add UEFI hardening variant

/hardening/anaconda is not included because the upstream kickstarts are not UEFI compatible, ie. Failed to find a suitable stage1 device: EFI System Partition cannot be of type xfs.; EFI System Partition must be mounted on one of /boot/efi.; EFI System Partition cannot be of type lvmpv. Signed-off-by: Jiri Jaburek <[email protected]>
RHSecurityCompliance · Oct 18, 2024 · 655ead7 · 655ead7
1 parent 7e41d72
commit 655ead7
Show file tree

Hide file tree

Showing 12 changed files with 341 additions and 12 deletions.
diff --git a/conf/waivers/10-unknown b/conf/waivers/10-unknown
@@ -23,7 +23,8 @@
 /hardening(/host-os)?/ansible/.+/audit_rules_usergroup_modification
     True
 # RHEL-9 only
-/hardening/ansible/with-gui/.+/network_nmcli_permissions
+# (possibly because of missing Ansible remediation?)
+/hardening/ansible/.+/network_nmcli_permissions
     rhel == 9
 # RHEL-8 or 9
 /hardening(/host-os)?/ansible/.+/audit_rules_unsuccessful_file_modification
@@ -105,10 +106,10 @@
 # Image Builder
 #
 # TODO: file issues ?
-/hardening/image-builder/anssi_[^/]+/mount_option_tmp_noexec
-/hardening/image-builder/anssi_[^/]+/sebool_polyinstantiation_enabled
+/hardening/image-builder(/.+)?/anssi_[^/]+/mount_option_tmp_noexec
+/hardening/image-builder(/.+)?/anssi_[^/]+/sebool_polyinstantiation_enabled
     True
-/hardening/image-builder/hipaa/sebool_selinuxuser_execmod
+/hardening/image-builder(/.+)?/hipaa/sebool_selinuxuser_execmod
     rhel == 9
 
 # vim: syntax=python
diff --git a/conf/waivers/20-long-term b/conf/waivers/20-long-term
@@ -12,7 +12,7 @@
 # - possibly unrelated https://github.com/ComplianceAsCode/content/issues/12276
 /hardening/kickstart(/with-gui)?/[^/]+/firewalld_sshd_port_enabled
 # https://github.com/ComplianceAsCode/content/issues/11625
-/hardening/image-builder/[^/]+/firewalld_sshd_port_enabled
+/hardening/image-builder/.+/firewalld_sshd_port_enabled
     True
 
 # rule ordering issue - accounts_password_pam_retry is checked first and passes,
@@ -88,7 +88,7 @@
 # https://github.com/ComplianceAsCode/content/issues/11565
 /hardening/image-builder/.*/audit_rules_privileged_commands
 # https://github.com/ComplianceAsCode/content/issues/11566
-/hardening/image-builder/[^/]+/sebool_selinuxuser_execstack
+/hardening/image-builder/.+/sebool_selinuxuser_execstack
 # https://github.com/ComplianceAsCode/content/issues/11567
 /hardening/image-builder/.*/enable_dracut_fips_module
 /hardening/image-builder/.*/enable_fips_mode
@@ -134,4 +134,13 @@
 /static-checks/rule-identifiers/ism_o/.*
     rhel == 8 or rhel == 9 or rhel == 10
 
+# UEFI/SecureBoot
+#
+# https://github.com/ComplianceAsCode/content/issues/12508
+/hardening/ansible/uefi/anssi_bp28_(enhanced|high)
+    status == 'error'
+# https://github.com/ComplianceAsCode/content/issues/12510
+/hardening/image-builder/uefi/.+/mount_option_boot_efi_nosuid
+    True
+
 # vim: syntax=python
diff --git a/hardening/ansible/test.py b/hardening/ansible/test.py
@@ -13,14 +13,16 @@
 
 if variant == 'with-gui':
     g = virt.Guest('gui_with_oscap')
+elif variant == 'uefi':
+    g = virt.Guest('uefi_with_oscap')
 else:
     g = virt.Guest('minimal_with_oscap')
 
 if not g.can_be_snapshotted():
     ks = virt.Kickstart(partitions=partitions.partitions)
     if variant == 'with-gui':
         ks.packages.append('@Server with GUI')
-    g.install(kickstart=ks)
+    g.install(kickstart=ks, secure_boot=(variant == 'uefi'))
     g.prepare_for_snapshot()
 
