Merge pull request ComplianceAsCode#11423 from yuumasato/fix_stig_ctr…

…_selections OCPBUGS-26193: Fix missing OCP4 STIG selections
a-skr · Feb 13, 2024 · 4539cdd · 4539cdd
2 parents 1c86e52 + b05da3d
commit 4539cdd
Show file tree

Hide file tree

Showing 23 changed files with 51 additions and 21 deletions.
diff --git a/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml
@@ -51,6 +51,7 @@ rationale: |-
 
 references:
   nist: AC-12
+  srg: SRG-APP-000400-CTR-000960
 
 identifiers:
     cce@ocp4: CCE-84162-7

diff --git a/applications/openshift/authentication/oauth_token_maxage/rule.yml b/applications/openshift/authentication/oauth_token_maxage/rule.yml
@@ -68,6 +68,4 @@ template:
         filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
         yamlpath: ".tokenConfig.accessTokenMaxAgeSeconds"
         check_existence: "only_one_exists"
-        values:
-          - value: ".*"
-            operation: "pattern match"
+        xccdf_variable: var_oauth_token_maxage
diff --git a/applications/openshift/authentication/oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauthclient_token_maxage/rule.yml
@@ -63,6 +63,4 @@ template:
         check_existence_yamlpath: ".items[:].grantMethod"
         check_existence: "all_exist"
         entity_check: "all"
-        values:
-            - value: ".*"
-              operation: "pattern match"
+        xccdf_variable: var_oauth_token_maxage
diff --git a/applications/openshift/authentication/var_oauth_token_maxage.var b/applications/openshift/authentication/var_oauth_token_maxage.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'OAuth Token Maximum Age'
+
+description: 'Enter OAuth Token Maximum Age Timeout'
+
+type: number
+
+operator: equals
+
+interactive: true
+
+options:
+    default: 86400
+    24h: 86400
+    8h: 28800
diff --git a/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml b/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml
@@ -7,5 +7,6 @@ controls:
   - cluster_logging_operator_exist
   - audit_log_forwarding_enabled
   - coreos_audit_option
+  - coreos_audit_backlog_limit_kernel_argument
   status: automated
 
diff --git a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
@@ -3,11 +3,12 @@ controls:
   levels:
   - medium
   title: {{{ full_name }}} must be configured with only essential configurations.
-  related_rules:
+  rules:
   - service_sshd_disabled
   - kernel_module_usb-storage_disabled
   - package_usbguard_installed
   - service_usbguard_enabled
   - configure_usbguard_auditbackend
+  - usbguard_allow_hid_and_hub
   status: automated
 
diff --git a/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml b/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml
@@ -4,7 +4,7 @@ controls:
   - medium
   title: {{{ full_name }}} must prohibit the use of cached authenticators after
     an organization-defined time period.
-  status: inherently met
+  status: automated
   artifact_description: |-
     Supporting evidence is in the following documentation
 
@@ -18,4 +18,5 @@ controls:
     `oc edit oauth.config.openshift.io/cluster`
     See:
     https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth
-
+  rules:
+  - oauth_or_oauthclient_token_maxage
diff --git a/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml b/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml
@@ -23,6 +23,7 @@ controls:
   - audit_rules_file_deletion_events_rmdir
   - audit_rules_file_deletion_events_unlink
   - audit_rules_file_deletion_events_unlinkat
+  - audit_rules_privileged_commands_pt_chown
   - audit_rules_privileged_commands_su
   - audit_rules_privileged_commands_sudo
   - audit_rules_privileged_commands_usermod

