From 38cc9c9eb785f17fbc23a2e7ccbb9902d069f4b3 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 10 Feb 2020 16:16:17 +0100

Subject: [PATCH 1/4] create new rules, add missing reference to older rule

---

 .../rule.yml                                  | 26 +++++++++++++++

 .../package_openssh-server_installed/rule.yml |  1 +

 .../rule.yml                                  | 32 +++++++++++++++++++

 .../rule.yml                                  | 29 +++++++++++++++++

 5 files changed, 88 insertions(+), 3 deletions(-)

 create mode 100644 linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml

 create mode 100644 linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml

new file mode 100644

index 0000000000..9b3c55f23b

--- /dev/null

+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml

@@ -0,0 +1,26 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Install OpenSSH client software'

+

+description: |-

+    {{{ describe_package_install(package="openssh-clients") }}}

+

+rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82722-0

+

+references:

+    srg: SRG-OS-000480-GPOS-00227

+    ospp: FIA_UAU.5,FTP_ITC_EXT.1

+

+{{{ complete_ocil_entry_package(package='openssh-clients') }}}

+

+template:

+    name: package_installed

+    vars:

+        pkgname: openssh-clients

diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

index c18e604a5c..ba013ec509 100644

--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

+++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

@@ -28,6 +28,7 @@ references:

     cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06

     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5

     cis-csc: 13,14

+    ospp: FIA_UAU.5,FTP_ITC_EXT.1

 ocil_clause: 'the package is not installed'

diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml

new file mode 100644

index 0000000000..6025f0cd33

--- /dev/null

+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml

@@ -0,0 +1,32 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Install policycoreutils-python-utils package'

+

+description: |-

+    {{{ describe_package_install(package="policycoreutils-python-utils") }}}

+

+rationale: |-

+    Security-enhanced Linux is a feature of the Linux kernel and a number of utilities

+    with enhanced security functionality designed to add mandatory access controls to Linux.

+    The Security-enhanced Linux kernel contains new architectural components originally

+    developed to improve security of the Flask operating system. These architectural components

+    provide general support for the enforcement of many kinds of mandatory access control

+    policies, including those based on the concepts of Type Enforcement, Role-based Access

+    Control, and Multi-level Security. 

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82724-6

+

+references:

+    srg: SRG-OS-000480-GPOS-00227 

+

+{{{ complete_ocil_entry_package(package='policycoreutils-python-utils') }}}

+

+template:

+    name: package_installed

+    vars:

+        pkgname: policycoreutils-python-utils

diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

new file mode 100644

index 0000000000..c418518e7a

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

@@ -0,0 +1,29 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Install crypto-policies package'

+

+description: |-

+    {{{ describe_package_install(package="crypto-policies") }}}

+

+rationale: |-

+    The <tt>crypto-policies</tt> package provides configuration and tools to

+    apply centralizet cryptographic policies for backends such as SSL/TLS libraries.

+    

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82723-8

+

+references:

+    ospp: FCS_COP*

+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174

+

+{{{ complete_ocil_entry_package(package='crypto-policies') }}}

+

+template:

+    name: package_installed

+    vars:

+        pkgname: crypto-policies

From 0c54cbf24a83e38c89841d4dc65a5fbe51fd2f99 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 10 Feb 2020 16:18:03 +0100

Subject: [PATCH 2/4] modify ospp profile

---

 rhel8/profiles/ospp.profile | 10 +++++-----

 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile

index 4d5a9edd8e..c672066050 100644

--- a/rhel8/profiles/ospp.profile

+++ b/rhel8/profiles/ospp.profile

@@ -169,17 +169,17 @@ selections:

     - package_dnf-plugin-subscription-manager_installed

     - package_firewalld_installed

     - package_iptables_installed

-    - package_libcap-ng-utils_installed

     - package_openscap-scanner_installed

     - package_policycoreutils_installed

     - package_rng-tools_installed

     - package_sudo_installed

     - package_usbguard_installed

-    - package_audispd-plugins_installed

     - package_scap-security-guide_installed

     - package_audit_installed

-    - package_gnutls-utils_installed

-    - package_nss-tools_installed

+    - package_crypto-policies_installed

+    - package_openssh-server_installed

+    - package_openssh-clients_installed

+    - package_policycoreutils-python-utils_installed

     ### Remove Prohibited Packages

     - package_sendmail_removed

@@ -316,7 +316,7 @@ selections:

