Create RHEL 10 STIG control file#14826

Merged
Mab879 merged 7 commits into
ComplianceAsCode:masterfrom
jan-cerny:rhel10_stig_control
Jun 25, 2026
Conversation

@jan-cerny

@jan-cerny jan-cerny commented Jun 25, 2026

Collaborator

Description:

  • Create a control file stig_rhel10 based on official RHEL 10 DISA STIG V1R1.
  • Perform initial mapping of STIG requirements to rules and select the rules in the control file.
  • Use the new control file instead of srg_gpos controls in the RHEL 10 stig and stig_gui profiles.

Rationale:

Transition from a vendor STIG profile to a profile aligned with the official DISA STIG in RHEL 10.

Review Hints:

Check the profile stability data changes.

Added rules

| rule_id | STIGID | reason |
| --- | --- | --- |
| accounts_password_all_shadowed_sha512 | RHEL-10-600730 | requires sha512 |
| accounts_password_pam_unix_rounds_password_auth | RHEL-10-600720 | requires sha512 |
| accounts_password_pam_unix_rounds_system_auth | RHEL-10-600700 | requires sha512 |
| dconf_login_banner_contents=dod_default | RHEL-10-700020 | we need to specify the login banner text for rule dconf_gnome_login_banner_text |
| dconf_login_banner_text=dod_banners | RHEL-10-700020 | we need to specify the login banner text for rule dconf_gnome_login_banner_text |
| enable_gpgcheck_for_all_repositories | RHEL-10-001050 | requires setting gpgcheck on all repositories |
| mount_option_boot_efi_nosuid | RHEL-10-700130 | requires setting nosuid on /boot/efi |
| require_emergency_target_auth | RHEL-10-701250 | matches the requirement |
| sshd_approved_ciphers=stig_rhel10 | RHEL-10-300030 | only RHEL version number increment in selector, value is the same |
| sshd_approved_macs=stig_rhel10 | RHEL-10-300050 | only RHEL version number increment in selector, value is the same |
| sysctl_net_ipv4_conf_all_log_martians | RHEL-10-800110 | matches the requirement |
| sysctl_net_ipv4_conf_default_log_martians | RHEL-10-800120 | matches the requirement |

Removed rules

| rule_id | note |
| --- | --- |
| audit_rules_login_events_tallylog | no mention of tallylog in the manual STIG file |
| audit_rules_privileged_commands_modprobe | there isn't any requirement to audit usage of the modprobe command |
| audit_rules_privileged_commands_mount | Confusing requirement RHEL-10-500610, probably a bug in the DISA STIG - title mentions the "mount" command but the example audit rule in the check and fixtext isn't an audit rule watching a command, instead it watches the mount syscall. The selected rule audit_rules_media_export watches the syscall. If the command should be watched, the rule audit_rules_privileged_commands_mount should be selected instead. |
| audit_rules_privileged_commands_pkexec | no mention of pkexec in the manual STIG file |
| audit_rules_privileged_commands_rmmod | no mention of rmmod in the manual STIG file |
| audit_rules_unsuccessful_file_modification_rename | overlaps with rule audit_rules_file_deletion_events_rename |
| audit_rules_unsuccessful_file_modification_renameat | overlaps with rule audit_rules_file_deletion_events_renameat |
| audit_rules_unsuccessful_file_modification_unlink | overlaps with rule audit_rules_file_deletion_events_unlink |
| audit_rules_unsuccessful_file_modification_unlinkat | overlaps with rule audit_rules_file_deletion_events_unlinkat |
| configure_kerberos_crypto_policy | no specific mention of kerberos crypto policies; already covered by configure_crypto_policy |
| display_login_attempts | no mention of the "showfailed" PAM option in the manual STIG file |
| dnf-automatic_apply_updates | no mention of automatic updates or dnf-automatic in the manual STIG file |
| ensure_gpgcheck_never_disabled | replaced by enable_gpgcheck_for_all_repositories in RHEL-10-001050 |
| file_groupowner_cron_allow | no mention of cron.allow in the manual STIG file |
| file_owner_cron_allow | no mention of cron.allow in the manual STIG file |
| file_permission_user_init_files_root | STIG requires to cover only normal user init files (not root init files). They are already covered by file_permission_user_init_files_root. |
| file_permissions_audit_configuration | already covered by rules file_permissions_etc_audit_auditd and file_permissions_etc_audit_rulesd |
| file_permissions_cron_allow | no mention of cron.allow in the manual STIG file |
| fips_crypto_subpolicy | RHEL-10-300010 doesn't mention the FIPS:STIG subpolicy, it requires setting the cryptopolicies simply to FIPS |
| logind_session_timeout | no mention of StopIdleSessionSec option in the manual STIG |
| mount_option_nodev_removable_partitions | no mention of removable partition mount options in the STIG |
| mount_option_noexec_removable_partitions | no mention of removable partition mount options in the STIG |
| mount_option_nosuid_removable_partitions | no mention of removable partition mount options in the STIG |
| package_sssd_installed | STIG doesn't require to install this package |
| service_sssd_enabled | STIG doesn't require to start this service |
| set_firewalld_default_zone | already covered by configured_firewalld_default_deny in RHEL-10-200532 |
| set_password_hashing_min_rounds_logindefs | SHA_CRYPT_MIN_ROUNDS not mentioned in the STIG |
| ssh_client_rekey_limit | RekeyLimit not required for the SSH client, RekeyLimit required only for the SSH Server |
| sshd_approved_ciphers=stig_rhel9 | replaced by rhel10 selectors, but values are the same |
| sshd_approved_macs=stig_rhel9 | replaced by rhel10 selectors, but values are the same |
| sshd_disable_compression | no mention of the SSH option Compression in the STIG file |
| sshd_include_crypto_policy | can't find any requirement like that in the STIG manual file |
| sysctl_net_ipv4_ip_forward | no mention of the "forward" option in the STIG manual file |
| sysctl_net_ipv4_tcp_invalid_ratelimit | the rule is related to RHEL-10-800290 but doesn't align with its description |
| sysctl_net_ipv4_tcp_invalid_ratelimit_value=five_hundred | the rule is related to RHEL-10-800290 but doesn't align with its description |
| use_kerberos_security_all_exports | rule mount_option_krb_sec_remote_filesystems fits better to RHEL-10-700115 than this rule |
| var_authselect_profile=sssd | rule enable_authselect isn't selected |
| var_password_pam_dictcheck=1 | isn't used by any selected rule |
| var_password_pam_remember=5 | isn't used by any selected rule |
| var_password_pam_remember_control_flag=requisite_or_required | isn't used by any selected rule |
| var_sshd_disable_compression=no | isn't used by any selected rule |

Addressing:

```
jcerny@fedora:~/work/git/scap-security-guide (rhel10_stig_manual)$  utils/build_stig_control.py -o products/rhel10/controls/stig_rhel10.yml -p rhel10 -m shared/references/disa-stig-rhel10-v1r1-xccdf-manual.xml -g controls/srg_gpos.yml
Traceback (most recent call last):
  File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 232, in <module>
    main()
    ~~~~^^
  File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 204, in main
    controls = get_controls(known_rules, ns, root, srg_controls)
  File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 158, in get_controls
    control['rules'] = get_rules_for_control(stig_id, known_rules, srgs, srg_controls)
                       ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jcerny/work/git/scap-security-guide/utils/build_stig_control.py", line 139, in get_rules_for_control
    rule_set.update(srg_controls.get_control(srg).rules)
                    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^
  File "/home/jcerny/work/git/scap-security-guide/ssg/controls.py", line 688, in get_control
    raise ValueError(msg) from None
ValueError: SRG-OS-000142-GPOS-00072 not found in policy srg_gpos
```
Generated initial version of RHEL 10 STIG control file using
`build_stig_control.py` based on data from DISA manual XCCDF
(`shared/references/disa-stig-rhel10-v1r1-xccdf-manual.xml`)
and SRG GPOS control files (`controls/srg_gpos.yml`).
Reviewed STIG requirements and performed initial mapping of rules
for each requirement in the control file.
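The "Added rules" / "Removed rules" tables above are a selection diff between the old SRG-based controls and the new `stig_rhel10` control file, and the traceback shows what happens when a control references an ID the content does not know. The following is an added example, not code from the ComplianceAsCode project: it computes such a diff over constructed control data shaped like the YAML control files (`controls: [{id, rules: [...]}]`, with `var=selector` entries for variables), maps each selection to the STIG IDs that reference it, and reports every unknown rule or variable name at once instead of failing on the first one. `OLD_CONTROLS`, `NEW_CONTROLS` and `KNOWN_RULES` are constructed samples.

```python
from collections import defaultdict

# Constructed sample mirroring the old SRG-based selection (controls: [{id, rules}]).
OLD_CONTROLS = {"id": "srg_gpos_sample", "controls": [
    {"id": "SRG-OS-000073-GPOS-00041",
     "rules": ["sshd_approved_ciphers=stig_rhel9", "set_password_hashing_min_rounds_logindefs"]},
    {"id": "SRG-OS-000480-GPOS-00227",
     "rules": ["sshd_disable_compression", "var_sshd_disable_compression=no"]},
]}

# Constructed sample mirroring the new control file keyed by DISA STIG ID.
NEW_CONTROLS = {"id": "stig_rhel10", "controls": [
    {"id": "RHEL-10-600730", "rules": ["accounts_password_all_shadowed_sha512"]},
    {"id": "RHEL-10-300030", "rules": ["sshd_approved_ciphers=stig_rhel10"]},
    {"id": "RHEL-10-700130", "rules": ["mount_option_boot_efi_nosuid", "typo_rule_id"]},
]}

# Constructed set of rule and variable IDs the content knows about.
KNOWN_RULES = {"accounts_password_all_shadowed_sha512", "sshd_approved_ciphers",
               "mount_option_boot_efi_nosuid", "sshd_disable_compression",
               "var_sshd_disable_compression", "set_password_hashing_min_rounds_logindefs"}

def split_selection(sel):
    """'var=selector' -> ('var', 'selector'); a plain rule ID -> (rule, None)."""
    name, sep, value = sel.partition("=")
    return name, (value if sep else None)

def selections_by_control(policy):
    """Map each selection string to the sorted control IDs that select it."""
    index = defaultdict(set)
    for control in policy["controls"]:
        for sel in control.get("rules", []):
            index[sel].add(control["id"])
    return {sel: sorted(ids) for sel, ids in index.items()}

def diff_selections(old, new):
    """Return (added, removed): added maps selection -> control IDs, removed is a list."""
    old_idx, new_idx = selections_by_control(old), selections_by_control(new)
    added = {s: new_idx[s] for s in sorted(set(new_idx) - set(old_idx))}
    removed = sorted(set(old_idx) - set(new_idx))
    return added, removed

def unknown_selections(policy, known_rules):
    """Selections whose rule/variable name is not in known_rules, with the
    controls that reference them, so every bad ID is reported in one pass."""
    bad = []
    for sel, ids in sorted(selections_by_control(policy).items()):
        if split_selection(sel)[0] not in known_rules:
            bad.append((sel, ids))
    return bad
```

Loading a real control file means replacing the constructed dicts with `yaml.safe_load()` of the YAML; the rest of the logic is unchanged.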
@jan-cerny jan-cerny added this to the 0.1.82 milestone Jun 25, 2026
@jan-cerny jan-cerny added STIG STIG Benchmark related. RHEL10 Red Hat Enterprise Linux 10 product related. labels Jun 25, 2026
@Mab879 Mab879 self-assigned this Jun 25, 2026

@Mab879 Mab879 left a comment


Please make sure that yamllint passes.

@openshift-ci

openshift-ci Bot commented Jun 25, 2026


@jan-cerny: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 468a7c0 | link | true | /test e2e-aws-openshift-node-compliance |
| ci/prow/e2e-aws-openshift-platform-compliance | 468a7c0 | link | true | /test e2e-aws-openshift-platform-compliance |


@Mab879 Mab879 merged commit afbb3d7 into ComplianceAsCode:master Jun 25, 2026
68 of 71 checks passed