diff --git a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml
@@ -18,4 +18,10 @@ controls:
   - audit_rules_file_deletion_events_unlink
   - audit_rules_file_deletion_events_unlinkat
   - audit_rules_privileged_commands_chage
+  - audit_rules_privileged_commands_pt_chown
+  - audit_delete_failed
+  - audit_rules_unsuccessful_file_modification_unlink
+  - audit_rules_unsuccessful_file_modification_unlinkat
+  - audit_rules_unsuccessful_file_modification_rename
+  - audit_rules_unsuccessful_file_modification_renameat
   status: automated
diff --git a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml
@@ -18,4 +18,10 @@ controls:
   - audit_rules_file_deletion_events_unlink
   - audit_rules_file_deletion_events_unlinkat
   - audit_rules_privileged_commands_chage
+  - audit_rules_privileged_commands_pt_chown
+  - audit_delete_failed
+  - audit_rules_unsuccessful_file_modification_unlink
+  - audit_rules_unsuccessful_file_modification_unlinkat
+  - audit_rules_unsuccessful_file_modification_rename
+  - audit_rules_unsuccessful_file_modification_renameat
   status: automated
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -48,7 +48,7 @@ references:
     disa: CCI-001958
     ism: "1418"
     nist: CM-8(3),IA-3
-    srg: SRG-OS-000378-GPOS-00163
+    srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315
     stigid@ol8: OL08-00-040139
     stigid@rhel8: RHEL-08-040139
     stigid@rhel9: RHEL-09-291015

diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
@@ -24,7 +24,7 @@ references:
     ism: "1418"
     nist: CM-8(3)(a),IA-3
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000378-GPOS-00163
+    srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315
     stigid@ol8: OL08-00-040141
     stigid@rhel8: RHEL-08-040141
     stigid@rhel9: RHEL-09-291020

diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
@@ -29,7 +29,7 @@ identifiers:
 references:
     nist: CM-8(3),IA-3
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000114-GPOS-00059
+    srg: SRG-OS-000114-GPOS-00059,SRG-APP-000092-CTR-000165
 
 ocil_clause: 'USB devices of class 3 and 9:00 are not authorized'
 

diff --git a/..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
@@ -50,7 +50,7 @@ references:
     nist@sle15: AU-12(c),AU-12.1(iv)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
     stigid@sle12: SLES-12-020411
     stigid@sle15: SLES-15-030740
 

diff --git a/...ules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/...ules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
@@ -58,7 +58,7 @@ references:
     nist@sle15: AU-12(c),AU-12.1(iv)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
     stigid@sle12: SLES-12-020411
     stigid@sle15: SLES-15-030740
 

diff --git a/..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/..._rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
@@ -64,7 +64,7 @@ references:
     nist@sle15: AU-12(c),AU-12.1(iv)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
     stigid@sle12: SLES-12-020411
     stigid@sle15: SLES-15-030740
 

diff --git a/...ules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/...ules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
@@ -61,7 +61,7 @@ references:
     nist@sle15: AU-12(c),AU-12.1(iv)
     ospp: FAU_GEN.1.1.c
     pcidss: Req-10.2.4,Req-10.2.1
-    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
     stigid@sle12: SLES-12-020411
     stigid@sle15: SLES-15-030740
 

diff --git a/...nfigure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/...nfigure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
@@ -49,7 +49,7 @@ references:
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
-    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 
 {{{ ocil_fix_srg_privileged_command("pt_chown", "/usr/libexec/") }}}
 

diff --git a/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml b/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 
 references:
     nist: CM-6(a)
-    srg: SRG-OS-000254-GPOS-00095
+    srg: SRG-OS-000254-GPOS-00095,SRG-APP-000092-CTR-000165
 
 ocil_clause: 'audit backlog limit is not configured'
 

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
@@ -9,7 +9,7 @@ spec:
     storage:
       files:
       - contents:
-          source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete
+          source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A
         mode: 0600
         path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
         overwrite: true
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
@@ -40,7 +40,7 @@ identifiers:
 references:
     nist: AU-2(a)
     ospp: FAU_GEN.1.1.c
-    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+    srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 
 ocil_clause: 'the file does not exist or the content differs'
 

diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -42,7 +42,7 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a),MP-7
     nist-csf: PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7
     pcidss4: '3.4.2'
-    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227,SRG-APP-000141-CTR-000315
     stigid@ol7: OL07-00-020100
     stigid@ol8: OL08-00-040080
     stigid@rhel7: RHEL-07-020100

diff --git a/products/ocp4/profiles/stig-v1r1.profile b/products/ocp4/profiles/stig-v1r1.profile
@@ -25,6 +25,7 @@ selections:
     - srg_ctr:all
   ### Variables
     - var_openshift_audit_profile=WriteRequestBodies
+    - var_oauth_token_maxage=8h
   ### Helper Rules
   ### This is a helper rule to fetch the required api resource for detecting OCP version
     - version_detect_in_ocp