Merge pull request #14637 from macko1/update_rhel8_disa_stig_to_v2r7

DISA STIG: Update RHEL8 V2R6 → V2R7

Author: Mab879

linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/policy/stig/shared.yml

@@ -7,9 +7,7 @@ vuldiscussion: |-
 
 
 checktext: |-
-    Note: For systems that use BIOS, this requirement is Not Applicable.
-
-    Note: If the /boot/efi partition is mounted with a vfat filesystem, this requirement is Not Applicable.
+    Note: For systems that use BIOS, this requirement is not applicable.
 
     Verify the /boot/efi directory is mounted with the "nosuid" option with the following command:
 

linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/rule.yml

@@ -33,7 +33,6 @@ template:
     vars:
         mountpoint: /boot/efi
         mountoption: nosuid
-        exclude_filesystem_type: vfat
     backends:
         anaconda: "off"
 

linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/tests/vfat_with_nosuid.pass.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 
 # This test verifies that the rule passes when /boot/efi is mounted with vfat filesystem
-# Even with nosuid set, vfat is excluded from the requirement (nosuid has no effect on vfat)
 
 # packages = dosfstools
 
@@ -14,7 +13,7 @@ VFAT_PARTITION="/root/vfat_partition"
 dd if=/dev/zero of=$VFAT_PARTITION bs=1M count=50
 mkfs.vfat $VFAT_PARTITION
 
-# Add to fstab with nosuid option (should still pass because vfat is excluded)
+# Add to fstab with nosuid option
 mkdir -p /boot/efi
 echo "$VFAT_PARTITION /boot/efi vfat rw,nosuid,relatime,loop 0 0" >> /etc/fstab
 

…nosuid/tests/vfat_without_nosuid.pass.sh …nosuid/tests/vfat_without_nosuid.fail.shlinux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/tests/vfat_without_nosuid.pass.sh renamed to linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/tests/vfat_without_nosuid.fail.sh linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/tests/vfat_without_nosuid.pass.sh renamed to linux_os/guide/system/permissions/partitions/mount_option_boot_efi_nosuid/tests/vfat_without_nosuid.fail.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-# This test verifies that the rule passes when /boot/efi is mounted with vfat filesystem
-# The nosuid requirement is not applicable to vfat filesystems
+# This test verifies that the rule fails when /boot/efi
+# is mounted with vfat without the nosuid option
 
 # packages = dosfstools
 
@@ -14,7 +14,7 @@ VFAT_PARTITION="/root/vfat_partition"
 dd if=/dev/zero of=$VFAT_PARTITION bs=1M count=50
 mkfs.vfat $VFAT_PARTITION
 
-# Add to fstab without nosuid option (should pass because vfat is excluded)
+# Add to fstab without the nosuid option
 mkdir -p /boot/efi
 echo "$VFAT_PARTITION /boot/efi vfat rw,relatime,loop 0 0" >> /etc/fstab
 

linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml

@@ -39,10 +39,12 @@ ocil: |-
     The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
     by running the following command:
     <pre>$ sysctl kernel.kptr_restrict</pre>
-    The output of the command should indicate either:
+    The output of the command should indicate:
     <code>kernel.kptr_restrict = 1</code>
+    {{% if product != 'rhel8' %}}
     or:
     <code>kernel.kptr_restrict = 2</code>
+    {{% endif %}}
     The output of the command should not indicate:
     <code>kernel.kptr_restrict = 0</code>
 
@@ -55,12 +57,14 @@ ocil: |-
     <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
     The command should not find any assignments other than:
     kernel.kptr_restrict = 1
+    {{% if product != 'rhel8' %}}
     or:
     kernel.kptr_restrict = 2
+    {{% endif %}}
 
     Conflicting assignments are not allowed.
 
-ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
+ocil_clause: "the kernel.kptr_restrict is not set to 1{{% if product != 'rhel8' %}} or 2{{% endif %}} or is configured to be 0"
 
 srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
 
@@ -70,7 +74,10 @@ template:
     name: sysctl
     vars:
         sysctlvar: kernel.kptr_restrict
-        {{% if 'ol' in families or 'rhel' in product %}}
+        {{% if product == 'rhel8' %}}
+        sysctlval: '1'
+        wrong_sysctlval_for_testing: "0"
+        {{% elif 'ol' in families or 'rhel' in product %}}
         sysctlval:
         - '1'
         - '2'

linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
+{{% if product == 'rhel8' %}}
+# platform = Not Applicable
+{{% else %}}
 # platform = multi_platform_ol,multi_platform_rhel,multi_platform_almalinux
+{{% endif %}}
 
 # Clean sysctl config directories
 rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*

linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2_rhel8.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"

linux_os/guide/system/permissions/restrictions/kernel_module_uvcvideo_disabled/rule.yml

@@ -27,28 +27,29 @@ ocil_clause: 'the command does not return any output, or the line is commented o
 ocil: |-
     If the device or {{{ full_name }}} does not have a camera installed, this requirement is not applicable.
 
-    This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
+    This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local Authorizing Official (AO) decision.
 
     This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
 
     For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.
 
     For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.
 
-    If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
+    If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software.
 
-    Verify the operating system disables the ability to load the uvcvideo kernel module.
+    Verify the operating system disables the ability to load the uvcvideo kernel module and ensure that the uvcvideo protocol module is disabled with the following command:
 
-    $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"
+    $ sudo grep -r uvcvideo /etc/modprobe.d/
 
-    install uvcvideo /bin/true
+    /etc/modprobe.d/uvcvideo-blacklist.conf:install uvcvideo /bin/false
+    /etc/modprobe.d/uvcvideo-blacklist.conf:blacklist uvcvideo
 
 fixtext: |-
     Configure {{{ full_name }}} to disable the built-in or attached camera when not in use.
 
-    Build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example:
+    Add or update the following lines in the "/etc/modprobe.d/uvcvideo-blacklist.conf" file:
 
-    install uvcvideo /bin/true
+    install uvcvideo /bin/false
     blacklist uvcvideo
 
     Reboot the system for the settings to take effect.

linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify that the IPsec service uses the system crypto policy with the following command:
 
-    Note: If the ipsec service is not installed, this requirement is Not Applicable.
+    Note: If the IPsec service is not installed, this requirement is not applicable.
 
     $ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf
 

linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/rule.yml

@@ -40,9 +40,9 @@ ocil_clause: |-
     the "IPsec" service is active and the ipsec configuration file does not contain does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>
 
 ocil: |-
-    Verify that the IPSec service uses the system crypto policy.
+    Verify that the IPsec service uses the system crypto policy.
 
-    If the ipsec service is not installed is not applicable.
+    If the IPsec service is not installed, this requirement is not applicable.
 
     Check to see if the "IPsec" service is active with the following command: