Update STIG remediations for UBI8
Remediations
I regenerated the remediation script for the "[DRAFT] DISA STIG for Red Hat Enterprise Linux 8" profile using oscap-podman.
I split each remediation into a separate file. It should be easier to version control and understand the changes to the files this way. The scripts are numbered to ensure they execute in order. I then only selected the remediations required to resolve the STIG findings. All remediation scripts are unmodified from openscap.
Currently the numbers in dsop-fix/ aren't consecutive. Is that ok?
I wrote a small python script to split the remediation script apart. Should I check it into this repo too?
Is `--disablerepo="*" --enablerepo="*ubi-8*"` still required for yum?
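As an added example (not the author's splitter and not anything shipped by openscap), here is how such a split can be done. It assumes the oscap-generated bash script delimits each rule with `# BEGIN fix (n / total) for '<rule>'` and `# END fix for '<rule>'` markers, numbers each output file by the rule's original index, and lets selected rules (such as the dnf-automatic ones) be dropped, which is exactly what leaves gaps in the numbering.

```python
import re

# Constructed sample shaped like an oscap-generated bash remediation: each rule sits
# between "# BEGIN fix (n / total) for '<rule>'" and "# END fix for '<rule>'" markers.
# That marker format is an assumption of this example, not taken from the PR.
SAMPLE = """#!/usr/bin/bash
###############################################################################
# BEGIN fix (1 / 2) for 'xccdf_org.ssgproject.content_rule_package_sudo_installed'
###############################################################################
(>&2 echo "Remediating rule 1/2: 'xccdf_org.ssgproject.content_rule_package_sudo_installed'")
if ! rpm -q --quiet "sudo" ; then
    yum install -y "sudo"
fi
# END fix for 'xccdf_org.ssgproject.content_rule_package_sudo_installed'

###############################################################################
# BEGIN fix (2 / 2) for 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'
###############################################################################
(>&2 echo "Remediating rule 2/2: 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'")
if ! rpm -q --quiet "dnf-automatic" ; then
    yum install -y "dnf-automatic"
fi
# END fix for 'xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed'
"""

RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
BEGIN_RE = re.compile(r"^# BEGIN fix \((\d+) / \d+\) for '([^']+)'$", re.MULTILINE)

def split_remediations(script, skip=()):
    """Map zero-padded file names to per-rule scripts, in the order oscap emitted them.
    Rules whose short name contains any `skip` substring are dropped together with
    their number, so the remaining sequence can have gaps (e.g. 001, 003, 004)."""
    fixes = {}
    for m in BEGIN_RE.finditer(script):
        index, rule = int(m.group(1)), m.group(2)
        end_marker = f"# END fix for '{rule}'"
        end = script.find(end_marker, m.end())
        if end == -1:
            raise ValueError(f"unterminated fix block for {rule}")
        short = rule[len(RULE_PREFIX):] if rule.startswith(RULE_PREFIX) else rule
        if any(s in short for s in skip):
            continue
        # Keep the rule's body verbatim so the remediation stays unmodified from openscap.
        body = script[m.start():end + len(end_marker)]
        fixes[f"{index:03d}-{short}.sh"] = "#!/usr/bin/bash\n" + body + "\n"
    return fixes
```

Writing each entry to dsop-fix/ as an executable file lets a plain `dsop-fix/*.sh` glob run them in the original order.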
Packages
I applied all remediations that didn't seem likely to break the container. A number of possibly useless/inapplicable packages were installed.
All of the below packages are installed:
- sudo
- libcap-ng-utils
- openscap-scanner
- rng-tools
- scap-security-guide
- iptables
- usbguard
Some of these are barely applicable or not useful inside a container. We could remove some to reduce container image size, but doing so will introduce a STIG finding.
I skipped the dnf-automatic remediations because updates should never be applied to containers; all updates should be applied from the Dockerfile while building.
Remaining STIG findings
58 pass, 6 fail, 3 notchecked
Score: 89.83%
Two possible false positives. One error. Four inapplicable.
- Configure Kerberos to use System Crypto Policy
  False positive? Remediation was applied.
- Configure System Cryptography Policy
  Error configuring policy to use FIPS:OSPP:
  ```
  var_system_crypto_policy="FIPS:OSPP"
  update-crypto-policies --set ${var_system_crypto_policy}
  Unknown profile: FIPS:OSPP
  ```
  Does the FIPS:OSPP profile exist on UBI8?
  Note: ensure that FIPS is correctly enabled on the container host.
- Install dnf-automatic Package
- Configure dnf-automatic to Install Available Updates Automatically
- Configure dnf-automatic to Install Only Security Updates
- Enable dnf-automatic Timer
  Containers cannot be updated at runtime, only when built from the Dockerfile. dnf-automatic is inapplicable to containers.
- Log USBGuard daemon audit events using Linux Audit
  False positive? Remediation was applied.
  Containers (typically) have no USB access. This configuration isn't very applicable to containers.