UBI8 OpenSCAP Edit
Feature description
There are several rules in the RHEL8 STIG that I believe should be applied as OpenSCAP scripts. IronBank currently marks these rules as "Not Applicable".
Benefits
I believe it will make for a more complete STIG.
Requirements
Below are the commands I've included in a shell script to remediate the corresponding STIGs:

```bash
# Rule Title: RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
#
# Vul ID: V-230494
# Rule ID: SV-230494r599732_rule
# STIG ID: RHEL-08-040021
touch /etc/modprobe.d/blacklist.conf
echo "install atm /bin/true" >> /etc/modprobe.d/blacklist.conf
echo "blacklist atm" >> /etc/modprobe.d/blacklist.conf

# Rule Title: RHEL 8 must disable the controller area network (CAN) protocol.
#
# Vul ID: V-230495
# Rule ID: SV-230495r599732_rule
# STIG ID: RHEL-08-040022
echo "install can /bin/true" >> /etc/modprobe.d/blacklist.conf
echo "blacklist can" >> /etc/modprobe.d/blacklist.conf

# Rule Title: RHEL 8 must disable the stream control transmission (SCTP)
# protocol.
#
# Vul ID: V-230496
# Rule ID: SV-230496r599732_rule
# STIG ID: RHEL-08-040023
echo "install sctp /bin/true" >> /etc/modprobe.d/blacklist.conf
echo "blacklist sctp" >> /etc/modprobe.d/blacklist.conf

# Rule Title: RHEL 8 must disable the transparent inter-process communication
# (TIPC) protocol.
#
# Vul ID: V-230497
# Rule ID: SV-230497r599732_rule
# STIG ID: RHEL-08-040024
echo "install tipc /bin/true" >> /etc/modprobe.d/blacklist.conf
echo "blacklist tipc" >> /etc/modprobe.d/blacklist.conf

# Rule Title: RHEL 8 must disable mounting of cramfs.
#
# Vul ID: V-230498
# Rule ID: SV-230498r599732_rule
# STIG ID: RHEL-08-040025
echo "install cramfs /bin/true" >> /etc/modprobe.d/blacklist.conf
echo "blacklist cramfs" >> /etc/modprobe.d/blacklist.conf

# Rule Title: RHEL 8 must disable IEEE 1394 (FireWire) Support.
#
# Vul ID: V-230499
# Rule ID: SV-230499r599732_rule
# STIG ID: RHEL-08-040026
echo "install firewire-core /bin/true" >> /etc/modprobe.d/blacklist.conf
echo "blacklist firewire-core" >> /etc/modprobe.d/blacklist.conf
```
These are the corresponding OpenSCAP rules:
- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
- xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
- xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
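As an added example (not code from the issue or from IronBank), the same six remediations written so that re-running them does not duplicate lines, together with a check that looks for both directives the rules above require; the MODPROBE_DIR override is an assumption so the logic can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Idempotent version of the remediation above plus a check for the
# directives the listed kernel_module_*_disabled rules are about.
# Assumed (not in the issue): MODPROBE_DIR can be overridden so the logic
# can be tried in a scratch directory; it defaults to the real /etc/modprobe.d.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
STIG_MODULES="atm can sctp tipc cramfs firewire-core"

# Returns 0 only when the modprobe.d files, taken together, carry both
# directives the STIG rules require: "install <mod> /bin/true" and
# "blacklist <mod>". Surrounding whitespace is tolerated.
module_disabled() {
    mod="$1"
    grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/true[[:space:]]*$" \
        "$MODPROBE_DIR"/*.conf &&
    grep -qsE "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*$" \
        "$MODPROBE_DIR"/*.conf
}

# Appends each directive only if no line for that module exists yet, so
# re-running the script does not pile up duplicates. An existing
# "install <mod> <something else>" line is left alone; check_all flags it.
disable_module() {
    mod="$1"
    conf="$MODPROBE_DIR/blacklist.conf"
    mkdir -p "$MODPROBE_DIR"
    touch "$conf"
    grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]" "$MODPROBE_DIR"/*.conf ||
        echo "install ${mod} /bin/true" >> "$conf"
    grep -qsE "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*$" "$MODPROBE_DIR"/*.conf ||
        echo "blacklist ${mod}" >> "$conf"
}

remediate_all() {
    for mod in $STIG_MODULES; do disable_module "$mod"; done
}

# Prints PASS/FAIL per module; the return value is the number of failing modules.
check_all() {
    failures=0
    for mod in $STIG_MODULES; do
        if module_disabled "$mod"; then echo "PASS $mod"; else echo "FAIL $mod"; failures=$((failures + 1)); fi
    done
    return "$failures"
}
```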
Links / references
Although it's highly unlikely for a user to be loading kernel modules to a container (because it's an odd use case and requires many added privileges/capabilities) ... it's still possible:
- https://stackoverflow.com/questions/33013539/docker-loading-kernel-modules
- https://dummdida.tumblr.com/post/117157045170/modprobe-in-a-docker-container
- https://www.techrepublic.com/article/how-to-secure-a-kubernetes-cluster-by-preventing-unwanted-modules-from-loading/
Definition of Done
- Feature has been implemented
/cc @ironbank-notifications/feature
Edited by Hunter Stevens