 # the VM guest ssh code doesn't use $HOME/.known_hosts, so Ansible blocks

diff --git a/hardening/ansible/uefi.fmf b/hardening/ansible/uefi.fmf
@@ -0,0 +1,77 @@
+tag+:
+  - broken
+
+/anssi_bp28_high:
+
+/anssi_bp28_enhanced:
+    tag+:
+      - subset-profile
+
+/anssi_bp28_intermediary:
+    tag+:
+      - subset-profile
+
+/anssi_bp28_minimal:
+    tag+:
+      - subset-profile
+
+/cis:
+
+/cis_server_l1:
+    tag+:
+      - subset-profile
+
+/cis_workstation_l2:
+
+/cis_workstation_l1:
+    tag+:
+      - subset-profile
+
+/cui:
+    adjust+:
+      - when: distro >= rhel-10
+        enabled: false
+        because: there is no CUI profile on RHEL-10+
+
+/e8:
+
+/hipaa:
+
+/ism_o:
+
+/ospp:
+    adjust+:
+      - when: distro >= rhel-10
+        enabled: false
+        because: there is no OSPP profile on RHEL-10+
+
+/pci-dss:
+
+/stig:
+
+/stig_gui:
+    adjust+:
+      - enabled: false
+        because: not supported without GUI, use stig instead
+
+/ccn_advanced:
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
+
+/ccn_intermediate:
+    tag+:
+      - subset-profile
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
+
+/ccn_basic:
+    tag+:
+      - subset-profile
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
diff --git a/hardening/image-builder/test.py b/hardening/image-builder/test.py
@@ -25,7 +25,7 @@
 _, lines = util.subprocess_stream(cmd, check=True)
 blueprint = osbuild.translate_oscap_blueprint(lines, '/root/remediation-ds.xml')
 
-g.create(blueprint=blueprint, rpmpack=rpmpack)
+g.create(blueprint=blueprint, rpmpack=rpmpack, secure_boot=(variant == 'uefi'))
 
 with g.booted():
     # copy the original DS to the guest

diff --git a/hardening/image-builder/uefi.fmf b/hardening/image-builder/uefi.fmf
@@ -0,0 +1,77 @@
+tag+:
+  - broken
+
+/anssi_bp28_high:
+
+/anssi_bp28_enhanced:
+    tag+:
+      - subset-profile
+
+/anssi_bp28_intermediary:
+    tag+:
+      - subset-profile
+
+/anssi_bp28_minimal:
+    tag+:
+      - subset-profile
+
+/cis:
+
+/cis_server_l1:
+    tag+:
+      - subset-profile
+
+/cis_workstation_l2:
+
+/cis_workstation_l1:
+    tag+:
+      - subset-profile
+
+/cui:
+    adjust+:
+      - when: distro >= rhel-10
+        enabled: false
+        because: there is no CUI profile on RHEL-10+
+
+/e8:
+
+/hipaa:
+
+/ism_o:
+
+/ospp:
+    adjust+:
+      - when: distro >= rhel-10
+        enabled: false
+        because: there is no OSPP profile on RHEL-10+
+
+/pci-dss:
+
+/stig:
+
+/stig_gui:
+    adjust+:
+      - enabled: false
+        because: not supported without GUI, use stig instead
+
+/ccn_advanced:
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
+
+/ccn_intermediate:
+    tag+:
+      - subset-profile
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
+
+/ccn_basic:
+    tag+:
+      - subset-profile
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
diff --git a/hardening/kickstart/test.py b/hardening/kickstart/test.py
@@ -30,7 +30,7 @@
 if variant == 'with-gui':
     ks.packages.append('@Server with GUI')
 
-g.install(kickstart=ks, rpmpack=rpmpack)
+g.install(kickstart=ks, rpmpack=rpmpack, secure_boot=(variant == 'uefi'))
 
 with g.booted():
     # copy the original DS to the guest

diff --git a/hardening/kickstart/uefi.fmf b/hardening/kickstart/uefi.fmf
@@ -0,0 +1,77 @@
+tag+:
+  - broken
+
+/anssi_bp28_high:
+
+/anssi_bp28_enhanced:
+    tag+:
+      - subset-profile
+
+/anssi_bp28_intermediary:
+    tag+:
+      - subset-profile
+
+/anssi_bp28_minimal:
+    tag+:
+      - subset-profile
+
+/cis:
+
+/cis_server_l1:
+    tag+:
+      - subset-profile
+
+/cis_workstation_l2:
+
+/cis_workstation_l1:
+    tag+:
+      - subset-profile
+
+/cui:
+    adjust+:
+      - when: distro >= rhel-10
+        enabled: false
+        because: there is no CUI profile on RHEL-10+
+
+/e8:
+
+/hipaa:
+
+/ism_o:
+
+/ospp:
+    adjust+:
+      - when: distro >= rhel-10
+        enabled: false
+        because: there is no OSPP profile on RHEL-10+
+
+/pci-dss:
+
+/stig:
+
+/stig_gui:
+    adjust+:
+      - enabled: false
+        because: CCN profiles are not present on RHEL-8
+
+/ccn_advanced:
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
+
+/ccn_intermediate:
+    tag+:
+      - subset-profile
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
+
+/ccn_basic:
+    tag+:
+      - subset-profile
+    adjust+:
+      - when: distro == rhel-8 or distro == rhel-10
+        enabled: false
+        because: CCN profiles are not present on RHEL-8 and on RHEL-10
diff --git a/hardening/oscap/test.py b/hardening/oscap/test.py
@@ -12,14 +12,16 @@
 
 if variant == 'with-gui':
     g = virt.Guest('gui_with_oscap')
+elif variant == 'uefi':
+    g = virt.Guest('uefi_with_oscap')
 else:
     g = virt.Guest('minimal_with_oscap')
 
 if not g.can_be_snapshotted():
     ks = virt.Kickstart(partitions=partitions.partitions)
     if variant == 'with-gui':
         ks.packages.append('@Server with GUI')
-    g.install(kickstart=ks)
+    g.install(kickstart=ks, secure_boot=(variant == 'uefi'))
     g.prepare_for_snapshot()
 
 with g.snapshotted():