
Update RHEL 9 STIG to v2r8#14653

Merged
Mab879 merged 12 commits into ComplianceAsCode:master from vojtapolasek:update_stig_rhel9_vr27_to_v2r8 on Apr 17, 2026

Conversation

@vojtapolasek
Collaborator

Description:

  • Update RHEL 9 STIG reference files from V2R7 to V2R8.
  • RHEL-09-671010: Remove enable_fips_mode, enable_dracut_fips_module, and var_system_crypto_policy=fips_stig from the STIG control, keeping only sysctl_crypto_fips_enabled to align with the updated STIG requirement.
  • RHEL-09-433016 (fapolicy_default_deny): Update OVAL checks to also accept deny_log and deny_audit keywords in addition to deny, matching the updated STIG guidance. Update rule description and fixtext accordingly. Remove rule from default.profile since it is already present in the STIG profile.
  • RHEL-09-231105 (mount_option_boot_efi_nosuid): Remove the vfat filesystem exclusion since the updated STIG no longer exempts vfat partitions from the nosuid requirement. Update STIG checktext and test scenarios.
  • mount_option_nodev_nonroot_local_partitions: Stop ignoring vfat partitions in OVAL, Bash, and Ansible remediations to align with the updated STIG. Update test scenarios accordingly.
  • Update profile stability files for stig and stig_gui profiles.

Rationale:

  • Aligns the RHEL 9 STIG content with the DISA STIG V2R8 release. The updated STIG changes requirements for FIPS mode enforcement, fapolicyd deny policy keywords, and vfat partition mount option handling.

Review Hints:

  • Affected product: ./build_product --datastream-only rhel9
  • Key rule changes to review:
    • fapolicy_default_deny - OVAL regex change to accept deny_log/deny_audit
    • mount_option_boot_efi_nosuid - vfat exclusion removed from template vars, test renamed from .pass.sh to .fail.sh
    • mount_option_nodev_nonroot_local_partitions - vfat removed from OVAL regex, Bash sed, and Ansible regex/exclusion list
  • The STIG reference XML files are large diffs but are vendor-provided reference documents (renamed from v2r7 to v2r8).
  • Test commands for modified rules:

    ```shell
    ./tests/automatus.py rule --libvirt qemu:///session <vm_name> --datastream build/ssg-rhel9-ds.xml fapolicy_default_deny
    ./tests/automatus.py rule --libvirt qemu:///session <vm_name> --datastream build/ssg-rhel9-ds.xml mount_option_boot_efi_nosuid
    ./tests/automatus.py rule --libvirt qemu:///session <vm_name> --datastream build/ssg-rhel9-ds.xml mount_option_nodev_nonroot_local_partitions
    ```
  • Reviewing all commits together is recommended as they form a cohesive STIG version update.
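The fstab remediation change described above, exercised as an added example that is not part of this PR or the ComplianceAsCode project: Ansible's replace module uses Python's re module, so the updated (v2r8, no vfat exclusion) regexp and replace strings from this PR's Ansible remediation are applied unchanged to a constructed /etc/fstab; devices and UUIDs are hypothetical.

```python
import re

# Ansible's replace module uses Python's re module, so the v2r8 regexp and replace
# strings from this PR's Ansible remediation can be applied here unchanged.
FSTAB_NODEV_RE = re.compile(
    r"^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$"
)
FSTAB_NODEV_REPLACE = r"\1 \2 \3 \4,nodev \5"

# Constructed sample /etc/fstab (hypothetical UUIDs and devices, not from any real host).
# /bootstrap is included to show that the /boot|efi exclusion is a prefix match.
SAMPLE_FSTAB = """\
# /etc/fstab: constructed sample
UUID=aaaa-1111 /             xfs   defaults                   0 0
UUID=bbbb-2222 /boot         xfs   defaults                   0 0
UUID=cccc-3333 /boot/efi     vfat  umask=0077,shortname=winnt 0 2
/dev/sdb1      /data         ext4  defaults                   0 0
/dev/sdc1      /mnt/usbdisk  vfat  defaults,uid=1000          0 0
/dev/sdd1      /srv          xfs   defaults,nodev             0 0
/dev/sde1      /bootstrap    ext4  defaults                   0 0
"""


def missing_nodev(fstab_text):
    """Mount points the remediation regexp still matches, i.e. entries failing the check.

    Root, /boot, /efi and commented lines never match; since V2R8, vfat entries do.
    """
    return [m.group(2) for m in map(FSTAB_NODEV_RE.match, fstab_text.splitlines()) if m]


def add_nodev(fstab_text):
    """Apply the Ansible replace to every line; return (remediated_text, changed_mount_points)."""
    out, changed = [], []
    for line in fstab_text.splitlines():
        fixed = FSTAB_NODEV_RE.sub(FSTAB_NODEV_REPLACE, line)
        if fixed != line:
            changed.append(fixed.split()[1])  # second field is the mount point
        out.append(fixed)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    print("failing before:", missing_nodev(SAMPLE_FSTAB))
    remediated, touched = add_nodev(SAMPLE_FSTAB)
    print("remediated:", touched, "failing after:", missing_nodev(remediated))
```

The vfat USB mount at /mnt/usbdisk is now remediated, while /srv (already nodev), /boot, /boot/efi and the commented line are left alone.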

@vojtapolasek vojtapolasek added this to the 0.1.81 milestone Apr 15, 2026
@vojtapolasek vojtapolasek added RHEL9 Red Hat Enterprise Linux 9 product related. Update Profile Issues or pull requests related to Profiles updates. STIG STIG Benchmark related. labels Apr 15, 2026
@openshift-ci

openshift-ci Bot commented Apr 15, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 15, 2026
@github-actions

github-actions Bot commented Apr 15, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions'.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -19,10 +19,7 @@
 device nodes. The /boot and /efi partitions are
 excluded because they are special partitions usually handled by a
 systemd mount unit, and enforcing nodev on them during
-operating system installation causes issues. Partitions with the
-vfat file system type are excluded because vfat does not
-support Unix device special files, so nodev enforcement on
-them is not meaningful.
+operating system installation causes issues.
 
 [reference]:
 11
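Review bot: with the vfat sentence removed, the description no longer tells the reader that vfat partitions are now in scope, even though the OVAL check and both remediations in this PR stop skipping them; a short sentence stating that vfat partitions are now treated like any other non-root local partition per STIG V2R8 would keep the rule text aligned with the behaviour change.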

OCIL for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1
+++ ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1
@@ -1,6 +1,8 @@
-To verify the nodev option is configured for non-root local partitions, run the following command:
+To verify the nodev option is configured for non-root local partitions,
+run the following command:
 $ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
-The output shows local non-root partitions mounted without the nodev option, and there should be no output at all.
+The output shows local non-root partitions mounted without the nodev option,
+and there should be no output at all.
 
       Is it the case that some mounts appear among output lines?
       
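Review bot: the manual check command `mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'` also lists /boot and /efi mounts, which the rule description explicitly exempts, so an assessor following this OCIL text will see output on most systems and may record a false finding; consider either filtering them out (for example an additional `grep --invert-match -E ' on /(boot|efi)( |/)'`) or stating in the text that /boot and /efi lines may be ignored.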
bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -31,7 +31,6 @@
     lustre
     davfs
     fuse.sshfs
-    vfat
 )
 
 for partition_record in "${partitions_records[@]}"; do
@@ -86,8 +85,8 @@
     fi
 done
 
-# Remediate unmounted /etc/fstab entries, excluding /boot, /efi, and vfat partitions
-sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/\w\S*\s+vfat\s/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; } }' /etc/fstab
+# Remediate unmounted /etc/fstab entries, excluding /boot and /efi partitions
+sed -i -E '/nodev/! { /^\s*(\/dev\/\S+|UUID=\S+)\s+\/(boot|efi)/! s;^\s*(/dev/\S+|UUID=\S+)\s+(/\w\S*)\s+(\S+)\s+(\S+)(.*)$;\1 \2 \3 \4,nodev \5; }' /etc/fstab
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
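Review bot: the `/nodev/!` address on the new sed line is unanchored, so any fstab entry that merely contains the string nodev somewhere else on the line (a device label or mount point name, for instance) is skipped without getting the option, whereas the Ansible remediation in this same PR tests for `\bnodev\b` only from the options field onward; likewise the exclusion `\/(boot|efi)` is a prefix match and also skips mount points such as /bootstrap. Tightening both, e.g. `\/(boot|efi)(\/|\s)`, would keep the bash and Ansible results consistent.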

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
+++ xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions
@@ -64,7 +64,6 @@
     - lustre
     - davfs
     - fuse.sshfs
-    - vfat
   when: ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
     and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
     and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
@@ -122,11 +121,11 @@
   - mount_option_nodev_nonroot_local_partitions
   - no_reboot_needed
 
-- name: 'Add nodev Option to Non-Root Local Partitions: Ensure non-root local partitions
-    are present with nodev option in /etc/fstab'
+- name: 'Add nodev Option to Non-Root Local Partitions: Ensure nodev option in /etc/fstab
+    for non-root local partitions'
   ansible.builtin.replace:
     path: /etc/fstab
-    regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(?!vfat\s)(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
+    regexp: ^\s*(?!#)(/dev/\S+|UUID=\S+)\s+(/(?!boot|efi)\w\S*)\s+(\S+)\s+(?!.*\bnodev\b)(\S+)(.*)$
     replace: \1 \2 \3 \4,nodev \5
   when: ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
     and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
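Review bot: in the updated regexp, `(/(?!boot|efi)\w\S*)` is a prefix test, so mount points like /bootstrap or /efivars are exempted from nodev along with /boot and /efi; if only /boot and /efi (and their subdirectories) are meant to be exempt, `(/(?!(boot|efi)(/|\s))\w\S*)` is tighter. Note also that `\w\S*` requires a word character right after the leading slash, so a mount point such as /.snapshots is never remediated; a comment saying this is intentional, or widening the pattern, would help the next reader.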

New content has different text for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny'.
--- xccdf_org.ssgproject.content_rule_fapolicy_default_deny
+++ xccdf_org.ssgproject.content_rule_fapolicy_default_deny
@@ -3,7 +3,9 @@
 Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
 
 [description]:
-The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running.
+The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to
+allow the execution of authorized software programs and to prevent unauthorized software from
+running.
 
 [reference]:
 CM-7 (2)
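Review bot: the description still talks only about a generic deny-all policy; since the OVAL check now also accepts deny_log and deny_audit as the final catch-all action (per the PR description), a sentence stating that any of deny, deny_log or deny_audit satisfies the rule would let readers of the rule text know this without consulting the OCIL.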
@@ -30,12 +32,16 @@
 SV-244546r1017349_rule
 
 [rationale]:
-Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software.
-Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
+Utilizing a whitelist provides a configuration management method for allowing the execution of
+only authorized software.
+Using only authorized software decreases risk by limiting the number of potential
+vulnerabilities.
+Verification of whitelisted software occurs prior to execution or at system startup.
 
 Proceed with caution with enforcing the use of this daemon.
 Improper configuration may render the system non-functional.
-The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers.
+The "fapolicyd" API is not namespace aware and can cause issues when launching or running
+containers.
 
 [ident]:
 CCE-86478-5

OCIL for rule 'xccdf_org.ssgproject.content_rule_fapolicy_default_deny' differs.
--- ocil:ssg-fapolicy_default_deny_ocil:questionnaire:1
+++ ocil:ssg-fapolicy_default_deny_ocil:questionnaire:1
@@ -17,5 +17,8 @@
 allow exe=/usr/bin/python3.7 : ftype=text/x-python
 deny_audit perm=any pattern=ld_so : all
 deny perm=any all : all
+
+Note: The "deny_log" and "deny_audit" actions also meet the security requirements as they deny
+execution while additionally providing logging.
       Is it the case that fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy?
       
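Review bot: the added note says both actions "additionally provide logging"; to be precise, deny_log sends the denial to syslog while deny_audit records an audit event, so "while additionally recording the denial (to syslog or the audit log respectively)" would be more accurate. The sample rule set shown above still ends with a plain `deny perm=any all : all`, which is fine since that form remains accepted.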

@jan-cerny
Collaborator

@vojtapolasek you'll need to update the version number in both profile files and in the control file

@Mab879 Mab879 self-assigned this Apr 15, 2026
@jan-cerny jan-cerny added the Highlight This PR/Issue should make it to the featured changelog. label Apr 15, 2026
@vojtapolasek vojtapolasek force-pushed the update_stig_rhel9_vr27_to_v2r8 branch from 43d8b2d to f6f73e9 Compare April 15, 2026 15:17
@vojtapolasek
Collaborator Author

@jan-cerny thanks, fixed.

@vojtapolasek vojtapolasek marked this pull request as ready for review April 17, 2026 09:02
@vojtapolasek vojtapolasek changed the title WIP: update RHEL 9 STIG to v2r8 Update RHEL 9 STIG to v2r8 Apr 17, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 17, 2026
@vojtapolasek vojtapolasek force-pushed the update_stig_rhel9_vr27_to_v2r8 branch from 8332337 to d6e47d4 Compare April 17, 2026 09:11
@openshift-ci

openshift-ci Bot commented Apr 17, 2026

@vojtapolasek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 3766896 link true /test e2e-aws-openshift-node-compliance


@Mab879 Mab879 merged commit 9cbb2a0 into ComplianceAsCode:master Apr 17, 2026
62 of 65 checks passed