added compliance checks

vickeybrown · vickeybrown · commit 0abbd3276edc · 2026-04-28T15:52:15.000-05:00
update

# Conflicts:
#	shared/references/cce-redhat-avail.txt
diff --git a/components/at.yml b/components/at.yml
@@ -3,4 +3,7 @@ packages:
 - at
 rules:
 - file_at_deny_not_exist
+- file_permissions_at_binaries
 - service_atd_disabled
+templates:
+- file_permissions
diff --git a/components/dnf.yml b/components/dnf.yml
@@ -4,6 +4,7 @@ packages:
 - dnf-automatic
 - dnf-plugin-subscription-manager
 - libdnf-plugin-subscription-manager
+- python3-dnf
 rules:
 - clean_components_post_updating
 - disable_weak_deps
@@ -12,6 +13,9 @@ rules:
 - ensure_gpgcheck_local_packages
 - ensure_gpgcheck_never_disabled
 - ensure_gpgcheck_repo_metadata
+- file_permissions_dnf_binaries
 - package_dnf-automatic_installed
 - package_dnf-plugin-subscription-manager_installed
 - package_libdnf-plugin-subscription-manager_installed
+templates:
+- file_permissions
diff --git a/components/nmap-ncat.yml b/components/nmap-ncat.yml
@@ -0,0 +1,7 @@
+name: nmap-ncat
+packages:
+- nmap-ncat
+rules:
+- file_permissions_nmap_ncat_binaries
+templates:
+- file_permissions
diff --git a/components/socat.yml b/components/socat.yml
@@ -0,0 +1,7 @@
+name: socat
+packages:
+- socat
+rules:
+- file_permissions_socat_binaries
+templates:
+- file_permissions
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'Restrict Execution of At Job Scheduling Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, job scheduling utilities such as at should have their execute
+    permissions removed to prevent unauthorized task scheduling.
+    {{{ describe_file_permissions(file="/usr/bin/at", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atq", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atrm", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/batch", perms="0000") }}}
+
+rationale: |-
+    The at package provides the ability to schedule one-time tasks for future
+    execution. While not installed by default on RHCOS, if present, attackers
+    could use these utilities to schedule malicious tasks, making it harder to
+    detect and trace unauthorized activity. On immutable systems like RHCOS,
+    removing execute permissions prevents these tools from being used while
+    maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86492-6
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/at", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atq", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/atrm", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/batch", perms="0000") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath:
+            - /usr/bin/at
+            - /usr/bin/atq
+            - /usr/bin/atrm
+            - /usr/bin/batch
+        filemode: '0000'
+        missing_file_pass: 'true'
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/correct.pass.sh b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/correct.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with correct permissions (0000)
+touch /usr/bin/at
+touch /usr/bin/atq
+touch /usr/bin/atrm
+touch /usr/bin/batch
+chmod 0000 /usr/bin/at
+chmod 0000 /usr/bin/atq
+chmod 0000 /usr/bin/atrm
+chmod 0000 /usr/bin/batch
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/missing_files.pass.sh b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/missing_files.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binaries - should pass because missing_file_pass: true
+rm -f /usr/bin/at
+rm -f /usr/bin/atq
+rm -f /usr/bin/atrm
+rm -f /usr/bin/batch
diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/wrong_permissions.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with wrong permissions (0755)
+touch /usr/bin/at
+touch /usr/bin/atq
+touch /usr/bin/atrm
+touch /usr/bin/batch
+chmod 0755 /usr/bin/at
+chmod 0755 /usr/bin/atq
+chmod 0755 /usr/bin/atrm
+chmod 0755 /usr/bin/batch
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: 'Restrict Execution of DNF Package Manager Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, package management utilities such as dnf and yum should have their
+    execute permissions removed to prevent unauthorized package installation.
+    {{{ describe_file_permissions(file="/usr/bin/dnf", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/dnf-3", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/yum", perms="0000") }}}
+
+rationale: |-
+    The dnf and python3-dnf packages provide package management utilities for
+    installing, updating, and removing software. RHCOS is designed to be an
+    immutable operating system managed through atomic upgrades and containerization.
+    Retaining these utilities with execute permissions allows unauthorized users
+    to install or modify packages, potentially compromising system integrity.
