
76240a
From 278f3b476291d69e45da4dcdfca5a308646224f2 Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Mon, 19 Jul 2021 09:49:57 -0500
76240a
Subject: [PATCH 1/2] Add more checks for bios_enable_execution_restrictions to
76240a
 ensure we don't miss anything
76240a
76240a
---
76240a
 .../oval/shared.xml                            | 18 ++++++++++++++++++
76240a
 .../rule.yml                                   |  3 ++-
76240a
 products/rhel8/profiles/stig.profile           |  1 +
76240a
 .../data/profile_stability/rhel8/stig.profile  |  1 +
76240a
 .../profile_stability/rhel8/stig_gui.profile   |  1 +
76240a
 5 files changed, 23 insertions(+), 1 deletion(-)
76240a
 create mode 100644 linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
76240a
76240a
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
76240a
new file mode 100644
76240a
index 00000000000..622a183f99f
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
76240a
@@ -0,0 +1,18 @@
76240a
+<def-group>
76240a
+    <definition class="compliance" id="bios_enable_execution_restrictions" version="2">
76240a
+        {{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}}
76240a
+        <criteria>
76240a
+            <criterion comment="NX bit is set" test_ref="test_NX_cpu_support" />
76240a
+        </criteria>
76240a
+    </definition>
76240a
+
76240a
+    <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="CPUs support for NX bit" id="test_NX_cpu_support" version="1">
76240a
+        <ind:object object_ref="obj_NX_cpu_support" />
76240a
+    </ind:textfilecontent54_test>
76240a
+
76240a
+    <ind:textfilecontent54_object id="obj_NX_cpu_support" version="1">
76240a
+        <ind:filepath>/proc/cpuinfo</ind:filepath>
76240a
+        <ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx[\s]+.*$</ind:pattern>
76240a
+        <ind:instance datatype="int">1</ind:instance>
76240a
+    </ind:textfilecontent54_object>
76240a
+</def-group>
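Review bot: The cpuinfo pattern `^flags[\s]+:.*[\s]+nx[\s]+.*$` requires whitespace after `nx`, so a flags line on which `nx` is the last token does not match and the all_exist test reports a failure on a CPU that does support NX. Anchoring on end-of-line as well fixes that without widening the match: `<ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx([\s]+.*)?$</ind:pattern>`. This object only shows that the CPU advertises the feature, not that the kernel has it active; the second patch in this series adds the cmdline and log tests, so that gap is addressed there. Since rule.yml sets `platform: machine`, on architectures whose /proc/cpuinfo has no `flags` line (presumably aarch64, which uses `Features`) the test fails unconditionally — consider scoping the definition to the architectures it is written for, or saying so in the definition comment.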
76240a
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
76240a
index 4ca003520ac..b037e374f5b 100644
76240a
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
76240a
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/rule.yml
76240a
@@ -14,7 +14,7 @@ rationale: |-
76240a
     Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
76240a
     allow users to turn the feature on or off at will.
76240a
 
76240a
-severity: unknown
76240a
+severity: medium
76240a
 
76240a
 identifiers:
76240a
     cce@rhel7: CCE-27099-1
76240a
@@ -31,5 +31,6 @@ references:
76240a
     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
76240a
     nist: SC-39,CM-6(a)
76240a
     nist-csf: PR.IP-1
76240a
+    stig@rhel8: RHEL-08-010420
76240a
 
76240a
 platform: machine
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 5a0a520ee0a..6372d13cfc9 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -260,6 +260,7 @@ selections:
76240a
     - package_opensc_installed
76240a
 
76240a
     # RHEL-08-010420
76240a
+    - bios_enable_execution_restrictions
76240a
 
76240a
     # RHEL-08-010421
76240a
     - grub2_page_poison_argument
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index 4be3cf93c25..32f1a24a7a4 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -74,6 +74,7 @@ selections:
76240a
 - auditd_log_format
76240a
 - auditd_name_format
76240a
 - banner_etc_issue
76240a
+- bios_enable_execution_restrictions
76240a
 - chronyd_client_only
76240a
 - chronyd_no_chronyc_network
76240a
 - chronyd_or_ntpd_set_maxpoll
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 20b8a54861e..d6a27c67dc0 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -85,6 +85,7 @@ selections:
76240a
 - auditd_log_format
76240a
 - auditd_name_format
76240a
 - banner_etc_issue
76240a
+- bios_enable_execution_restrictions
76240a
 - chronyd_client_only
76240a
 - chronyd_no_chronyc_network
76240a
 - chronyd_or_ntpd_set_maxpoll
76240a
76240a
From dac8111b4d89a31cbaa5648f876bd58575a93e86 Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Mon, 19 Jul 2021 09:51:34 -0500
76240a
Subject: [PATCH 2/2] Add oval check for bios_enable_execution_restrictions
76240a
76240a
---
76240a
 .../oval/shared.xml                           | 24 ++++++++++++++++++-
76240a
 1 file changed, 23 insertions(+), 1 deletion(-)
76240a
76240a
diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
76240a
index 622a183f99f..7cc448f8cce 100644
76240a
--- a/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
76240a
+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions/oval/shared.xml
76240a
@@ -1,8 +1,10 @@
76240a
 <def-group>
76240a
     <definition class="compliance" id="bios_enable_execution_restrictions" version="2">
76240a
         {{{ oval_metadata("The NX (no-execution) bit flag should be set on the system.") }}}
76240a
-        <criteria>
76240a
+        <criteria operator="AND">
76240a
             <criterion comment="NX bit is set" test_ref="test_NX_cpu_support" />
76240a
+            <criterion comment="No log messages about NX being disabled" test_ref="test_messages_nx_active" />
76240a
+            <criterion comment="NX is not disabled in the kernel command line" test_ref="test_noexec_cmd_line" />
76240a
         </criteria>
76240a
     </definition>
76240a
 
76240a
@@ -10,9 +12,29 @@
76240a
         <ind:object object_ref="obj_NX_cpu_support" />
76240a
     </ind:textfilecontent54_test>
76240a
 
76240a
+    <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_messages_nx_active" version="1" comment="No log messages about NX being disabled">
76240a
+        <ind:object object_ref="obj_messages_nx_active" />
76240a
+    </ind:textfilecontent54_test>
76240a
+
76240a
+    <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_noexec_cmd_line" version="1" comment="NX is not disabled in the kernel command line">
76240a
+        <ind:object object_ref="obj_noexec_cmd_line" />
76240a
+    </ind:textfilecontent54_test>
76240a
+
76240a
     <ind:textfilecontent54_object id="obj_NX_cpu_support" version="1">
76240a
         <ind:filepath>/proc/cpuinfo</ind:filepath>
76240a
         <ind:pattern operation="pattern match">^flags[\s]+:.*[\s]+nx[\s]+.*$</ind:pattern>
76240a
         <ind:instance datatype="int">1</ind:instance>
76240a
     </ind:textfilecontent54_object>
76240a
+
76240a
+    <ind:textfilecontent54_object id="obj_messages_nx_active" version="1">
76240a
+        <ind:filepath>/var/log/messages</ind:filepath>
76240a
+        <ind:pattern operation="pattern match">^.+protection: disabled.+</ind:pattern>
76240a
+        <ind:instance datatype="int">1</ind:instance>
76240a
+    </ind:textfilecontent54_object>
76240a
+
76240a
+    <ind:textfilecontent54_object id="obj_noexec_cmd_line" version="1">
76240a
+        <ind:filepath>/proc/cmdline</ind:filepath>
76240a
+        <ind:pattern operation="pattern match">.+noexec[0-9]*=off.+</ind:pattern>
76240a
+        <ind:instance datatype="int">1</ind:instance>
76240a
+    </ind:textfilecontent54_object>
76240a
 </def-group>
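Review bot: The cmdline pattern `.+noexec[0-9]*=off.+` needs at least one character after `off`, so `noexec=off` as the final kernel parameter — the usual placement when it is appended to the boot line — is not matched and the none_exist test passes even though NX has been disabled; `(^|\s)noexec[0-9]*=off(\s|$)` matches that case and also stops a longer parameter name from matching. The messages test is best-effort: none_exist is satisfied whenever /var/log/messages is absent or the boot messages have been rotated out, so it cannot on its own show NX is active — a comment on obj_messages_nx_active stating that the cmdline and cpuinfo tests are the authoritative ones would help the next maintainer. Also `^.+protection: disabled.+` is not tied to the NX message (as far as I recall the kernel's line begins `NX (Execute Disable) protection:`), so including `NX` in the pattern would avoid failing the rule on an unrelated "protection: disabled" log line.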