Add RHCOS STIG content and enable for NIST

[redhatrises]

Description:

• Enable draft STIG for RHCOS
• Enable rules for RHCOS4 that are in the draft STIG
• Enable building of NIST Refs, CCE, and STIG tables

[mildas]

Changes identified:
Profile ospp on rhcos4:
 Newly added profile.
Profile stig on rhcos4:
 STIG profile extends changed OSPP profile.
 Newly added profile.

Recommended tests to execute:
 build_product rhcos4
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml ospp

[redhatrises]

Moving this out of draft mode as the content builds correctly.

[JAORMX]

if this is a draft, why not set documentation_complete: false?

[redhatrises]

@JAORMX Need it to build so that updated transmission to DISA can happen.

[JAORMX]

@evgenyz is working on an alternative for kernel parameters: #6100 perhaps those names could be added here but commented out in the meantime?

[redhatrises]

Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?

[JAORMX]

Let's comment this out for now since libreswan is not available in RHCOS

[redhatrises]

Currently, no. But it was submitted as part of the draft STIG. Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules.

[JAORMX]

@evgenyz is working on an alternative for kernel parameters: #6100 perhaps those names could be added here but commented out in the meantime?

[redhatrises]

Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?

[jhrozek]

Are these rules relevant since fapolicyd is not part of RHCOS?

[redhatrises]

It is a requirement for STIG, yes.

[jhrozek]

Are these rules relevant since usbguard is not part of RHCOS?

[JAORMX]

We gotta research the extension mechanism in RHCOS [1], we could install usbguard nowadays with that.

[1] openshift/enhancements#317

[jhrozek]

Do we know if these rules work with the RHCOS bootloader?

[JAORMX]

That's a good question. Something we gotta research.

[jhrozek]

By default the core user is a member of the sudo group which has %sudo ALL=(ALL) NOPASSWD: ALL set in sudoers, this likely clash with the sudo rules above. Just saying.

[redhatrises]

Right, however it is a problem to just sudo without password. Also, I believe that the recommended guidance that we are going to also give is to remove the core user.

[jhrozek]

On Wed, Sep 30, 2020 at 09:15:50AM -0700, Gabe Alford wrote: @redhatrises commented on this pull request. > + - accounts_umask_etc_bashrc + - accounts_umask_etc_csh_cshrc + + ### Software update + - ensure_redhat_gpgkey_installed + + ### Kernel Config + ## Boot prompt + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_slub_debug_argument + - grub2_page_poison_argument + - grub2_vsyscall_argument + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - grub2_pti_argument Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?

I guess? I haven't tested the rules, but I guess at worst the grub config file wouldn't be there and the result wouldn't be compliant.

[redhatrises]

On Wed, Sep 30, 2020 at 09:15:50AM -0700, Gabe Alford wrote: @redhatrises commented on this pull request. > + - accounts_umask_etc_bashrc + - accounts_umask_etc_csh_cshrc + + ### Software update + - ensure_redhat_gpgkey_installed + + ### Kernel Config + ## Boot prompt + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - grub2_slub_debug_argument + - grub2_page_poison_argument + - grub2_vsyscall_argument + - grub2_vsyscall_argument.role=unscored + - grub2_vsyscall_argument.severity=info + - grub2_pti_argument Need the rules enabled so that updated transmission to DISA can easily happen without having to enable/disable rules. Can they be enabled and updated later when completed?
I guess? I haven't tested the rules, but I guess at worst the grub config file wouldn't be there and the result wouldn't be compliant.

True. Equally, we aren't testing it yet either in CI/CD, but since this is draft and under review, which not only are there bound to be errors, but it the draft could change as well too.

[openshift-ci-robot]

@redhatrises: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-ocp4-cis	202807a	link	/test e2e-aws-ocp4-cis
ci/prow/e2e-aws-ocp4-cis-node	202807a	link	/test e2e-aws-ocp4-cis-node

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[redhatrises]

/retest

[redhatrises]

@openscap-ci test this please

[openscap-ci]

Changes identified:
Profiles:
 ospp on rhcos4
 stig on rhcos4

Show details

Profile ospp on rhcos4:
 Newly added profile.
Profile stig on rhcos4:
 Newly added profile.
 STIG profile extends changed OSPP profile.

Recommended tests to execute:
 build_product rhcos4
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml ospp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhcos4-ds.xml stig

[JAORMX]

Might wanna rebase this

[redhatrises]

Might wanna rebase this

Yeah... I was just wanting fresh tests.