From 22946b0d98e86d7f552e1fb6a2d1520be951be56 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 17:15:45 +0200 Subject: [PATCH 1/7] This is not present in RHEL8 --- rhel8/profiles/ospp.profile | 3 --- 1 file changed, 3 deletions(-) diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 2f6928e8bef4..de68a0cdcc60 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -871,9 +871,6 @@ selections: ## Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - ## TO DO: NEED SCAP RULE - #echo "net.ipv6.icmp.echo_ignore_all = 0" >> $CONFIG - ## Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces - sysctl_net_ipv4_ip_forward From c0f76b9f12d94c9b475d0ceb3c7fe8ca69dc0ea9 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 17:16:51 +0200 Subject: [PATCH 2/7] Remove TODO for bootloader fips argument is handled by rule enable_fips_mode, the other settings are not directly related to security --- rhel8/profiles/ospp.profile | 1 - 1 file changed, 1 deletion(-) diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index de68a0cdcc60..a5d4fb61328c 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -25,7 +25,6 @@ selections: ################################################################# ## Bootloader Configuration ################################################################# - #TO DO: bootloader --location=mbr --append="boot=/dev/vda1 fips=1 " ## Set the UEFI Boot Loader Password - grub2_uefi_password From 54165b1b89d7093d137fea40cb68ead5bb709bbf Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 17:29:57 +0200 Subject: [PATCH 3/7] Requirements for partitions are the mount options /dev/shm and /tmp with nodev,noexec,nosuid mount options --- rhel8/profiles/ospp.profile | 8 -------- 1 file changed, 8 deletions(-) 
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index a5d4fb61328c..5962070def8f 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -144,11 +144,6 @@ selections: ## /tmp ########### - ## Setup a couple mountpoints by hand to ensure correctness - #touch /etc/fstab - ## Ensure /tmp Located On Separate Partition - #echo -e "tmpfs\t/tmp\t\t\t\ttmpfs\tdefaults,mode=1777,,,nodev,strictatime,size=512M\t0 0" >> /etc/fstab - ## Add nodev Option to /tmp - mount_option_tmp_nodev @@ -168,9 +163,6 @@ selections: ########### ## /dev/shm ########### - ## Make sure /dev/shm is restricted - #echo -e "tmpfs\t/dev/shm\t\t\t\ttmpfs\tdefaults,mode=1777,,,strictatime\t0 0" >> /etc/fstab - ## Add nodev Option to /dev/shm - mount_option_dev_shm_nodev From 098824bd7b46cd29485addebe34105510afebee9 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 17:33:02 +0200 Subject: [PATCH 4/7] No need to require SWAP partition --- rhel8/profiles/ospp.profile | 7 ------- 1 file changed, 7 deletions(-) diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 5962070def8f..ceedb64b85bb 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -153,13 +153,6 @@ selections: ## Add nosuid Option to /tmp - mount_option_tmp_nosuid - ########### - ## /swap - ########### - ## TO DO: https://github.com/ComplianceAsCode/content/issues/4490 - ## do we need a swap partition (for security reasons)? - #logvol swap --name=lv_swap --vgname=VolGroup --size=2016 - ########### ## /dev/shm ########### From 98da621079586e6f23b1683b36593ecb214630bf Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 17:58:17 +0200 Subject: [PATCH 5/7] There is no claim to setup PATH --- rhel8/profiles/ospp.profile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index ceedb64b85bb..c1eba20e3082 100644 --- a/rhel8/profiles/ospp.profile 
+++ b/rhel8/profiles/ospp.profile @@ -275,15 +275,6 @@ selections: ## Uninstall Automatic Bug Reporting Tool (abrt) - package_abrt_removed - ################################################################# - ## - ## Set PATH correctly - ## - ################################################################# - - ## TO DO - #PATH=/bin:/usr/bin:/sbin:/usr/sbin:$PATH - ################################################################# ## ## Configure Audit Daemon From b722ed944f66421f6b3b77c6946ceca8cd588d2a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 18:11:22 +0200 Subject: [PATCH 6/7] This is just a comestic change --- rhel8/profiles/ospp.profile | 3 --- 1 file changed, 3 deletions(-) diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index c1eba20e3082..f9b875eb7ee9 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -717,9 +717,6 @@ selections: ## Configure the tmux Lock Command - configure_tmux_lock_command - ## TO DO: https://github.com/ComplianceAsCode/content/issues/4499 - #set -g status off - ## TO DO: https://github.com/ComplianceAsCode/content/issues/4496 #cat << EOF > /tmp/rules.conf #allow with-interface equals { 09:00:* } From 92a18ab58f5af22f60ec1fb64958d10d37b502e7 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 26 Jul 2019 18:36:49 +0200 Subject: [PATCH 7/7] Use crypto-policies to configure RHEL8 sshd algos --- .../ssh/ssh_server/sshd_use_approved_ciphers/rule.yml | 2 +- .../ssh/ssh_server/sshd_use_approved_macs/rule.yml | 2 +- rhel8/profiles/ospp.profile | 11 ++++------- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index c3a892312d71..91bb30a4057f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: wrlinux8,wrlinux1019,rhel6,rhel7,rhel8,ol7,rhv4 +prodtype: wrlinux8,wrlinux1019,rhel6,rhel7,ol7,rhv4 title: 'Use Only FIPS 140-2 Validated Ciphers' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml index a5ad34d76088..390e71cc7966 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: wrlinux1019,rhel6,rhel7,rhel8,ol7,rhv4 +prodtype: wrlinux1019,rhel6,rhel7,ol7,rhv4 title: 'Use Only FIPS 140-2 Validated MACs' diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index f9b875eb7ee9..2a81b70ff59f 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -1003,16 +1003,9 @@ selections: ## Enable SSH Warning Banner - sshd_enable_warning_banner - ## Use Only FIPS 140-2 Validated Ciphers - - sshd_use_approved_ciphers - ## TO DO: https://github.com/ComplianceAsCode/content/issues/4469 #echo -e "PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384" >> $CONFIG - ## Use Only FIPS 140-2 Validated MACs - ## SEE ALSO: https://github.com/ComplianceAsCode/content/issues/4470 - - sshd_use_approved_macs - ## TO DO: https://github.com/ComplianceAsCode/content/issues/4471 #echo -e "KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" >> $CONFIG @@ -1060,6 +1053,10 @@ selections: ## Enable FIPS Mode - enable_fips_mode + ## Set up Crypto policy + - var_system_crypto_policy=fips + - configure_crypto_policy + ## TO DO: https://github.com/ComplianceAsCode/content/issues/4500 # - sysctl_crypto_fips_enabled
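Review bot: Dropping `rhel8` from `prodtype` in sshd_use_approved_ciphers/rule.yml (and identically in sshd_use_approved_macs/rule.yml in the next hunk) disables these rules for every RHEL 8 profile, while the diff only shows the OSPP profile moving to crypto-policies. If any other rhel8 profile still selects either rule, the build will presumably fail or silently lose that check, so confirm none does before merging. If the intent is only that OSPP should no longer carry them, leaving `prodtype` unchanged and dropping just the selections from ospp.profile would be the narrower change. A short `rationale` note in both rules stating that RHEL 8 expects the system-wide crypto policy to govern sshd algorithms would record the decision for readers of other profiles.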
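Review bot: The new `var_system_crypto_policy=fips` and `configure_crypto_policy` selections replace the explicit sshd cipher and MAC rules removed earlier in this patch, but they only assert which system-wide policy is configured, not that sshd actually follows it. On RHEL 8, sshd picks the policy up through `/etc/sysconfig/sshd`, and an administrator can opt out by setting `CRYPTO_POLICY=` empty there; presumably no rule selected in this profile checks that opt-out, so consider adding one that verifies `CRYPTO_POLICY` is left unset in `/etc/sysconfig/sshd`. The `PubkeyAcceptedKeyTypes` and `KexAlgorithms` TO DO comments kept in the previous hunk should also be re-evaluated against what the FIPS policy already enforces, since the same reasoning that removed the cipher and MAC rules applies to them. A comment such as `## sshd ciphers/MACs are governed by the FIPS crypto policy rather than per-rule sshd_config checks` above the new selections would explain why the explicit sshd rules were dropped.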