Add 'bls_audit_option' rule #5793
Merged
linux_os/guide/system/auditing/bls_audit_option/kubernetes/shared.yml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos | ||
| apiVersion: machineconfiguration.openshift.io/v1 | ||
| kind: MachineConfig | ||
| spec: | ||
| kernelArguments: | ||
| - audit=1 |
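Review bot: the `# platform` line at the top of this hunk lists multi_platform_rhel and multi_platform_fedora alongside multi_platform_ocp and multi_platform_rhcos, but a MachineConfig object can only be applied where the Machine Config Operator runs, and the rule's own prodtype is rhcos4; consider narrowing the list to `multi_platform_ocp,multi_platform_rhcos` so the remediation is not offered for products that cannot consume it. It would also help to state in the rule text that this remediation only affects the entry generated after the MachineConfig is rolled out, since the discussion below points out that the previously rendered entry stays on disk without the option and the check requires every entry to carry it.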
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhcos4 | ||
|
|
||
| title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' | ||
|
|
||
| description: |- | ||
| To ensure all processes can be audited, even those which start | ||
| prior to the audit daemon, add the argument <tt>audit=1</tt> to all | ||
| BLS (Boot Loader Specification) entries ('options' line) for the Linux | ||
| operating system in <tt>/boot/loader/entries/*.conf</tt>. | ||
|
|
||
| rationale: |- | ||
| Each process on the system carries an "auditable" flag which indicates whether | ||
| its activities can be audited. Although <tt>auditd</tt> takes care of enabling | ||
| this for all processes which launch after it does, adding the kernel argument | ||
| ensures it is set for every process during boot. | ||
|
|
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@ocp4: 83550-4 | ||
|
|
||
| references: | ||
| cis@rhel8: 4.1.1.3 | ||
| cjis: 5.4.1.1 | ||
| cui: 3.3.1 | ||
| disa: 1464,130 | ||
| hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b) | ||
| nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1) | ||
| nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4 | ||
| vmmsrg: SRG-OS-000254-VMM-000880 | ||
| pcidss: Req-10.3 | ||
| isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 7.1,SR 7.6' | ||
| isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 | ||
| cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.02,DSS05.03,DSS05.04,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 | ||
| iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 | ||
| cis-csc: 1,11,12,13,14,15,16,19,3,4,5,6,7,8 | ||
| srg: SRG-OS-000254-GPOS-00095 | ||
|
|
||
| ocil_clause: 'auditing is not enabled at boot time' | ||
|
|
||
| ocil: |- | ||
| Inspect the form of BLS (Boot Loader Specification) options lines for the Linux operating system | ||
| in <tt>/boot/loader/entries/*.conf</tt>. If they include <tt>audit=1</tt>, then auditing | ||
| is enabled at boot time. | ||
| <pre># grep 'options.*audit=1.*' /boot/loader/entires/*.conf</pre> | ||
| <br /> | ||
|
|
||
| template: | ||
| name: bls_entries_option | ||
| vars: | ||
| arg_name: audit | ||
| arg_value: '1' |
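Review bot: the grep command in the `ocil` block has a typo in the path, `/boot/loader/entires/*.conf`; it should be `/boot/loader/entries/*.conf`, matching the description and the OVAL filepath pattern, otherwise a reader following the procedure gets no output and wrongly concludes auditing is disabled. The pattern `'options.*audit=1.*'` is also looser than the OVAL state, which requires whitespace or end of line after the value; `grep -E '^options .*(^|\s)audit=1(\s|$)' /boot/loader/entries/*.conf` would mirror it and not accept values such as `audit=10`. The trailing `<br />` after the `<pre>` block looks like a leftover and can be dropped.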
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -198,7 +198,6 @@ CCE-83546-2 | |
| CCE-83547-0 | ||
| CCE-83548-8 | ||
| CCE-83549-6 | ||
| CCE-83550-4 | ||
| CCE-83551-2 | ||
| CCE-83552-0 | ||
| CCE-83553-8 | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ _RULE_ID }}}" version="2"> | ||
| <metadata> | ||
| <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title> | ||
| {{{- oval_affected(products) }}} | ||
| <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description> | ||
| </metadata> | ||
| <criteria operator="AND"> | ||
| <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options" | ||
| comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" /> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options" | ||
| comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries" | ||
| check="all" check_existence="all_exist" version="1"> | ||
| <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" /> | ||
| <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" /> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" | ||
| version="1"> | ||
| <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath> | ||
| <ind:pattern operation="pattern match">^options (.*)$</ind:pattern> | ||
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" | ||
| version="1"> | ||
| <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression> | ||
| </ind:textfilecontent54_state> | ||
| </def-group> |
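Review bot: the test uses `check="all" check_existence="all_exist"` over an object that matches every `options` line in every `/boot/loader/entries/*.conf`, so one stale entry without the argument fails the rule; that is exactly the post-remediation failure raised in the discussion, so either document it in the rule's description and OCIL or add a template variable that limits the check to the current entry (the `current=True` idea from the thread). Two smaller points: the state regex only matches an argument written literally on the `options` line, so an entry that references `$kernelopts` will not pass even if the expanded variable carries the option, as one comment below already notes; and the state id `state_bls_..._option` is singular while the test and object ids end in `_options`, which is worth aligning. The criterion comment also says `/boot/loader/entries/*` while the filepath pattern restricts the match to `.*\.conf$`.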
The way to check BLS entry options may be similar across OSes or arches, but the description and OCIL can vary a lot. Take for example `zipl_audit_argument`: the description and OCIL mention a few commands and config files specific to zipl. So I wonder if the rule should be renamed to `grub2_bls_audit_option`. And conversely, `zipl_audit_argument` renamed to `zipl_bls_audit_option`. The template name can remain boot loader neutral, but I would put it in singular: `bls_entry_option`. @evgenyz Thoughts?
Entries are plural because we are checking ALL entries: `<ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>`.
Oh, wouldn't it be the case that this won't pass even after the remediation is applied? The deployment keeps the previous configuration around, which wouldn't have the compliant option.
Now, `zipl_audit_argument` (as it seems to me) holds 2 different unrelated checks: for the option in the BLS-compatible entry and for settings in /etc/zipl.conf. I think that they should be separated (`bls_audit_option` + `zipl_config_blah_blah`). The `bls_audit_option` is bootloader-agnostic and could be reused in that way for all BLS-compatible bootloaders.
Yes, it would be the case.
Later we could add something like a `current=True` parameter to this template.
Later, this template can also be enhanced to consider cases when `$kernelopts` is present in the entry.
I would be careful with that, it will make the rule not compatible with BLS.
But, on the other hand, we can parametrize the template to create `grub2_bls_audit_option`.
The template can have conditionals for how different products handle BLS.
RHEL for example may check for all entries, not just the current.