Merged
@@ -0,0 +1,44 @@
documentation_complete: true

prodtype: rhcos4

title: 'Extend Audit Backlog Limit for the Audit Daemon'

description: |-
To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken.

severity: medium

identifiers:
cce@rhcos4: CCE-82671-9

references:
srg: SRG-OS-000254-GPOS-00095
nist: CM-6(a)
cis@rhel8: 4.1.1.4

ocil_clause: 'audit backlog limit is not configured'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>audit=1</tt>, then auditing is enabled at boot time.
Collaborator:
Should the rule talk about enabling audit?

Contributor Author:
What do you mean?

Collaborator:
Pointing out that the admin should inspect the kernel command line for audit=1 seems a bit redundant, because it's not the point of this rule. But the ocil rule is not super important for coreos rules and the backlog parameter is mentioned next, so it's OK.

<br /><br />
To ensure <tt>audit_backlog_limit=8192</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: audit_backlog_limit
arg_value: '8192'
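Review bot: the ocil text checks the wrong argument for this rule. The sentence "If they include audit=1, then auditing is enabled at boot time" belongs to the audit=1 rule; here the reader should be told to look for audit_backlog_limit=8192, which is what the template vars (arg_name: audit_backlog_limit, arg_value: '8192') actually check. As written, a host with audit=1 but no backlog limit passes the manual check while the automated check fails. Suggest: "If they include audit_backlog_limit=8192, then the audit backlog limit is configured at boot time."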

This file was deleted.

@@ -19,7 +19,7 @@ rationale: |-
severity: medium

identifiers:
cce@ocp4: CCE-83550-4
cce@rhcos4: CCE-82670-1

references:
cis@rhel8: 4.1.1.3
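Review bot: this one-line hunk (-19,7 +19,7) replaces cce@ocp4: CCE-83550-4 with cce@rhcos4: CCE-82670-1, so the ocp4 identifier disappears instead of sitting alongside the rhcos4 one. If this rule is still selected in an ocp4 profile, keep both lines; if CCE-83550-4 is being retired, say so in the commit message. Note that CCE-82670-1 is the identifier removed from grub2_audit_argument further down in this PR, so it is being reassigned rather than newly allocated.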

This file was deleted.

3 changes: 1 addition & 2 deletions linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15

title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'

@@ -28,7 +28,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-27212-0
cce@rhel8: CCE-80825-3
cce@rhcos4: CCE-82670-1

references:
cis@rhel8: 4.1.1.3
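Review bot: removing rhcos4 from prodtype and dropping the cce@rhcos4 line are consistent with each other, but the rule then no longer exists for the rhcos4 product, so any rhcos4 profile that still selects grub2_audit_argument will not resolve. The moderate.profile hunk at the end of this PR swaps the backlog-limit, pti, vsyscall and page_poison selections but shows no grub2_audit_argument line; confirm no other rhcos4 profile selects it. The same applies to the parallel grub2_audit_backlog_limit_argument, grub2_pti_argument, grub2_vsyscall_argument, grub2_page_poison_argument and grub2_slub_debug_argument removals below.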

This file was deleted.

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle15
prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15

title: 'Extend Audit Backlog Limit for the Audit Daemon'

@@ -22,7 +22,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-82156-1
cce@rhel8: CCE-80943-4
cce@rhcos4: CCE-82671-9

references:
srg: SRG-OS-000254-GPOS-00095
@@ -0,0 +1,42 @@
documentation_complete: true

prodtype: rhcos4

title: 'Enable Kernel Page-Table Isolation (KPTI)'

description: |-
To enable Kernel page-table isolation, add the argument <tt>pti=on</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR).

severity: high

identifiers:
cce@rhcos4: CCE-82497-9

references:
srg: SRG-OS-000433-GPOS-00193
nist: SI-16

ocil_clause: 'Kernel page-table isolation is not enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>pti=on</tt>, then Kernel page-table isolation is enabled at boot time.
<br /><br />
To ensure <tt>pti=on</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: pti
arg_value: 'on'
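Review bot: the description and ocil both say to inspect "all the BLS (Boot Loader Specification) entries" in /boot/loader/entries/*.conf, but according to the review discussion on this page the coreos_kernel_option template checks only the last boot entry. Either the text should state which entry is checked or the template should iterate over all entries; otherwise a manual check and the automated check can disagree on the same host. Quoting 'on' in arg_value is right and should stay that way: a YAML 1.1 parser reads a bare on as boolean true, which would render the wrong kernel argument.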
@@ -0,0 +1,40 @@
documentation_complete: true

prodtype: rhcos4

title: 'Disable vsyscalls'

description: |-
To disable use of virtual syscalls, add the argument <tt>vsyscall=none</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer.

severity: medium

identifiers:
cce@rhcos4: CCE-82674-3

references:
srg: SRG-OS-000480-GPOS-00227
nist: CM-7(a)

ocil_clause: 'vsyscalls are enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>vsyscall=none</tt>, then virtual syscalls are not enabled at boot time.
<br /><br />
To ensure <tt>vsyscall=none</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: vsyscall
arg_value: none
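Review bot: the rationale ("provide an opportunity of attack for a user who has control of the return instruction pointer") omits the reason that matters: the legacy vsyscall page is mapped at a fixed, non-randomized address, so it gives an attacker who controls a return address a known gadget location that KASLR/ASLR does not hide. Worth stating, together with the compatibility caveat that vsyscall=none breaks very old static binaries that call the vsyscall page directly, which is presumably why the profile hunk below selects this rule as role=unscored / severity=info.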

This file was deleted.

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol8,rhel8
prodtype: fedora,ol8,rhel8

title: 'Enable Kernel Page-Table Isolation (KPTI)'

@@ -21,7 +21,6 @@ severity: high

identifiers:
cce@rhel8: CCE-82194-2
cce@rhcos4: CCE-82497-9

references:
srg: SRG-OS-000433-GPOS-00193
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8
prodtype: fedora,ol7,ol8,rhel7,rhel8

title: 'Disable vsyscalls'

@@ -20,7 +20,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-82159-5
cce@rhel8: CCE-80946-7
cce@rhcos4: CCE-82674-3

references:
srg: SRG-OS-000480-GPOS-00227
@@ -0,0 +1,44 @@
documentation_complete: true

prodtype: rhcos4

title: 'Enable page allocator poisoning'

description: |-
To enable poisoning of free pages, add the argument <tt>page_poison=1</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.


rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.

severity: medium

identifiers:
cce@rhcos4: CCE-82673-5

references:
srg: SRG-OS-000480-GPOS-00227
nist: CM-6(a)

ocil_clause: 'page allocator poisoning is not enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>page_poison=1</tt>, then page poisoning is enabled at boot time.
<br /><br />
To ensure <tt>page_poison=1</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: page_poison
arg_value: '1'
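Review bot: the rationale overstates what page_poison=1 does. Poisoning fills freed pages with a pattern and, depending on kernel configuration, verifies the pattern when the page is reallocated; it does not "prevent" a use-after-free, it makes stale data unavailable to the reuser and makes corruption detectable. The last sentence, "Also prevents leak of data and detection of corrupted memory", reads as if poisoning prevents detection; suggest "It also prevents leaking data from freed pages and allows detection of corrupted memory." The double blank line after the description block is a style nit.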
@@ -0,0 +1,43 @@
documentation_complete: true

prodtype: rhcos4

title: 'Enable SLUB/SLAB allocator poisoning'

description: |-
To enable poisoning of SLUB/SLAB objects, add the argument <tt>slub_debug=P</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
Poisoning writes an arbitrary value to freed objects, so any modification or
reference to that object after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.

severity: medium

identifiers:
cce@rhcos4: CCE-82672-7

references:
srg: SRG-OS-000433-GPOS-00192
nist: CM-6(a)

ocil_clause: 'SLUB/SLAB poisoning is not enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>slub_debug=P</tt>, then SLUB/SLAB poisoning is enabled at boot time.
<br /><br />
To ensure <tt>vsyscall=none</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: slub_debug
arg_value: P
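Review bot: copy-paste error in the ocil text: "To ensure vsyscall=none is configured on the installed kernel" should read slub_debug=P, matching the check sentence two lines above and the template vars (arg_name: slub_debug, arg_value: P). Also, this rule is added here but the moderate.profile hunk keeps it commented out (#- coreos_slub_debug_kernel_argument), as the grub2 version was; if there is a known reason (performance, or interaction with other debug options) a comment next to the commented-out selection would help the next reader.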

This file was deleted.

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8
prodtype: fedora,ol7,ol8,rhel7,rhel8

title: 'Enable page allocator poisoning'

@@ -23,7 +23,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-82158-7
cce@rhel8: CCE-80944-2
cce@rhcos4: CCE-82673-5
Member:
CCE-82673-5 went from rule grub2_page_poison_argument to coreos_page_poison_kernel_argument.
The configuration checked/remediated is almost the same, the difference is that coreos_page_poison_kernel_argument checks only the last boot entry.

I'm not sure if this CCE migration is okay, maybe @redhatrises has thoughts on it.

Contributor:
I am okay with this until we actually deliver something. Ultimately, I think that creating duplicate rules for something that is subtly unique is not great. This is something to figure out in a separate PR.


references:
srg: SRG-OS-000480-GPOS-00227

This file was deleted.

@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8
prodtype: fedora,ol7,ol8,rhel7,rhel8

title: 'Enable SLUB/SLAB allocator poisoning'

@@ -23,7 +23,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-82157-9
cce@rhel8: CCE-80945-9
cce@rhcos4: CCE-82672-7

references:
srg: SRG-OS-000433-GPOS-00192
14 changes: 7 additions & 7 deletions rhcos4/profiles/moderate.profile
@@ -136,9 +136,7 @@ selections:

### Kernel Config
## Boot prompt
- grub2_vsyscall_argument.role=unscored
- grub2_vsyscall_argument.severity=info
- grub2_pti_argument
- coreos_pti_kernel_argument

## Security Settings
- sysctl_kernel_kptr_restrict
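Review bot: this hunk drops grub2_vsyscall_argument and its role=unscored / severity=info overrides from the "Boot prompt" block and adds only coreos_pti_kernel_argument in their place; the vsyscall selection reappears further down under the "# AU-3" block. vsyscall=none is a kernel hardening setting (the new rule references CM-7(a)), so its selection and overrides belong in this Kernel Config block rather than under an audit control. Suggest keeping "- coreos_vsyscall_kernel_argument" and its two override lines here.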
@@ -556,11 +554,13 @@ selections:

# AU-3
- package_audit_installed
- grub2_audit_backlog_limit_argument
- coreos_audit_backlog_limit_kernel_argument
- coreos_audit_option
#- grub2_slub_debug_argument
- grub2_page_poison_argument
- grub2_vsyscall_argument
#- coreos_slub_debug_kernel_argument
- coreos_page_poison_kernel_argument
- coreos_vsyscall_kernel_argument
- coreos_vsyscall_kernel_argument.role=unscored
- coreos_vsyscall_kernel_argument.severity=info

# AU-4
- auditd_data_retention_action_mail_acct
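Review bot: the "# AU-3" block now groups coreos_page_poison_kernel_argument and coreos_vsyscall_kernel_argument with the audit rules, but neither is an auditing control (their rule references are CM-6(a) and CM-7(a)); only coreos_audit_backlog_limit_kernel_argument and coreos_audit_option belong under AU-3. Moving the two hardening selections to the Kernel Config section would keep the control mapping honest. Separately, "#- coreos_slub_debug_kernel_argument" stays commented out with no reason recorded; a one-line comment explaining why would help.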