocil:ssg-selinux_policytype_ocil:questionnaire:1
@@ -1,6 +1,7 @@
-Ensure that Red Hat Enterprise Linux 8 verifies correct operation of security functions.
+Verify the SELINUX on Red Hat Enterprise Linux 8 is using the policy with the following command:
-Check the file /etc/selinux/config and ensure the following line appears:
-SELINUXTYPE=
- Is it the case that SELINUXTYPE is set to the wrong value?
+$ sestatus | grep policy
+
+Loaded policy name:
+ Is it the case that the loaded policy name is not "<sub idref="var_selinux_policy_name" />"?
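Review bot: the first `+` line says "using the policy" without naming one, and the expected output `Loaded policy name:` is left without a value, while the clause does substitute `<sub idref="var_selinux_policy_name" />`; suggest using the same substitution in both places, i.e. "is using the <sub idref="var_selinux_policy_name" /> policy" and `Loaded policy name: <sub idref="var_selinux_policy_name" />`, and writing "SELinux" rather than "SELINUX". Note also that the removed lines checked /etc/selinux/config, which governs the next boot, while `sestatus` reports the policy currently loaded; the two can differ until reboot, so the rule's automated check should be checked against the same state the new text describes.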
Update
* fixtext
* srg_requirement
Add
* srg_requirement
* checktext
* fixtext
Update
* fixtext
Update
* fixtext
* ocil
* ocil_clause
Update
* fixtext
* ocil_clause
Update
* ocil
I only found some small details
linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
Code Climate has analyzed commit 18f3904 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 40.4% (0.0% change). View more on Code Climate.
@Mab879: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Description:
Various updates to rules based on external review.
Rationale:
Updates are needed to match external changes.