From 7650bcb065d56cc5a45551b0ccfc4da570e0d4cd Mon Sep 17 00:00:00 2001 From: MITRE SAF Date: Sat, 23 Dec 2023 00:05:13 +0000 Subject: [PATCH] Automated ingestion of profiles Signed-off-by: MITRE SAF --- ...dhat-enterprise-linux-8-stig-baseline.json | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json index 768a7288..917fcd03 100644 --- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json +++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json 
@@ -2655,8 +2655,8 @@ "desc": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.", "descriptions": { "default": "It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. 
Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.", - "check": "If the device or operating system does not have a camera installed, this\nrequirement is not applicable.\n\n This requirement is not applicable to mobile devices (smartphones and\ntablets), where the use of the camera is a local AO decision.\n\n This requirement is not applicable to dedicated VTC suites located in\napproved VTC locations that are centrally managed.\n\n For an external camera, if there is not a method for the operator to\nmanually disconnect the camera at the end of collaborative computing sessions,\nthis is a finding.\n\n For a built-in camera, the camera must be protected by a camera cover\n(e.g., laptop camera cover slide) when not in use. If the built-in camera is\nnot protected with a camera cover, or is not physically disabled, this is a\nfinding.\n\n If the camera is not disconnected, covered, or physically disabled,\ndetermine if it is being disabled via software with the following commands:\n\n Determine if the camera is disabled via blacklist with the following\ncommand:\n\n $ sudo grep blacklist /etc/modprobe.d/*\n\n /etc/modprobe.d/blacklist.conf:blacklist uvcvideo\n\n Determine if a camera driver is in use with the following command:\n\n $ sudo dmesg | grep -i video\n\n [ 44.630131] ACPI: Video Device [VGA]\n [ 46.655714] input: Video Bus as\n/devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7\n [ 46.670133] videodev: Linux video capture interface: v2.00\n [ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)\n [ 47.235752] usbcore: registered new interface driver uvcvideo\n [ 47.235756] USB Video Class driver (1.1.1)\n\n If the camera driver blacklist is missing, a camera driver is determined to\nbe in use, and the collaborative computing device has not been authorized 
for\nuse, this is a finding.", - "fix": "Configure the operating system to disable the built-in or attached camera\nwhen not in use.\n\n First determine the driver being used by the camera with the following\ncommand:\n\n $ sudo dmesg | grep -i video\n\n [ 44.630131] ACPI: Video Device [VGA]\n [ 46.655714] input: Video Bus as\n/devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7\n [ 46.670133] videodev: Linux video capture interface: v2.00\n [ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)\n [ 47.235752] usbcore: registered new interface driver uvcvideo\n [ 47.235756] USB Video Class driver (1.1.1)\n\n Next, build or modify the \"/etc/modprobe.d/blacklist.conf\" file by using\nthe following example:\n\n ##Disable WebCam\n blacklist uvcvideo\n\n Reboot the system for the settings to take effect." + "check": "If the device or operating system does not have a camera installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.\n\nThis requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.\n\nFor an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.\n\nFor a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. 
If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.\n\nIf the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:\n\nVerify the operating system disables the ability to load the uvcvideo kernel module.\n\n$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall uvcvideo /bin/true\n\nIf the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the camera is disabled via blacklist with the following command:\n\n$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"blacklist\"\n\nblacklist uvcvideo\n\nIf the command does not return any output or the output is not \"blacklist uvcvideo\", and the collaborative computing device has not been authorized for use, this is a finding.", + "fix": "Configure the operating system to disable the built-in or attached camera when not in use.\n\nBuild or modify the \"/etc/modprobe.d/blacklist.conf\" file by using the following example:\n\ninstall uvcvideo /bin/true\nblacklist uvcvideo\n\nReboot the system for the settings to take effect." }, "impact": 0.5, "refs": [], @@ -2668,9 +2668,9 @@ "SRG-OS-000370-GPOS-00155" ], "gid": "V-230493", - "rid": "SV-230493r627750_rule", + "rid": "SV-230493r809316_rule", "stig_id": "RHEL-08-040020", - "fix_id": "F-33137r568226_fix", + "fix_id": "F-33137r809315_fix", "cci": [ "CCI-000381" ], 
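Review bot: in the @@ -2655 hunk, the revised check greps modprobe.d for the literal string "/bin/true", so a host configured with the equally effective `install uvcvideo /bin/false` would be written up as a finding even though the module can no longer be loaded; the text should accept either form (e.g. grep for `install uvcvideo`) or state explicitly that only /bin/true is acceptable. The substantive improvement here is correct and worth keeping as written: `blacklist uvcvideo` alone only stops alias-based autoloading and does not prevent a manual `modprobe uvcvideo` or a dependency pull-in, which is why the new fix pairs it with the `install uvcvideo /bin/true` directive.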
@@ -2678,7 +2678,7 @@ "CM-7 a" ] }, - "code": "control 'SV-230493' do\n title 'RHEL 8 must cover or disable the built-in or attached camera when not\nin use.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.'\n desc 'check', 'If the device or operating system does not have a camera installed, this\nrequirement is not applicable.\n\n This requirement is not applicable to mobile devices (smartphones and\ntablets), where the use of the camera is a local AO decision.\n\n This requirement is not applicable to dedicated VTC suites located in\napproved VTC locations that are centrally managed.\n\n For an external camera, if there is not a method for the operator to\nmanually disconnect the camera at the end of collaborative computing sessions,\nthis is a finding.\n\n For a built-in camera, the camera must be protected by a camera cover\n(e.g., laptop camera cover slide) when not in use. 
If the built-in camera is\nnot protected with a camera cover, or is not physically disabled, this is a\nfinding.\n\n If the camera is not disconnected, covered, or physically disabled,\ndetermine if it is being disabled via software with the following commands:\n\n Determine if the camera is disabled via blacklist with the following\ncommand:\n\n $ sudo grep blacklist /etc/modprobe.d/*\n\n /etc/modprobe.d/blacklist.conf:blacklist uvcvideo\n\n Determine if a camera driver is in use with the following command:\n\n $ sudo dmesg | grep -i video\n\n [ 44.630131] ACPI: Video Device [VGA]\n [ 46.655714] input: Video Bus as\n/devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7\n [ 46.670133] videodev: Linux video capture interface: v2.00\n [ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)\n [ 47.235752] usbcore: registered new interface driver uvcvideo\n [ 47.235756] USB Video Class driver (1.1.1)\n\n If the camera driver blacklist is missing, a camera driver is determined to\nbe in use, and the collaborative computing device has not been authorized for\nuse, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the built-in or attached camera\nwhen not in use.\n\n First determine the driver being used by the camera with the following\ncommand:\n\n $ sudo dmesg | grep -i video\n\n [ 44.630131] ACPI: Video Device [VGA]\n [ 46.655714] input: Video Bus as\n/devices/LNXSYSTM:00/LNXSYBUS:00/LNXVIDEO:00/input/input7\n [ 46.670133] videodev: Linux video capture interface: v2.00\n [ 47.226424] uvcvideo: Found UVC 1.00 device WebCam (0402:7675)\n [ 47.235752] usbcore: registered new interface driver uvcvideo\n [ 47.235756] USB Video Class driver (1.1.1)\n\n Next, build or modify the \"/etc/modprobe.d/blacklist.conf\" file by using\nthe following example:\n\n ##Disable WebCam\n blacklist uvcvideo\n\n Reboot the system for the settings to take effect.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag 
satisfies: ['SRG-OS-000095-GPOS-00049', 'SRG-OS-000370-GPOS-00155']\n tag gid: 'V-230493'\n tag rid: 'SV-230493r627750_rule'\n tag stig_id: 'RHEL-08-040020'\n tag fix_id: 'F-33137r568226_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('camera_installed')\n describe kernel_module('uvcvideo') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n else\n impact 0.0\n describe 'Device or operating system does not have a camera installed' do\n skip 'Device or operating system does not have a camera installed, this control is Not Applicable.'\n end\n end\nend\n", + "code": "control 'SV-230493' do\n title 'RHEL 8 must cover or disable the built-in or attached camera when not\nin use.'\n desc 'It is detrimental for operating systems to provide, or install by\ndefault, functionality exceeding requirements or mission objectives. These\nunnecessary capabilities or services are often overlooked and therefore may\nremain unsecured. They increase the risk to the platform by providing\nadditional attack vectors.\n\n Failing to disconnect from collaborative computing devices (i.e., cameras)\ncan result in subsequent compromises of organizational information. 
Providing\neasy methods to physically disconnect from such devices after a collaborative\ncomputing session helps to ensure participants actually carry out the\ndisconnect activity without having to go through complex and tedious procedures.'\n desc 'check', 'If the device or operating system does not have a camera installed, this requirement is not applicable.\n\nThis requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.\n\nThis requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.\n\nFor an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.\n\nFor a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.\n\nIf the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:\n\nVerify the operating system disables the ability to load the uvcvideo kernel module.\n\n$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"/bin/true\"\n\ninstall uvcvideo /bin/true\n\nIf the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding.\n\nVerify the camera is disabled via blacklist with the following command:\n\n$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep \"blacklist\"\n\nblacklist uvcvideo\n\nIf the command does not return any output or the output is not \"blacklist uvcvideo\", and the collaborative computing device has not been authorized for use, this is a finding.'\n desc 'fix', 'Configure the operating system to disable the built-in or attached camera when not in use.\n\nBuild or modify the 
\"/etc/modprobe.d/blacklist.conf\" file by using the following example:\n\ninstall uvcvideo /bin/true\nblacklist uvcvideo\n\nReboot the system for the settings to take effect.'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000095-GPOS-00049'\n tag satisfies: ['SRG-OS-000095-GPOS-00049', 'SRG-OS-000370-GPOS-00155']\n tag gid: 'V-230493'\n tag rid: 'SV-230493r809316_rule'\n tag stig_id: 'RHEL-08-040020'\n tag fix_id: 'F-33137r809315_fix'\n tag cci: ['CCI-000381']\n tag nist: ['CM-7 a']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n elsif input('camera_installed')\n describe kernel_module('uvcvideo') do\n it { should_not be_loaded }\n it { should be_blacklisted }\n end\n else\n impact 0.0\n describe 'Device or operating system does not have a camera installed' do\n skip 'Device or operating system does not have a camera installed, this control is Not Applicable.'\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230493.rb", "line": 1 
@@ -5996,8 +5996,8 @@ "desc": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", "descriptions": { "default": "The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. 
Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.", - "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception\npolicy.\n\n Check that \"fapolicyd\" is in enforcement mode with the following command:\n\n $ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\n permissive = 0\n\n Check that fapolicyd employs a deny-all policy on system mounts with the\nfollowing commands:\n\n $ sudo tail /etc/fapolicyd/fapolicyd.rules\n\n allow exe=/usr/bin/python3.7 : ftype=text/x-python\n deny_audit perm=any pattern=ld_so : all\n deny perm=any all : all\n\n $ sudo cat /etc/fapolicyd/fapolicyd.mounts\n\n /dev/shm\n /run\n /sys/fs/cgroup\n /\n /home\n /boot\n /run/user/42\n /run/user/1000\n\n If fapolicyd is not running in enforcement mode on all system mounts with a\ndeny-all, permit-by-exception policy, this is a finding.", - "fix": "Configure RHEL 8 to employ a deny-all, permit-by-exception application\nwhitelisting policy with \"fapolicyd\" using the following command:\n\n Note: Running this command requires a root shell\n\n # mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf \"%s \", $3 }' >> 
/etc/fapolicyd/fapolicyd.mounts\n\n With the \"fapolicyd\" installed and enabled, configure the daemon to\nfunction in permissive mode until the whitelist is built correctly to avoid\nsystem lockout. Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file\nwith the following line:\n\n permissive = 1\n\n Build the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring\nthe last rule is \"deny perm=any all : all\".\n\n Once it is determined the whitelist is built correctly, set the fapolicyd\nto enforcing mode by editing the \"permissive\" line in the\n/etc/fapolicyd/fapolicyd.conf file.\n\n permissive = 0" + "check": "Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\nFor RHEL 8.4 systems and older:\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nFor RHEL 8.5 systems and newer:\n$ sudo tail /etc/fapolicyd/compiled.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\nIf fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.", + "fix": "Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\".\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nFor RHEL 8.4 systems and older:\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nFor RHEL 8.5 systems and newer:\nBuild the whitelist in a file within the \"/etc/fapolicyd/rules.d\" directory ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0" }, "impact": 0.5, "refs": [], @@ -6010,9 +6010,9 @@ "SRG-OS-000480-GPOS-00232" ], "gid": "V-244546", - "rid": "SV-244546r743887_rule", + "rid": "SV-244546r858730_rule", "stig_id": "RHEL-08-040137", - "fix_id": "F-47778r743886_fix", + "fix_id": "F-47778r858729_fix", "cci": [ "CCI-001764" ], 
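Review bot: in the @@ -5996 hunk, the check text still reads "Check that fapolicyd employs a deny-all policy on system mounts" even though the fapolicyd.mounts inspection and the `mount | egrep ... >> /etc/fapolicyd/fapolicyd.mounts` fix step were both removed; drop "on system mounts" so the sentence matches what is actually verified (the final rule of the active rules file). For RHEL 8.5 and newer the fix now directs the operator to write rules under /etc/fapolicyd/rules.d while the check inspects /etc/fapolicyd/compiled.rules; the fix should add that compiled.rules has to be regenerated (`fagenrules --load`, or a restart of the fapolicyd service) after editing rules.d, otherwise the check will be run against stale compiled rules.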
@@ -6020,7 +6020,7 @@ "CM-7 (2)" ] }, - "code": "control 'SV-244546' do\n title 'The RHEL 8 fapolicy module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.'\n desc 'The organization must identify authorized software programs and permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception\npolicy.\n\n Check that \"fapolicyd\" is in enforcement mode with the following command:\n\n $ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\n permissive = 0\n\n Check that fapolicyd employs a deny-all policy on system mounts with the\nfollowing commands:\n\n $ sudo tail /etc/fapolicyd/fapolicyd.rules\n\n allow exe=/usr/bin/python3.7 : ftype=text/x-python\n deny_audit perm=any pattern=ld_so : all\n deny perm=any all : all\n\n $ sudo cat /etc/fapolicyd/fapolicyd.mounts\n\n /dev/shm\n /run\n /sys/fs/cgroup\n /\n /home\n /boot\n /run/user/42\n /run/user/1000\n\n If fapolicyd is not running in enforcement mode on all system mounts with a\ndeny-all, permit-by-exception policy, this is a finding.'\n desc 'fix', %q(Configure RHEL 8 to employ a deny-all, permit-by-exception application\nwhitelisting policy with \"fapolicyd\" using the following command:\n\n Note: Running this command requires a root shell\n\n # mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf \"%s \", $3 }' >> /etc/fapolicyd/fapolicyd.mounts\n\n With the \"fapolicyd\" installed and enabled, configure the daemon to\nfunction in permissive mode until the whitelist is built correctly to avoid\nsystem lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file\nwith the following line:\n\n permissive = 1\n\n Build the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring\nthe last rule is \"deny perm=any all : all\".\n\n Once it is determined the whitelist is built correctly, set the fapolicyd\nto enforcing mode by editing the \"permissive\" line in the\n/etc/fapolicyd/fapolicyd.conf file.\n\n permissive = 0)\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-244546'\n tag rid: 'SV-244546r743887_rule'\n tag stig_id: 'RHEL-08-040137'\n tag fix_id: 'F-47778r743886_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe parse_config_file('/etc/fapolicyd/fapolicyd.conf') do\n its('permissive') { should eq 0 }\n end\n\n describe file('/etc/fapolicyd/fapolicyd.rules') do\n it { should exist }\n end\n\n describe file('/etc/fapolicyd/fapolicyd.rules').content.strip.split(\"\\n\")[-1] do\n it { should cmp 'deny all all' }\n end if file('/etc/fapolicyd/fapolicyd.rules').exist?\n\n system_mounts = command(\"mount | egrep '^tmpfs| ext4| ext3| xfs' | awk '{ printf \\\"%s\\\\n\\\", $3 }'\").stdout.split\n\n describe file('/etc/fapolicyd/fapolicyd.mounts') do\n it { should exist }\n end\n\n describe file('/etc/fapolicyd/fapolicyd.mounts') do\n its('content.split') { should match_array system_mounts }\n end if file('/etc/fapolicyd/fapolicyd.mounts').exist?\n end\nend\n", + "code": "control 'SV-244546' do\n title 'The RHEL 8 fapolicy module must be configured to employ a deny-all,\npermit-by-exception policy to allow the execution of authorized software\nprograms.'\n desc 'The organization must identify authorized software programs and 
permit\nexecution of authorized software. The process used to identify software\nprograms that are authorized to execute on organizational information systems\nis commonly referred to as whitelisting.\n\n Utilizing a whitelist provides a configuration management method for\nallowing the execution of only authorized software. Using only authorized\nsoftware decreases risk by limiting the number of potential vulnerabilities.\nVerification of whitelisted software occurs prior to execution or at system\nstartup.\n\n User home directories/folders may contain information of a sensitive\nnature. Non-privileged users should coordinate any sharing of information with\nan SA through shared resources.\n\n RHEL 8 ships with many optional packages. One such package is a file access\npolicy daemon called \"fapolicyd\". \"fapolicyd\" is a userspace daemon that\ndetermines access rights to files based on attributes of the process and file.\nIt can be used to either blacklist or whitelist processes or file access.\n\n Proceed with caution with enforcing the use of this daemon. Improper\nconfiguration may render the system non-functional. 
The \"fapolicyd\" API is\nnot namespace aware and can cause issues when launching or running containers.'\n desc 'check', 'Verify the RHEL 8 \"fapolicyd\" employs a deny-all, permit-by-exception policy.\n\nCheck that \"fapolicyd\" is in enforcement mode with the following command:\n\n$ sudo grep permissive /etc/fapolicyd/fapolicyd.conf\n\npermissive = 0\n\nCheck that fapolicyd employs a deny-all policy on system mounts with the following commands:\n\nFor RHEL 8.4 systems and older:\n$ sudo tail /etc/fapolicyd/fapolicyd.rules\n\nFor RHEL 8.5 systems and newer:\n$ sudo tail /etc/fapolicyd/compiled.rules\n\nallow exe=/usr/bin/python3.7 : ftype=text/x-python\ndeny_audit perm=any pattern=ld_so : all\ndeny perm=any all : all\n\nIf fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.'\n desc 'fix', 'Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with \"fapolicyd\".\n\nWith the \"fapolicyd\" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. 
Do this by editing the \"/etc/fapolicyd/fapolicyd.conf\" file with the following line:\n\npermissive = 1\n\nFor RHEL 8.4 systems and older:\nBuild the whitelist in the \"/etc/fapolicyd/fapolicyd.rules\" file ensuring the last rule is \"deny perm=any all : all\".\n\nFor RHEL 8.5 systems and newer:\nBuild the whitelist in a file within the \"/etc/fapolicyd/rules.d\" directory ensuring the last rule is \"deny perm=any all : all\".\n\nOnce it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the \"permissive\" line in the /etc/fapolicyd/fapolicyd.conf file.\n\npermissive = 0'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000368-GPOS-00154'\n tag satisfies: ['SRG-OS-000368-GPOS-00154', 'SRG-OS-000370-GPOS-00155', 'SRG-OS-000480-GPOS-00232']\n tag gid: 'V-244546'\n tag rid: 'SV-244546r858730_rule'\n tag stig_id: 'RHEL-08-040137'\n tag fix_id: 'F-47778r858729_fix'\n tag cci: ['CCI-001764']\n tag nist: ['CM-7 (2)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe parse_config_file('/etc/fapolicyd/fapolicyd.conf') do\n its('permissive') { should cmp 0 }\n end\n\n rules_file = '/etc/fapolicyd/compiled.rules'\n if os.release.to_f < 8.4\n rules_file = '/etc/fapolicyd/fapolicyd.rules'\n end\n\n describe file(rules_file) do\n it { should exist }\n end\n\n describe file(rules_file).content.strip.split(\"\\n\")[-1] do\n it { should cmp 'deny perm=any all : all' }\n end if file(rules_file).exist?\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-244546.rb", "line": 1 @@ -15578,7 +15578,7 @@ "id": "controls/SV-244548.rb" } ], - "sha256": "83c0c27b7185180571e1a64c536202de25fcde6d6ab448ca652b5a658ea910f3", + "sha256": "d6946b9f8e0ae5bf1961967f843d6371045682587312790255ede015436c3f81", "status_message": "", "status": "loaded", "generator": {