+    On immutable systems like RHCOS, removing execute permissions prevents
+    unauthorized package management while maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86494-2
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/dnf", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/dnf-3", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/yum", perms="0000") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath:
+            - /usr/bin/dnf
+            - /usr/bin/dnf-3
+            - /usr/bin/yum
+        filemode: '0000'
+        missing_file_pass: 'true'
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/correct.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/correct.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with correct permissions (0000)
+touch /usr/bin/dnf
+touch /usr/bin/dnf-3
+touch /usr/bin/yum
+chmod 0000 /usr/bin/dnf
+chmod 0000 /usr/bin/dnf-3
+chmod 0000 /usr/bin/yum
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/missing_files.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/missing_files.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binaries - should pass because missing_file_pass: true
+rm -f /usr/bin/dnf
+rm -f /usr/bin/dnf-3
+rm -f /usr/bin/yum
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/wrong_permissions.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with wrong permissions (0755)
+touch /usr/bin/dnf
+touch /usr/bin/dnf-3
+touch /usr/bin/yum
+chmod 0755 /usr/bin/dnf
+chmod 0755 /usr/bin/dnf-3
+chmod 0755 /usr/bin/yum
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+title: 'Restrict Execution of Netcat Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, network utilities such as netcat should have their execute permissions
+    removed to prevent unauthorized use.
+    {{{ describe_file_permissions(file="/usr/bin/ncat", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/nc", perms="0000") }}}
+
+rationale: |-
+    Utilities such as netcat can be used for legitimate troubleshooting,
+    but they also present a significant security risk if misused by attackers
+    to create unauthorized network connections, transfer data, or establish
+    reverse shells. On immutable operating systems like RHCOS, removing execute
+    permissions prevents these tools from being used while maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86483-5
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/ncat", perms="0000") }}}
+    {{{ describe_file_permissions(file="/usr/bin/nc", perms="0000") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath:
+            - /usr/bin/ncat
+            - /usr/bin/nc
+        filemode: '0000'
+        missing_file_pass: 'true'
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/correct.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with correct permissions (0000)
+touch /usr/bin/ncat
+touch /usr/bin/nc
+chmod 0000 /usr/bin/ncat
+chmod 0000 /usr/bin/nc
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/missing_files.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/missing_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binaries - should pass because missing_file_pass: true
+rm -f /usr/bin/ncat
+rm -f /usr/bin/nc
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/wrong_permissions.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binaries with wrong permissions (0755)
+touch /usr/bin/ncat
+touch /usr/bin/nc
+chmod 0755 /usr/bin/ncat
+chmod 0755 /usr/bin/nc
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Restrict Execution of Socat Binaries'
+
+description: |-
+    On RHCOS, packages in the base image cannot be removed. As a compensating
+    control, network utilities such as socat should have their execute permissions
+    removed to prevent unauthorized use.
+    {{{ describe_file_permissions(file="/usr/bin/socat", perms="0000") }}}
+
+rationale: |-
+    Utilities such as socat can be used for legitimate troubleshooting,
+    but they also present a significant security risk if misused by attackers
+    to create unauthorized network connections, transfer data, or establish
+    reverse shells. On immutable operating systems like RHCOS, removing execute
+    permissions prevents these tools from being used while maintaining system integrity.
+
+severity: high
+
+identifiers:
+    cce@rhcos4: CCE-86484-3
+
+platform: rhcos4
+
+ocil: |-
+    {{{ describe_file_permissions(file="/usr/bin/socat", perms="0000") }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /usr/bin/socat
+        filemode: '0000'
+        missing_file_pass: 'true'
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/correct.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binary with correct permissions (0000)
+touch /usr/bin/socat
+chmod 0000 /usr/bin/socat
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/missing_file.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/missing_file.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Remove binary - should pass because missing_file_pass: true
+rm -f /usr/bin/socat
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/wrong_permissions.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Create binary with wrong permissions (0755)
+touch /usr/bin/socat
+chmod 0755 /usr/bin/socat
diff --git a/products/rhcos4/profiles/default.profile b/products/rhcos4/profiles/default.profile
@@ -186,6 +186,10 @@ selections:
     - file_permissions_backup_etc_group
     - etc_system_fips_exists
     - package_net-snmp_removed
+    - file_permissions_at_binaries
+    - file_permissions_dnf_binaries
+    - file_permissions_nmap_ncat_binaries
+    - file_permissions_socat_binaries
     - package_fapolicyd_installed
     - audit_rules_for_ospp
     - sshd_enable_pam
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,7 +1,3 @@
-CCE-86483-5
-CCE-86484-3
-CCE-86492-6
-CCE-86494-2
 CCE-86497-5
 CCE-86498-3
 CCE-86499-1
