From e4fa118f62be421335225d4201265eb6a6bbd306 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Tue, 28 Jan 2020 11:24:06 +0100
Subject: [PATCH] Enable rules that cover AU-9 better in OCP4 moderate profile

This enables a few rules that pertain to the AU-9 control in the OCP4 moderate profile. Note that the logrotate check will need to be updated in a future patch to allow a variable for the rotation cadence, as it is currently hardcoded to 'daily'. AU-9 does not require a specific rotation cadence.
---
 .../rpm_verification/rpm_verify_ownership/rule.yml | 2 +-
 .../rpm_verification/rpm_verify_permissions/rule.yml | 2 +-
 ocp4/profiles/moderate.profile | 8 +++++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index 1e8e59edf8c..7f3eb637279 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel6,rhel7,rhel8,rhv4
+prodtype: rhel6,rhel7,rhel8,rhv4,ocp4
 title: 'Verify and Correct Ownership with RPM'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
index 891256dceeb..329ac375fe2 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4
+prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4,ocp4
 title: 'Verify and Correct File Permissions with RPM'
diff --git a/ocp4/profiles/moderate.profile b/ocp4/profiles/moderate.profile
index e7f9a492e8d..d19491d7009 100644
--- a/ocp4/profiles/moderate.profile
+++ b/ocp4/profiles/moderate.profile
@@ -563,10 +563,12 @@ selections:
 - chronyd_or_ntpd_specify_multiple_servers
 # AU-9
-#- rpm_verify_ownership
-#- rpm_verify_permissions
+- rpm_verify_ownership
+- rpm_verify_permissions
 - selinux_confinement_of_daemons
-#- ensure_logrotate_activated
+# TODO - we should update this rule to parameterize the rotation cadence.
+# The check curently expects it to be daily, but OCP4 nodes rotate weekly.
+- ensure_logrotate_activated
 - file_permissions_var_log_audit
 - file_ownership_var_log_audit
 - directory_permissions_var_log_audit
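Review bot: Selecting `ensure_logrotate_activated` directly under the new TODO ships a rule that, by the TODO's own wording, expects a `daily` cadence while OCP4 nodes rotate weekly, so every correctly configured node will report a failure for this AU-9 item until the promised parameterization lands. A known-false finding in a shipped moderate profile is worse than a commented-out selection: operators learn to waive it, and a real regression in log rotation (or in the other AU-9 rules listed right below it) is then easier to miss. Either keep `#- ensure_logrotate_activated` commented out with the TODO until the cadence is a variable, or land the variable in this same change and set it to weekly for OCP4 so the rule enters the profile passing. Minor: `curently` in the TODO should read `currently`. The `selections:` list this hunk edits begins above the hunk.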