
DISA STIG: Update RHEL8 V2R6 → V2R7#14637

Open
macko1 wants to merge 1 commit into ComplianceAsCode:master from macko1:update_rhel8_disa_stig_to_v2r7

Conversation

Collaborator

@macko1 macko1 commented Apr 10, 2026

Description:

  • Update RHEL 8 DISA STIG profiles and control file from V2R6 to V2R7
  • Rule changes across STIG IDs:
    • RHEL-08-010010 (security_patches_up_to_date): update policy checktext
      for systems not connected to the internet
    • RHEL-08-010572 (mount_option_boot_efi_nosuid): drop the vfat exclusion
      from the mount_option template — the rule now checks nosuid regardless of
      filesystem type; fix and rename test scenarios
    • RHEL-08-040020 (kernel_module_uvcvideo_disabled): switch to blacklist
      approach and use /bin/false instead of /bin/true
    • RHEL-08-040060 (configure_libreswan_crypto_policy): grammar and policy
      text fix
    • RHEL-08-040283 (sysctl_kernel_kptr_restrict): enforce
      kernel.kptr_restrict=1 only (drop acceptance of value 2); add tests

Rationale:

  • DISA released STIG V2R7 for RHEL 8; the profiles and rules need to track it

Review Hints:

  • All changes are in one commit (5ca6422); the rest of the branch is
    upstream master
  • mount_option_boot_efi_nosuid: the vfat exclusion was wrong — /boot/efi
    is always vfat, so the check never applied; removing exclude_filesystem_type
    makes the rule actually evaluate
  • sysctl_kernel_kptr_restrict: value_2_rhel8.fail.sh is a product-specific
    test that only applies to RHEL 8 STIG; value 2 remains valid for other
    products
  • To test locally: ./build_product rhel8 --datastream-only then run automatus
    against the changed rules on a RHEL 8 VM

Warning

These changes also include fs/kernel rules, so they cannot be tested in a container; some of the tests WILL fail because of this.
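As an added example (not code from the PR or from the ComplianceAsCode project), the POSIX shell script below mirrors the three V2R7 semantics the description lists: uvcvideo blacklisted with an install-to-/bin/false line, kernel.kptr_restrict exactly 1 with value 2 rejected, and nosuid on /boot/efi regardless of filesystem type. The sample files and function names are constructed for the example and are not the project's.

```shell
#!/bin/sh
# Added example (not code from the PR or ComplianceAsCode): offline checkers that
# mirror the three V2R7 rule semantics the PR describes, run on constructed sample
# files so they exercise the logic without a RHEL 8 VM.

# RHEL-08-040020: uvcvideo must be blacklisted AND have an "install uvcvideo
# /bin/false" line somewhere under the modprobe.d directory given as $1. Matching
# on content (not filename) ignores commented-out lines and stray prefixes.
uvcvideo_disabled() {
    grep -hsE '^[[:space:]]*install[[:space:]]+uvcvideo[[:space:]]+/bin/false([[:space:]]|$)' \
        "$1"/*.conf >/dev/null || return 1
    grep -hsE '^[[:space:]]*blacklist[[:space:]]+uvcvideo([[:space:]]|$)' "$1"/*.conf >/dev/null
}

# RHEL-08-040283: every kernel.kptr_restrict assignment across the given sysctl
# files must be exactly 1; V2R7 no longer accepts 2, and a 1/2 conflict is a finding.
kptr_restrict_is_one() {
    vals=$(cat "$@" 2>/dev/null | sed -nE \
        's/^[[:space:]]*kernel\.kptr_restrict[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$/\1/p')
    [ -n "$vals" ] || return 1
    for v in $vals; do [ "$v" = "1" ] || return 1; done
}

# RHEL-08-010572: the fstab entry for /boot/efi must carry nosuid whatever the
# filesystem type is; with the vfat exclusion gone, "it is vfat" is no longer a pass.
boot_efi_nosuid() {
    awk '$1 !~ /^#/ && $2 == "/boot/efi" {
             n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed sample inputs (not captured from any real system).
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/modprobe_good" "$SAMPLE_DIR/modprobe_bad"
printf 'install uvcvideo /bin/false\nblacklist uvcvideo\n' > "$SAMPLE_DIR/modprobe_good/blacklist.conf"
printf '# blacklist uvcvideo\ninstall uvcvideo /bin/true\n' > "$SAMPLE_DIR/modprobe_bad/uvcvideo.conf"
printf 'kernel.kptr_restrict = 1\n' > "$SAMPLE_DIR/sysctl_good.conf"
printf 'kernel.kptr_restrict = 2\n' > "$SAMPLE_DIR/sysctl_two.conf"
printf 'UUID=1234-ABCD /boot/efi vfat umask=0077,shortname=winnt,nosuid 0 2\n' > "$SAMPLE_DIR/fstab_good"
printf 'UUID=1234-ABCD /boot/efi vfat umask=0077,shortname=winnt 0 2\n' > "$SAMPLE_DIR/fstab_bad"

# Runs one check and prints pass/fail, so results can be compared or tabulated.
verdict() { if "$@"; then echo pass; else echo fail; fi; }

verdict uvcvideo_disabled "$SAMPLE_DIR/modprobe_good"                                      # pass
verdict uvcvideo_disabled "$SAMPLE_DIR/modprobe_bad"                                       # fail
verdict kptr_restrict_is_one "$SAMPLE_DIR/sysctl_good.conf"                                # pass
verdict kptr_restrict_is_one "$SAMPLE_DIR/sysctl_good.conf" "$SAMPLE_DIR/sysctl_two.conf"  # fail
verdict boot_efi_nosuid "$SAMPLE_DIR/fstab_good"                                           # pass
verdict boot_efi_nosuid "$SAMPLE_DIR/fstab_bad"                                            # fail
```

The second kptr_restrict call fails on purpose: a file still carrying the V2R6-acceptable value 2 is now a finding, which is exactly what value_2_rhel8.fail.sh is meant to exercise.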

openshift-ci bot added the do-not-merge/work-in-progress label on Apr 10, 2026

openshift-ci bot commented Apr 10, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions bot commented Apr 10, 2026

This datastream diff is auto-generated by the check Compare DS/Generate Diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,6 @@
-Verify that the IPSec service uses the system crypto policy.
+Verify that the IPsec service uses the system crypto policy.
 
-If the ipsec service is not installed is not applicable.
+If the IPsec service is not installed, this requirement is not applicable.
 
 Check to see if the "IPsec" service is active with the following command:
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -2,13 +2,6 @@
 if ( ! ( { rpm --quiet -q kernel-core ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/boot/efi" > /dev/null || findmnt --fstab "/boot/efi" > /dev/null ); }; then
 
 function perform_remediation {
-
-    # Check if the partition is mounted with an excluded filesystem type
-    if findmnt --kernel --raw --evaluate --output=FSTYPE "/boot/efi" | grep -q "^vfat$"; then
-        # The mount point /boot/efi is using vfat filesystem
-        # which is excluded from this requirement. No remediation needed.
-        return 0
-    fi
 
     
         # the mount point /boot/efi has to be defined in /etc/fstab
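Review bot: Removing the early return leaves two whitespace-only lines at the top of perform_remediation (right after `function perform_remediation {`); trim them in the template so the generated bash stays clean. The logic change itself matches the stated intent: because /boot/efi is always vfat, the `grep -q "^vfat$"` guard returned 0 before any work was done, so this remediation never touched the mount; with the guard gone the fstab handling that follows actually runs, and hosts previously reported compliant will now have nosuid added. Worth a line in the changelog.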

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,52 +1,6 @@
 - name: Gather the package facts
   package_facts:
     manager: auto
-  tags:
-  - CCE-86038-7
-  - DISA-STIG-RHEL-08-010572
-  - NIST-800-53-CM-6(b)
-  - NIST-800-53-CM-6.1(iv)
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_boot_efi_nosuid
-  - no_reboot_needed
-
-- name: 'Add nosuid Option to /boot/efi: Check filesystem type of /boot/efi'
-  ansible.builtin.command: findmnt --kernel --raw --evaluate --output=FSTYPE '/boot/efi'
-  register: fs_type_check
-  failed_when: fs_type_check.rc > 1
-  changed_when: false
-  check_mode: false
-  when:
-  - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
-    and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
-    and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
-    ["docker", "lxc", "openvz", "podman", "container"] ) )
-  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
-  tags:
-  - CCE-86038-7
-  - DISA-STIG-RHEL-08-010572
-  - NIST-800-53-CM-6(b)
-  - NIST-800-53-CM-6.1(iv)
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_boot_efi_nosuid
-  - no_reboot_needed
-
-- name: 'Add nosuid Option to /boot/efi: Set fact for excluded filesystem'
-  set_fact:
-    is_excluded_fstype: '{{ fs_type_check.rc == 0 and ''vfat'' in fs_type_check.stdout_lines
-      }}'
-  when:
-  - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
-    and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
-    and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
-    ["docker", "lxc", "openvz", "podman", "container"] ) )
-  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
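Review bot: With the `fs_type_check` register and the `is_excluded_fstype` fact gone, confirm that no task in the generated playbook still references them: the `| default(false)` filter on the old `not is_excluded_fstype | default(false)` conditions would silently evaluate a leftover reference to true instead of erroring, so a missed one would not surface as a failure. The later hunks remove six such conditions; a grep of the built playbook for `is_excluded_fstype` should come back empty. The diff also pairs the deleted `tags:` block under `Gather the package facts` with the retained one further down, so that task keeps its tags unchanged; noted only to save the next reader a double take.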
@@ -71,7 +25,6 @@
     and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
     ["docker", "lxc", "openvz", "podman", "container"] ) )
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -98,7 +51,6 @@
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -133,7 +85,6 @@
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -159,7 +110,6 @@
     ["docker", "lxc", "openvz", "podman", "container"] ) )
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "nosuid" not in (mount_info.options | default(''))
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -193,7 +143,6 @@
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572

OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled' differs.
--- ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1
+++ ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1
@@ -1,6 +1,6 @@
-If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable.
+If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this is not applicable.
 
-This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
+This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local Authorizing Official (AO) decision.
 
 This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
 
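Review bot: The first changed line drops "requirement" ("this is not applicable") while the very next sentence in the same hunk keeps "This requirement is not applicable"; keep the wording consistent within one OCIL, i.e. `If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable.` Spelling out Authorizing Official (AO) on first use is a good change.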
@@ -8,12 +8,13 @@
 
 For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.
 
-If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
+If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software.
 
-Verify the operating system disables the ability to load the uvcvideo kernel module.
+Verify the operating system disables the ability to load the uvcvideo kernel module and ensure that the uvcvideo protocol module is disabled with the following command:
 
-$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"
+$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
 
-install uvcvideo /bin/true
+/etc/modprobe.d/blacklist.conf:install uvcvideo /bin/false
+/etc/modprobe.d/blacklist.conf:blacklist uvcvideo
       Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use?
       
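Review bot: The sample output overstates what the new command actually verifies. `grep -r uvcvideo /etc/modprobe.d/*` prefixes each hit with its filename, so the trailing `grep "blacklist"` keeps the `install uvcvideo /bin/false` line only because it happens to live in a file named blacklist.conf; the same directive in, say, uvcvideo.conf would be filtered out, while a commented `# blacklist uvcvideo` would still be printed. If both directives are meant to be confirmed, match on content instead, e.g. `grep -rE '^\s*(install|blacklist)\s+uvcvideo' /etc/modprobe.d/`, and keep the OCIL clause's "commented out" check. Separately, "uvcvideo protocol module" reads like text carried over from a network-protocol rule; uvcvideo is the USB Video Class driver, and the same sentence already calls it the "uvcvideo kernel module", so use that once.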
OCIL for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1
+++ ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1
@@ -1,10 +1,9 @@
 The runtime status of the kernel.kptr_restrict kernel parameter can be queried
 by running the following command:
 $ sysctl kernel.kptr_restrict
-The output of the command should indicate either:
+The output of the command should indicate:
 kernel.kptr_restrict = 1
-or:
-kernel.kptr_restrict = 2
+
 The output of the command should not indicate:
 kernel.kptr_restrict = 0
 
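Review bot: The replacement leaves an empty `+` line between `kernel.kptr_restrict = 1` and `The output of the command should not indicate:`, which renders as a stray blank line in the questionnaire; drop it, and the matching one in the second hunk. On substance, flag in the changelog that this tightens rather than relaxes: kptr_restrict=2 hides kernel pointers even from processes holding CAP_SYSLOG and is the stricter setting, yet V2R7 now reports it as a finding, so RHEL 8 hosts hardened to 2 under V2R6 will flip to non-compliant and the remediation will lower them to 1.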
@@ -17,9 +16,8 @@
 $ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
 The command should not find any assignments other than:
 kernel.kptr_restrict = 1
-or:
-kernel.kptr_restrict = 2
+
 
 Conflicting assignments are not allowed.
-      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
+      Is it the case that the kernel.kptr_restrict is not set to 1 or is configured to be 0?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
@@ -25,19 +25,17 @@
 
 SYSCONFIG_FILE='/etc/sysctl.d/kernel_kptr_restrict.conf'
 
-sysctl_kernel_kptr_restrict_value=''
-
 
 #
 # Set runtime for kernel.kptr_restrict
 #
 if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
-    /sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
+    /sbin/sysctl -q -n -w kernel.kptr_restrict="1"
 fi
 
 #
-# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
+# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1"
+#	else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf
 #
 
 sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
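Review bot: Hardcoding `"1"` and deleting `sysctl_kernel_kptr_restrict_value=''` removes the XCCDF variable from this rule's bash fix, so the value can no longer be tailored. The description says value 2 stays valid for other products and that value_2_rhel8.fail.sh is RHEL 8 specific, so please confirm the fixed value is conditioned on the RHEL 8 build and that other products' datastreams still carry the variable-driven form rather than a literal 1; a quick diff of another product's build would settle it.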
@@ -47,7 +45,7 @@
 stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
@@ -14,11 +14,6 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_kptr_restrict
-- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
-  set_fact:
-    sysctl_kernel_kptr_restrict_value: !!str 
-  tags:
-    - always
 
 - name: Restrict Exposed Kernel Pointer Addresses Access - Set fact for sysctl paths
   ansible.builtin.set_fact:
@@ -69,7 +64,7 @@
     kernel.kptr_restrict to correct value
   ansible.builtin.shell:
     cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-      -HP '^\s*kernel.kptr_restrict\s*=\s*{{ sysctl_kernel_kptr_restrict_value }}$'
+      -HP '^\s*kernel.kptr_restrict\s*=\s*1$'
   register: find_correct_value
   check_mode: false
   changed_when: false
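Review bot: The github-actions warning about the shell module is a false positive for this hunk: the task was already `ansible.builtin.shell` running `find | xargs grep`, and only the literal inside the `-HP` pattern changed, so there is no new shell usage to replace. While the regex is being touched: `kernel.kptr_restrict` has an unescaped dot and `\s*1$` rejects a value followed by trailing whitespace, which is then treated as wrong and rewritten; pre-existing, but `^\s*kernel\.kptr_restrict\s*=\s*1\s*$` would be tighter.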
@@ -138,10 +133,10 @@
   - sysctl_kernel_kptr_restrict
 
 - name: Restrict Exposed Kernel Pointer Addresses Access - Ensure sysctl kernel.kptr_restrict
-    is set
+    is set to 1
   ansible.posix.sysctl:
     name: kernel.kptr_restrict
-    value: '{{ sysctl_kernel_kptr_restrict_value }}'
+    value: '1'
     sysctl_file: /etc/sysctl.d/kernel_kptr_restrict.conf
     state: present
     reload: true

@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@jan-cerny added the labels RHEL8 (Red Hat Enterprise Linux 8 product related), STIG (STIG Benchmark related), Highlight (This PR/Issue should make it to the featured changelog) and Update Profile (Issues or pull requests related to Profiles updates) on Apr 13, 2026

@macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 456e736 to f3da82f on April 13, 2026 12:50

@macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch 2 times, most recently from adc04db to 93ddf78 on April 13, 2026 13:14

@macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 93ddf78 to 092eb77 on April 13, 2026 13:26
@macko1 changed the title from "Draft: DISA STIG: Update RHEL8 V2R6 → V2R7" to "DISA STIG: Update RHEL8 V2R6 → V2R7" on Apr 13, 2026
@macko1 removed the do-not-merge/work-in-progress label on Apr 13, 2026

openshift-ci bot added the do-not-merge/work-in-progress label on Apr 13, 2026
@macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 72f1a8f to 23f9277 on April 13, 2026 17:46

@macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 23f9277 to f003cab on April 14, 2026 08:37

- Bump control file, stig, and stig_gui profiles to V2R7
- RHEL-08-010010: update policy - mention "not applicable
  when not connected to internet"
- RHEL-08-010572: update rule, drop vfat exclusion from
  template and simplify policy checktext, fix tests
- RHEL-08-040020: update rule and policy to use blacklist
  and /bin/false instead of /bin/true
- RHEL-08-040060: update rule and policy, fix grammar
- RHEL-08-040283: enforce kernel.kptr_restrict=1 instead of
  1 or 2; add tests
@macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from f003cab to 5ca6422 on April 14, 2026 13:10

@macko1 macko1 marked this pull request as ready for review April 14, 2026 13:14
@macko1 macko1 requested a review from a team as a code owner April 14, 2026 13:14
openshift-ci bot removed the do-not-merge/work-in-progress label on Apr 14, 2026
ocil_clause: 'the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use'

ocil: |-
If the device or {{{ full_name }}} does not have a camera installed, this requirement is not applicable.
Member


I would keep "requirement" in this sentence.

Verify the operating system disables the ability to load the uvcvideo kernel module and ensure that the uvcvideo protocol module is disabled with the following command:

$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"
$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
Member


This change doesn't make sense.

@Mab879 Mab879 self-assigned this Apr 14, 2026