Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
kernelArguments:
- audit_backlog_limit=8192
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
documentation_complete: true

prodtype: rhcos4

title: 'Extend Audit Backlog Limit for the Audit Daemon'

description: |-
To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken.

severity: medium

identifiers:
cce@rhcos4: CCE-82671-9

references:
srg: SRG-OS-000254-GPOS-00095
nist: CM-6(a)
cis@rhel8: 4.1.1.4

ocil_clause: 'audit backlog limit is not configured'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>audit=1</tt>, then auditing is enabled at boot time.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the rule talk about enabling audit?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pointing out that the admin should inspect the kernel command line for audit=1 seems a bit redundant, because it's not the point of this rule. But the ocil rule is not super important for coreos rules and the backlog parameter is mentioned next, so it's OK.

<br /><br />
To ensure <tt>audit_backlog_limit=8192</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: audit_backlog_limit
arg_value: '8192'
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#!/bin/bash
# platform = Red Hat Enterprise Linux 7
Comment thread
JAORMX marked this conversation as resolved.
Outdated

# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an audit_backlog_limit= arg already exists
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=8192 \2/' '/etc/default/grub'
else
# no audit_backlog_limit=arg is present, append it
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=8192"/' '/etc/default/grub'
fi

grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#!/bin/bash
Comment thread
JAORMX marked this conversation as resolved.
Outdated
# platform = Red Hat Enterprise Linux 8

grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
#!/bin/bash
# platform = Red Hat Enterprise Linux 7
Comment thread
JAORMX marked this conversation as resolved.
Outdated

# Break the audit_backlog_limit argument in kernel command line in /etc/default/grub
if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
# modify the GRUB command-line if an audit_backlog_limit= arg already exists
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=123 \2/' '/etc/default/grub'
else
# no audit_backlog_limit=arg is present, append it
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=123"/' '/etc/default/grub'
fi
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#!/bin/bash
# platform = Red Hat Enterprise Linux 8
Comment thread
JAORMX marked this conversation as resolved.
Outdated

# Break the audit_backlog_limit argument in kernel command line in /boot/grub2/grubenv
file="/boot/grub2/grubenv"
if grep -q '^.*audit_backlog_limit=.*' "$file" ; then
# modify the GRUB command-line if an audit_backlog_limit= arg already exists
sed -i 's/\(^.*\)audit_backlog_limit=[^[:space:]]*\(.*\)/\1 audit_backlog_limit=123 \2/' "$file"
else
# no audit_backlog_limit=arg is present, append it
sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 audit_backlog_limit=123/' "$file"
fi
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ rationale: |-
severity: medium

identifiers:
cce@ocp4: CCE-83550-4
Comment thread
JAORMX marked this conversation as resolved.
cce@rhcos4: CCE-82670-1

references:
cis@rhel8: 4.1.1.3
Expand Down
3 changes: 1 addition & 2 deletions linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15

title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'

Expand Down Expand Up @@ -28,7 +28,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-27212-0
cce@rhel8: CCE-80825-3
cce@rhcos4: CCE-82670-1

references:
cis@rhel8: 4.1.1.3
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle15
prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15

title: 'Extend Audit Backlog Limit for the Audit Daemon'

Expand All @@ -22,7 +22,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-82156-1
cce@rhel8: CCE-80943-4
cce@rhcos4: CCE-82671-9

references:
srg: SRG-OS-000254-GPOS-00095
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
kernelArguments:
- pti=on
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
documentation_complete: true

prodtype: rhcos4

title: 'Enable Kernel Page-Table Isolation (KPTI)'

description: |-
To enable Kernel page-table isolation, add the argument <tt>pti=on</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR).

severity: high

identifiers:
cce@rhcos4: CCE-82497-9

references:
srg: SRG-OS-000433-GPOS-00193
nist: SI-16

ocil_clause: 'Kernel page-table isolation is not enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>pti=on</tt>, then Kernel page-table isolation is enabled at boot time.
<br /><br />
To ensure <tt>pti=on</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: pti
arg_value: 'on'
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#!/bin/bash