     ## Configure the System to Offload Audit Records to a Log

     ##  Server

     ## AU-4(1) / FAU_GEN.1.1.c

-    - auditd_audispd_syslog_plugin_activated

+    # temporarily dropped

     ## Set Logon Warning Banner

     ## AC-8(a) / FMT_MOF_EXT.1

From 105efe3a51118eca22c36771ce22d45778a4c34f Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 10 Feb 2020 16:18:52 +0100

Subject: [PATCH 3/4] add rules to rhel8 stig profile

---

 rhel8/profiles/stig.profile | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile

index 821cc26914..7eb1869a3c 100644

--- a/rhel8/profiles/stig.profile

+++ b/rhel8/profiles/stig.profile

@@ -33,6 +33,9 @@ selections:

     - encrypt_partitions

     - sysctl_net_ipv4_tcp_syncookies

     - clean_components_post_updating

+    - package_audispd-plugins_installed

+    - package_libcap-ng-utils_installed

+    - auditd_audispd_syslog_plugin_activated

     # Configure TLS for remote logging

     - package_rsyslog_installed

From 1a5e17c9a6e3cb3ad6cc2cc4601ea49f2f6278ce Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 10 Feb 2020 17:42:43 +0100

Subject: [PATCH 4/4] rephrase some rationales, fix SFR

---

 .../ssh/package_openssh-clients_installed/rule.yml       | 4 +++-

 .../rule.yml                                             | 9 ++-------

 .../crypto/package_crypto-policies_installed/rule.yml    | 8 ++++----

 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml

index 9b3c55f23b..f5b29d32e8 100644

--- a/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml

+++ b/linux_os/guide/services/ssh/package_openssh-clients_installed/rule.yml

@@ -7,7 +7,9 @@ title: 'Install OpenSSH client software'

 description: |-

     {{{ describe_package_install(package="openssh-clients") }}}

-rationale: 'The <tt>openssh-clients</tt> package needs to be installed to meet OSPP criteria.'

+rationale: |-

+    This package includes utilities to make encrypted connections and transfer

+    files securely to SSH servers. 

 severity: medium

diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml

index 6025f0cd33..7ae7461077 100644

--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml

+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml

@@ -8,13 +8,8 @@ description: |-

     {{{ describe_package_install(package="policycoreutils-python-utils") }}}

 rationale: |-

-    Security-enhanced Linux is a feature of the Linux kernel and a number of utilities

-    with enhanced security functionality designed to add mandatory access controls to Linux.

-    The Security-enhanced Linux kernel contains new architectural components originally

-    developed to improve security of the Flask operating system. These architectural components

-    provide general support for the enforcement of many kinds of mandatory access control

-    policies, including those based on the concepts of Type Enforcement, Role-based Access

-    Control, and Multi-level Security. 

+    This package is required to operate and manage an SELinux environment and its policies.

+    It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox.

 severity: medium

diff --git a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

index c418518e7a..bb07f9d617 100644

--- a/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/package_crypto-policies_installed/rule.yml

@@ -8,9 +8,9 @@ description: |-

     {{{ describe_package_install(package="crypto-policies") }}}

 rationale: |-

-    The <tt>crypto-policies</tt> package provides configuration and tools to

-    apply centralizet cryptographic policies for backends such as SSL/TLS libraries.

-    

+    Centralized cryptographic policies simplify applying secure ciphers across an operating system and

+    the applications that run on that operating system. Use of weak or untested encryption algorithms

+    undermines the purposes of utilizing encryption to protect data.

 severity: medium

@@ -18,7 +18,7 @@ identifiers:

     cce@rhel8: 82723-8

 references:

-    ospp: FCS_COP*

+    ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4)

     srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174

 {{{ complete_ocil_entry_package(package='crypto-policies') }}}