DISA STIG RHEL8 V1R3 questions (scap-security-guide/ansible roles/DISA SCAP content)

[robertaspinall]

Hi,

I'm trying to map the checks I find in the DISA STIG for RHEL8 vs the checks in the role at https://github.com/RedHatOfficial/ansible-role-rhel8-stig.

The tasks within that role when following the directions and running "ansible-galaxy install RedHatOfficial.rhel8_stig"
include multiple settings that don't appear to be within the actual STIG, and I'm trying to determine where they come from.

An example is:

• name: Ensure sysctl net.core.bpf_jit_harden is set to 2
  sysctl:
  name: net.core.bpf_jit_harden
  value: '2'
  state: present
  reload: true

Does anyone know where this sysctl setting originated? I can't find it anywhere within the published DISA STIG for RHEL8.

[ggbecker]

This is a new item part of DISA STIG for RHEL8 V1R3 here is the XML text (STIG id: RHEL-08-040286) of it:

<Group id="V-244554">
	<title>SRG-OS-000480-GPOS-00227</title>
	<description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
	<Rule id="SV-244554r743911_rule" weight="10.0" severity="medium">
		<version>RHEL-08-040286</version>
		<title>RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.</title>
		<description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Enabling hardening for the Berkeley Packet Filter (BPF) Just-in-time (JIT) compiler aids in mitigating JIT spraying attacks.  Setting the value to "2" enables JIT hardening for all users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description>
		<reference>
			<dc:title>DPMS Target Red Hat Enterprise Linux 8</dc:title>
			<dc:publisher>DISA</dc:publisher>
			<dc:type>DPMS Target</dc:type>
			<dc:subject>Red Hat Enterprise Linux 8</dc:subject>
			<dc:identifier>2921</dc:identifier>
		</reference>
		<ident system="http://cyber.mil/cci">CCI-000366</ident>
		<fixtext fixref="F-47786r743910_fix">Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file in the "/etc/sysctl.d" directory:

net.core.bpf_jit_harden = 2

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system</fixtext>
		<fix id="F-47786r743910_fix" />
		<check system="C-47829r743909_chk">
			<check-content-ref href="Red_Hat_Enterprise_Linux_8_STIG.xml" name="M" />
			<check-content>Verify RHEL 8 enables hardening for the BPF JIT with the following commands:

$ sudo sysctl net.core.bpf_jit_harden

net.core.bpf_jit_harden = 2

If the returned line does not have a value of "2", or a line is not returned, this is a finding.</check-content>
		</check>
	</Rule>
</Group>

[robertaspinall]

Thanks, but is there a way to audit this using oscap? Without a way of generating a compliance report making a system compliant to V1R3 isn't very useful. When we try, we get errors, and we found this RHN article: https://access.redhat.com/solutions/2484341 which states:
"One cannot use the STIGs from the DISA site. One should instead use the STIG profile that ships in RHEL via the scap-security-guide RPM. It contains automation content and is supported by Red Hat."

However, the files included in that package don't appear to include any of the items from V1R3.

[ggbecker]

You actually can use this file from DISA (but it's still in V1R2): https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R2_STIG_SCAP_1-2_Benchmark.zip it contains only the OVAL checks. They don't include any remediation scripts.

This is the manual STIG benchmark published by DISA V1R3 for reference: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R3_STIG.zip

You can also find Ansible content provided by DISA: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R3_STIG_Ansible.zip

Note that these links might go 404 when new versions are released.

and more here:
https://public.cyber.mil/stigs/downloads/

Now talking about scap-security-guide package and RHEL, next RHEL 8 updates should get a new package version that will contain the STIG V1R3 content.

[robertaspinall]

To further confuse the issue, the page at https://github.com/RedHatOfficial/ansible-role-rhel8-stig states that "This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R2.", and then includes instructions to run "Run ansible-galaxy install RedHatOfficial.rhel8_stig to download and install the role.", but this role actually includes checks for V1R3? We could really use some clarity on this.

[ggbecker]

Unfortunately https://github.com/RedHatOfficial/ansible-role-rhel8-stig and galaxy ansible roles are not frequently updated and are not the official way to get supported content. If you would like to use upstream versions of ComplianceAsCode/content, I'd recommend using artifacts from latest releases page: https://github.com/ComplianceAsCode/content/releases