# profiles = xccdf_org.ssgproject.content_profile_ospp
# platform = Red Hat Enterprise Linux 8

# Removes pti argument from kernel command line in /boot/grub2/grubenv
file="/boot/grub2/grubenv"
if grep -q '^.*pti=.*' "$file" ; then
sed -i 's/\(^.*\)pti=[^[:space:]]*\(.*\)/\1 \2/' "$file"
fi
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
# platform = Red Hat Enterprise Linux 8

grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on"
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_ospp
# platform = Red Hat Enterprise Linux 8

# Break the pti argument in kernel command line in /boot/grub2/grubenv
file="/boot/grub2/grubenv"
if grep -q '^.*pti=.*' "$file" ; then
# modify the GRUB command-line if an pti= arg already exists
sed -i 's/\(^.*\)pti=[^[:space:]]*\(.*\)/\1 pti=off \2/' "$file"
else
# no pti=arg is present, append it
sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 pti=off/' "$file"
fi
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
documentation_complete: true

prodtype: rhcos4

title: 'Disable vsyscalls'

description: |-
To disable use of virtual syscalls, add the argument <tt>vsyscall=none</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer.

severity: medium

identifiers:
cce@rhcos4: CCE-82674-3

references:
srg: SRG-OS-000480-GPOS-00227
nist: CM-7(a)

ocil_clause: 'vsyscalls are enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>vsyscall=none</tt>, then virtual syscalls are not enabled at boot time.
<br /><br />
To ensure <tt>vsyscall=none</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: vsyscall
arg_value: none
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol8,rhel8
prodtype: fedora,ol8,rhel8

title: 'Enable Kernel Page-Table Isolation (KPTI)'

Expand All @@ -21,7 +21,6 @@ severity: high

identifiers:
cce@rhel8: CCE-82194-2
cce@rhcos4: CCE-82497-9

references:
srg: SRG-OS-000433-GPOS-00193
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8
prodtype: fedora,ol7,ol8,rhel7,rhel8

title: 'Disable vsyscalls'

Expand All @@ -20,7 +20,6 @@ severity: medium
identifiers:
cce@rhel7: CCE-82159-5
cce@rhel8: CCE-80946-7
cce@rhcos4: CCE-82674-3

references:
srg: SRG-OS-000480-GPOS-00227
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
kernelArguments:
- page_poison=1
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
documentation_complete: true

prodtype: rhcos4

title: 'Enable page allocator poisoning'

description: |-
To enable poisoning of free pages, add the argument <tt>page_poison=1</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.


rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.

severity: medium

identifiers:
cce@rhcos4: CCE-82673-5

references:
srg: SRG-OS-000480-GPOS-00227
nist: CM-6(a)

ocil_clause: 'page allocator poisoning is not enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>page_poison=1</tt>, then page poisoning is enabled at boot time.
<br /><br />
To ensure <tt>page_poison=1</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: page_poison
arg_value: '1'
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_rhcos
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
kernelArguments:
- slub_debug=P
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
documentation_complete: true

prodtype: rhcos4

title: 'Enable SLUB/SLAB allocator poisoning'

description: |-
To enable poisoning of SLUB/SLAB objects, add the argument <tt>slub_debug=P</tt> to all
BLS (Boot Loader Specification) entries ('options' line) for the Linux
operating system in <tt>/boot/loader/entries/*.conf</tt>.

rationale: |-
Poisoning writes an arbitrary value to freed objects, so any modification or
reference to that object after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory.

severity: medium

identifiers:
cce@rhcos4: CCE-82672-7

references:
srg: SRG-OS-000433-GPOS-00192
nist: CM-6(a)

ocil_clause: 'SLUB/SLAB poisoning is not enabled'

ocil: |-
Inspect the form of all the BLS (Boot Loader Specification) entries
('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
<tt>slub_debug=P</tt>, then SLUB/SLAB poisoning is enabled at boot time.
<br /><br />
To ensure <tt>vsyscall=none</tt> is configured on the installed kernel, add
the kernel argument via a <pre>MachineConfig</pre> object to the appropriate
pools.

template:
name: coreos_kernel_option
vars:
arg_name: slub_debug
arg_value: P
Loading