From 6f72c4bda4825293c39d32373040b4c049a0615b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 5 Dec 2018 10:47:34 +0100 Subject: [PATCH] Split rule installed_OS_is certified Split rule installed_OS_is certified to 2 rules: * installed OS is vendor supported (is RHEL) * installed OS has received FIPS certification The original intention of the rule installed_OS_is_certified was to serve as dependency for FIPS-related checks such as grub2_enable_FIPS_mode. Over the time new requirements have been added to ensure Red Hat Enterprise Linux is evaluated (and not CentOS). The rules that require FIPS certification will now depend on 'installed_OS_is_FIPS_certified'. The profiles will contain 'installed_OS_is_vendor_supported' --- fedora/profiles/ospp.profile | 2 +- .../sshd_use_approved_ciphers/oval/shared.xml | 2 +- .../sshd_use_approved_macs/oval/shared.xml | 2 +- .../oval/shared.xml | 11 +++-- .../installed_OS_is_FIPS_certified/rule.yml | 44 +++++++++++++++++++ .../oval/shared.xml | 21 +++++++++ .../rule.yml | 25 +++++------ .../grub2_enable_fips_mode/oval/shared.xml | 2 +- .../oval/shared.xml | 2 +- .../aide/aide_use_fips_hashes/oval/shared.xml | 2 +- rhel7/profiles/ospp.profile | 2 +- rhel7/profiles/ospp42.profile | 2 +- rhel7/profiles/stig-rhel7-disa.profile | 2 +- rhel8/profiles/ospp.profile | 2 +- 14 files changed, 90 insertions(+), 31 deletions(-) rename linux_os/guide/system/software/integrity/certified-vendor/{installed_OS_is_certified => installed_OS_is_FIPS_certified}/oval/shared.xml (69%) create mode 100644 linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml create mode 100644 linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml rename linux_os/guide/system/software/integrity/certified-vendor/{installed_OS_is_certified => installed_OS_is_vendor_supported}/rule.yml (54%) 
diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile index c115ab6bce..0ba407bfc8 100644 --- a/fedora/profiles/ospp.profile +++ b/fedora/profiles/ospp.profile @@ -13,7 +13,7 @@ description: |- similar to the one mandated by US National Security Systems. selections: - - installed_OS_is_certified + - installed_OS_is_vendor_supported - grub2_audit_argument - grub2_audit_backlog_limit_argument - service_auditd_enabled diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml index 5a4e3a1f9b..0e66bbee28 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml @@ -8,7 +8,7 @@ Limit the ciphers to those which are FIPS-approved. - + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml index 2aed2ec9ad..0e6d1e88ce 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml @@ -9,7 +9,7 @@ Limit the Message Authentication Codes (MACs) to those which are FIPS-approved. - + diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml similarity index 69% rename from linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/oval/shared.xml rename to linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml index 256c3b289c..6599c3eeee 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/oval/shared.xml 
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml @@ -1,16 +1,15 @@ - + - Vendor Certified Operating System + FIPS 140-2 Certified Operating System multi_platform_rhel multi_platform_rhosp multi_platform_fedora - The operating system installed on the system is - a certified vendor operating system and meets government - requirements/certifications such as FIPS, NIAP, etc. + + The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements. + diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml new file mode 100644 index 0000000000..ffdc4825d6 --- /dev/null +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml 
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel6,rhel7,rhel8,fedora,ol7
+
+title: 'The Installed Operating System Is FIPS 140-2 Certified'
+
+description: |-
+ To enable processing of sensitive information the operating system must
+ provide certified cryptographic modules compliant with FIPS 140-2
+ standard.
+ {{% if product in ["rhel6", "rhel7"] %}}
+ Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
+ Linux vendor, Red Hat, Inc. is responsible for maintaining government certifications and standards.
+ {{% endif %}}
+
+rationale: |-
+ The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS
+ PUB 140-2) is a computer security standard. The standard specifies security
+ requirements for cryptographic modules used to protect sensitive
+ unclassified information. Refer to the full FIPS 140-2 standard at
+ {{{ weblink(link="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf") }}}
+ for further details on the requirements.
+ FIPS 140-2 validation is required by U.S. law when information systems use
+ cryptography to protect sensitive government information. In order to
+ achieve FIPS 140-2 certification, cryptographic modules are subject to
+ extensive testing by independent laboratories, accredited by National
+ Institute of Standards and Technology (NIST).
+
+warnings:
+ - general: |-
+ There is no remediation besides switching to a different operating system.
+
+severity: high
+
+ocil_clause: 'the installed operating system is not FIPS 140-2 certified'
+
+{{% if product in ["rhel6", "rhel7"] %}}
+ocil: |-
+ To verify that the installed operating system is supported or certified, run
+ the following command:
+
$ grep -i "red hat" /etc/redhat-release
+ The output should contain something similar to: +
{{{ full_name }}}
+{{% endif %}} diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml new file mode 100644 index 0000000000..37f55dfa8c --- /dev/null +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml @@ -0,0 +1,21 @@ + + + + Vendor Supported Operating System + + multi_platform_rhel + multi_platform_rhosp + multi_platform_fedora + + + The operating system installed on the system is supported by a vendor that provides security patches. + + + + + + + + + + diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml similarity index 54% rename from linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/rule.yml rename to linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index bfec874ff7..6c5afede5d 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_certified/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml 
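Review bot: The `ocil` text at the end of the new installed_OS_is_FIPS_certified/rule.yml was carried over from the vendor-support rule and does not test what the rule claims: it still reads "supported or certified", and its only step is `grep -i "red hat" /etc/redhat-release`, which identifies the distribution but says nothing about FIPS 140-2 status. An assessor following it would pass any Red Hat release, although the rationale in the same file says certification is earned by tested cryptographic modules, so it is presumably tied to specific releases. I would reword the opening to `To verify that the installed operating system is FIPS 140-2 certified,` and add a step that compares the release shown with the vendor's published list of validated modules. The file also has no `references:` or `identifiers:` block, and both the vendor paragraph and `ocil` are guarded by `product in ["rhel6", "rhel7"]` while `prodtype` lists rhel8, fedora and ol7, which leaves those products with an `ocil_clause` and no procedure.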
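Review bot: The new installed_OS_is_vendor_supported/oval/shared.xml names only `multi_platform_rhel`, `multi_platform_rhosp` and `multi_platform_fedora` as affected platforms, while the rule it backs keeps `ol7` in `prodtype` and has an Oracle Linux branch in its description. If the build selects checks by platform, as it appears to, Oracle Linux 7 content would carry this high-severity rule without an automated check. The criteria markup is not readable on this page, so I cannot tell whether an Oracle Linux test is referenced; if it is not, the file should list the Oracle Linux platform and reference a matching test, or `ol7` should be dropped from the rule's `prodtype`.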
@@ -2,26 +2,24 @@ documentation_complete: true
 prodtype: rhel6,rhel7,rhel8,fedora,ol7
-title: 'The Installed Operating System Is Vendor Supported and Certified'
+title: 'The Installed Operating System Is Vendor Supported'
 description: |-
- The installed operating system must be maintained and certified by a vendor.
+ The installed operating system must be maintained by a vendor.
 {{% if product == "ol7" %}}
 Oracle Linux is supported by Oracle Corporation. As the Oracle
- Linux vendor, Oracle Corporation is responsible for providing security patches as well
- as meeting and maintaining goverment certifications and standards.
+ Linux vendor, Oracle Corporation is responsible for providing security patches.
 {{% else %}}
 Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise
- Linux vendor, Red Hat, Inc. is responsible for providing security patches as well
- as meeting and maintaining goverment certifications and standards.
+ Linux vendor, Red Hat, Inc. is responsible for providing security patches.
 {{% endif %}}
 rationale: |-
- An operating system is considered "supported" if the vendor continues to provide
- security patches for the product as well as maintain government certification requirements.
- With an unsupported release, it will not be possible to resolve security issue discovered in
- the system software as well as meet government certifications.
+ An operating system is considered "supported" if the vendor continues to
+ provide security patches for the product. With an unsupported release, it
+ will not be possible to resolve any security issue discovered in the system
+ software.
 warnings:
 - general: |-
@@ -29,20 +27,17 @@ warnings:
 severity: high
-identifiers:
- cce@rhel7: 80349-4
-
 references:
 disa: "366"
 nist: SI-2(c)
 srg: SRG-OS-000480-GPOS-00227
 stigid@rhel7: "020250"
-ocil_clause: 'the installed operating system is not supported or certified'
+ocil_clause: 'the installed operating system is not supported'
 {{% if product in ["rhel6", "rhel7"] %}}
 ocil: |-
- To verify that the installed operating system is supported or certified, run
+ To verify that the installed operating system is supported, run
 the following command:
$ grep -i "red hat" /etc/redhat-release
The output should contain something similar to: diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml index b8f84e32d3..0ce11f6eef 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml @@ -10,7 +10,7 @@ Look for argument fips=1 in the kernel line in /etc/default/grub. - + diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml index 1483429a6a..69a42f9a11 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml @@ -14,7 +14,7 @@ The RPM package dracut-fips should be installed. - + diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml index 037b22e945..de1bba8c27 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml @@ -9,7 +9,7 @@ cryptographic hashes. - + diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile index e0d9b02c38..d978c16a21 100644 --- a/rhel7/profiles/ospp.profile +++ b/rhel7/profiles/ospp.profile @@ -33,7 +33,7 @@ description: |- consensus and release processes. selections: - - installed_OS_is_certified + - installed_OS_is_vendor_supported - login_banner_text=usgcb_default - inactivity_timeout_value=15_minutes - var_password_pam_minlen=15 
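Review bot: Dropping `identifiers:` / `cce@rhel7: 80349-4` in this hunk leaves the CCE on neither rule, since the new installed_OS_is_FIPS_certified/rule.yml added by the same patch has no `identifiers:` block. The `nist: SI-2(c)` and `stigid@rhel7: "020250"` references stay here and the profiles now select this rule, so tooling that maps RHEL 7 results by CCE would lose the entry for the check the profiles actually run. Unless the identifier is being retired on purpose, keep the two lines in this rule, or say in the commit message which rule should own it. The file continues past the end of the hunk.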
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
index dd157a6e5b..dbd19355ac 100644
--- a/rhel7/profiles/ospp42.profile
+++ b/rhel7/profiles/ospp42.profile
@@ -13,7 +13,7 @@ description: |-
 in US National Security Systems.
 selections:
- - installed_OS_is_certified
+ - installed_OS_is_vendor_supported
 - grub2_audit_argument
 - grub2_audit_backlog_limit_argument
 - service_auditd_enabled
diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile
index 3fe2869f69..7200e9dc8a 100644
--- a/rhel7/profiles/stig-rhel7-disa.profile
+++ b/rhel7/profiles/stig-rhel7-disa.profile
@@ -119,7 +119,7 @@ selections:
 - selinux_policytype
 - disable_ctrlaltdel_reboot
 - accounts_umask_etc_login_defs
- - installed_OS_is_certified
+ - installed_OS_is_vendor_supported
 - security_patches_up_to_date
 - gid_passwd_group_same
 - accounts_no_uid_except_zero
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 27613eee55..ee1dcbe227 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -8,7 +8,7 @@ description: |-
 Operating Systems (Protection Profile Version 4.2).
 selections:
- - installed_OS_is_certified
+ - installed_OS_is_vendor_supported
 - grub2_audit_argument
 - grub2_audit_backlog_limit_argument
 - service_auditd_enabled