UNCLASSIFIED - NO CUI


Update STIG remediations for UBI8

blake.burkhart requested to merge ubi8-remediations into development

Remediations

I regenerated the remediation script for the "[DRAFT] DISA STIG for Red Hat Enterprise Linux 8" profile using oscap-podman.

I split each remediation into a separate file. It should be easier to version control and understand the changes to the files this way. The scripts are numbered to ensure they execute in order. I then only selected required remediations to resolve the STIG findings. All remediation scripts are unmodified from openscap.

Currently the numbers in dsop-fix/ aren't consecutive. Is that ok?

I wrote a small python script to split the remediation script apart. Should I check it into this repo too?

Is --disablerepo="*" --enablerepo="*ubi-8*" still required for yum?

Packages

I applied all remediations that didn't seem likely to break the container. A number of possibly useless/inapplicable packages were installed.

All of the below packages are installed:

  • sudo
  • libcap-ng-utils
  • openscap-scanner
  • rng-tools
  • scap-security-guide
  • iptables
  • usbguard

Some of these are barely applicable or not useful inside a container. We could remove some to reduce container image size, but they will introduce a STIG finding.

I skipped the dnf-automatic remediations because updates should never be applied to containers; all updates should be applied from the Dockerfile while building.

Remaining STIG findings

58 pass, 6 fail, 3 notchecked
Score: 89.83%

Two possible false positives. One error. Four inapplicable.

  1. Configure Kerberos to use System Crypto Policy

    False positive? Remediation was applied.

  2. Configure System Cryptography Policy

    Error configuring policy to use FIPS:OSPP:

    var_system_crypto_policy="FIPS:OSPP"
    update-crypto-policies --set ${var_system_crypto_policy}
    
    Unknown profile: FIPS:OSPP

    Does the FIPS:OSPP profile exist on UBI8?

    Note: ensure that FIPS is correctly enabled on the container host

  3. Install dnf-automatic Package

  4. Configure dnf-automatic to Install Available Updates Automatically

  5. Configure dnf-automatic to Install Only Security Updates

  6. Enable dnf-automatic Timer

Containers cannot be updated at runtime, only when built from the Dockerfile. dnf-automatic is inapplicable to containers.

  7. Log USBGuard daemon audit events using Linux Audit

    False positive? Remediation was applied.

Containers (typically) have no USB access. This configuration isn't very applicable to containers.
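The splitter the description mentions is not included in the merge request, so the following is an added example of how such a script can work; it is not blake.burkhart's script or part of this repository. It assumes the block markers that `oscap xccdf generate fix --fix-type bash` writes around each rule (`# BEGIN fix (N / total) for '<rule id>'` ... `# END fix for '<rule id>'`), splits the combined script on them, and writes only the selected rules to numbered files. The sample script and the `dsop-fix/` file-name scheme (`NNN-<short rule name>.sh`) are constructed for the example. Keeping the generator's own index in the file name preserves execution order without renumbering, which is also why the numbers stop being consecutive once rules such as the dnf-automatic ones are left out.

```python
"""Split an OpenSCAP bash remediation script into one numbered file per rule.

Added example (not the MR author's script). The BEGIN/END comment markers are
assumed to be the ones emitted by `oscap xccdf generate fix --fix-type bash`.
"""
import re
import sys
from pathlib import Path

# Constructed sample in the generator's format: three rules, of which the
# dnf-automatic one (index 2) will be left out when selecting fixes.
SAMPLE = """#!/bin/bash
###############################################################################
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_package_sudo_installed'
###############################################################################
(>&2 echo "Remediating rule 1/3: 'xccdf_org.ssgproject.content_rule_package_sudo_installed'")
if ! rpm -q --quiet "sudo" ; then
    yum install -y "sudo"
fi
# END fix for 'xccdf_org.ssgproject.content_rule_package_sudo_installed'

###############################################################################
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'
###############################################################################
(>&2 echo "Remediating rule 2/3: 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'")
if ! rpm -q --quiet "dnf-automatic" ; then
    yum install -y "dnf-automatic"
fi
# END fix for 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'

###############################################################################
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'
###############################################################################
var_system_crypto_policy="FIPS:OSPP"
update-crypto-policies --set ${var_system_crypto_policy}
# END fix for 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'
"""

RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
BEGIN_RE = re.compile(r"^# BEGIN fix \((\d+) / (\d+)\) for '([^']+)'$", re.M)
END_RE = re.compile(r"^# END fix for '([^']+)'$", re.M)


def split_remediations(script):
    """Return [(index, total, rule_id, body)] for every fix block, in order.

    body is the unmodified text from the BEGIN marker through the END marker.
    """
    fixes = []
    for begin in BEGIN_RE.finditer(script):
        index, total, rule_id = int(begin.group(1)), int(begin.group(2)), begin.group(3)
        end = END_RE.search(script, begin.end())
        if end is None or end.group(1) != rule_id:
            raise ValueError(f"unterminated or mismatched fix block for {rule_id}")
        fixes.append((index, total, rule_id, script[begin.start():end.end()]))
    return fixes


def fix_filename(index, total, rule_id):
    """Zero-padded original index plus the short rule name (assumed naming scheme)."""
    width = max(3, len(str(total)))
    return f"{index:0{width}d}-{rule_id.replace(RULE_PREFIX, '')}.sh"


def select_fixes(script, selected_rule_ids):
    """Return [(filename, body)] for the chosen rules only, original order kept."""
    return [
        (fix_filename(index, total, rule_id), body)
        for index, total, rule_id, body in split_remediations(script)
        if rule_id in selected_rule_ids
    ]


def write_fixes(script, out_dir, selected_rule_ids):
    """Write each selected fix, unchanged, as its own executable-style script."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for name, body in select_fixes(script, selected_rule_ids):
        (out / name).write_text("#!/bin/bash\n" + body + "\n")
        names.append(name)
    return names


if __name__ == "__main__":
    # Usage: split_fix.py <generated remediation.sh> <out dir> <rule id>...
    # With no arguments the constructed sample is split into ./dsop-fix-example.
    if len(sys.argv) >= 4:
        text = Path(sys.argv[1]).read_text()
        for written in write_fixes(text, sys.argv[2], set(sys.argv[3:])):
            print(written)
    else:
        keep = {RULE_PREFIX + "package_sudo_installed",
                RULE_PREFIX + "configure_crypto_policy"}
        for written in write_fixes(SAMPLE, "dsop-fix-example", keep):
            print(written)
```

Because the END marker must name the same rule as the BEGIN marker, a truncated or hand-edited combined script fails loudly instead of silently producing a file that runs half of one fix and half of the next.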
