Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a security policy validation mechanism #128

Merged
merged 179 commits into from
Nov 7, 2022
Merged

Add a security policy validation mechanism #128

merged 179 commits into from
Nov 7, 2022

Conversation

imobachgs
Copy link
Contributor

@imobachgs imobachgs commented Aug 5, 2022
edited
Loading

This PR adds security policy validation to the installer (see https://www.open-scap.org/security-policies/choosing-policy/).

Related PRs:

How it works

See the screenshots below to get an idea of how it works. Once the user enables a security profile (at this point only DISA STIG), YaST:

  • Add the required package (ssg-apply) and enable the service at the end of the installation.
  • Runs a set of checks and displays the rules that are not passing.
    • If the problem can be fixed automatically, it displays a link to do it.
    • Otherwise, it might display a link to take the user to the right place of the installer to solve it.
Installation settings including a 'Security Policy' section

stig-installation-settings

Storage proposal showing found problems with the current configuration

stig-installation-summary

YaST warning about an issue in the expert partitioner

stig-partitioner

AutoYaST confirmation mode when some rule failed

stig-autoyast-confirm-mode

Do not allow installing the system until all problems are solved

stig-enabled-blocked

Enabling security policy validation

There are three different ways to enable policy checks:

What is missing?

Write the name of the enabled policies and disabled rules to the file system, so ssg-apply can take that information into account.

Implementation details

  • The API is defined in the Y2Security::SecurityPolicies module.
    • Policy represents the security policies. There is one instance for each policy.
    • Rule represents the rules to check. It implements the check and, if possible, the fix to apply.
    • Manager represents a singleton class to manage the policies. Its API allows getting the known policies, enabling or disabling a policy and getting the issues from the enabled policies.

@imobachgs imobachgs changed the title [WIP] Add a security policy [WIP] Add a security policy validation mechanism Aug 5, 2022
@imobachgs imobachgs mentioned this pull request Aug 5, 2022
Closed
@kobliha

This comment was marked as outdated.

Sign in to view
@mvidner
Copy link
Member

mvidner commented Aug 8, 2022

Not so stupid question: who is STIG and what are they doing in YaST?!

@mvidner
Copy link
Member

mvidner commented Aug 8, 2022

I guess it is a Security Technical Implementation Guide but the Wikipedia article is quite vague. I assume we have openSUSE/SLE specific pointers, please add them.

@dgdavid

This comment was marked as outdated.

Sign in to view
@imobachgs imobachgs changed the base branch from master to SLE-15-SP4 August 9, 2022 07:25
imobachgs and others added 17 commits August 9, 2022 08:26
@imobachgs
Add basic classes to handle security policies
9ebc0fa
@imobachgs
Add a basic security policy proposal
caaafe2
@imobachgs
Add a list of security policies issues
7123b30
@imobachgs
Keep the policy status (enabled/disabled) at instance level
dc1a2f7
@imobachgs
New SecurityPolicy API
f18af13 
* SecurityPolicy#validate: runs the validation for the given scope.
* Issues are kept in the SecurityPolicy instance.
@imobachgs
Adapt the security_policy_proposal to the new API
53950d9
@imobachgs
Add a simple Stig validation regarding networking
608094f
@imobachgs
Add yast2-network as dependency
35b8928
@imobachgs
Make RuboCop happy
0d08437
@imobachgs
Fix documentation
f955972
@imobachgs
Fix SecurityPolicy#enabled
87d272e
@imobachgs
Use a list in the security_policy_proposal client
7a874d4
@imobachgs
Add storage helpers for RSpec
1208e93
@imobachgs
Translate STIG validation issues
1a4440e
@imobachgs
Add a basic STIG check for full encrypted devices
8c879d8
@teclator @imobachgs
STIG: firewall need to be enabled validation
c655068
@teclator @imobachgs
Mock Installation::SecuritySettings instance
dcdcba8
@joseivanlopez joseivanlopez mentioned this pull request Oct 4, 2022
Merged
ancorgs and others added 15 commits October 4, 2022 12:00
@ancorgs @imobachgs
Help text for SecurityPolicyProposal
190360d
@imobachgs
Update from code review
8133f67
@imobachgs
Do not catch failing rules
904462f
@joseivanlopez
Merge pull request #141 from joseivanlopez/rule-presenter
61bd760 
Expose RulePresenter class
@imobachgs
Merge pull request #142 from yast/installation-actions
49a6f4b 
Set the action to be performed by SCAP on first boot
@imobachgs
Use "stig" as profile name for DISA STIG
a771a51
@imobachgs
Merge pull request #144 from yast/fix-stig-profile-name
0196b70 
Use "stig" as profile name for DISA STIG
@imobachgs
AutoYaST: adapt to the new schema of the security_policies section
7ec8ee5
@imobachgs
Update AutoYaST schema
617868e
@imobachgs
AutoYaST: do not crash if the SCAP action is invalid
c2dfa93
@imobachgs
AutoYaST: allow enabling just one security policy
d705468
@imobachgs
Replace YAST_SECURITY_POLICIES with YAST_SECURITY_POLICY
84b2d35
@imobachgs
Fix import_security_policy documentation
783088a
@imobachgs
Merge pull request #146 from yast/ay-security-policies
16bd109 
AutoYaST: adapt to the new schema of the security_policies section
@joseivanlopez
Update documentation
a9d276d
@imobachgs imobachgs mentioned this pull request Nov 4, 2022
Merged
ancorgs
ancorgs reviewed Nov 7, 2022
View reviewed changes
src/lib/y2security/security_policies/encrypted_filesystems_rule.rb
def missing_encryption?(blk_filesystem)
return false if blk_filesystem.encrypted? || blk_filesystem.mount_point.nil?

!PLAIN_MOUNT_POINTS.include?(blk_filesystem.mount_path)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we are sure there are enough validations in place (in AutoYaST and in the UI) to ensure we never get something like "/boot/efi/" here (trailing bar).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hope so ...

ancorgs
ancorgs approved these changes Nov 7, 2022
View reviewed changes
Copy link
Contributor

@ancorgs ancorgs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a quick check since I hope most code to be already double-checked due to the amount of people already involved in the pull request. That being said, it looks good.

@joseivanlopez joseivanlopez merged commit 9cad641 into SLE-15-SP4 Nov 7, 2022
@joseivanlopez joseivanlopez deleted the security-policy branch November 7, 2022 17:05
@yast-bot
Copy link
Contributor

yast-bot commented Nov 7, 2022

✔️ Internal Jenkins job #5 successfully finished
✔️ Created IBS submit request #283897

@teclator teclator mentioned this pull request Jun 14, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mvidner mvidner mvidner left review comments

@jreidinger jreidinger jreidinger left review comments

@joseivanlopez joseivanlopez joseivanlopez left review comments

@ancorgs ancorgs ancorgs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@imobachgs @kobliha @mvidner @dgdavid @yast-bot @jreidinger @joseivanlopez @ancorgs @teclator