diff --git a/.github/workflows/ocp-test-profiles.yaml b/.github/workflows/ocp-test-profiles.yaml index 7c188ece96e6..0862aaaf3968 100644 --- a/.github/workflows/ocp-test-profiles.yaml +++ b/.github/workflows/ocp-test-profiles.yaml @@ -91,7 +91,10 @@ jobs: done ALL_PROFILES+=(${ELIGIBLE_PROFILES[@]}) - PROFILES+=(${ELIGIBLE_PROFILES[$(($RANDOM%(${#ELIGIBLE_PROFILES[@]})))]}) + # Only add a profile if there are eligible profiles with CI jobs + if [ ${#ELIGIBLE_PROFILES[@]} -gt 0 ]; then + PROFILES+=(${ELIGIBLE_PROFILES[$(($RANDOM%(${#ELIGIBLE_PROFILES[@]})))]}) + fi done # Sort and ensure that the profiles are unique diff --git a/components/at.yml b/components/at.yml index 67d8d1ddbb2f..c16f9ad9d54c 100644 --- a/components/at.yml +++ b/components/at.yml @@ -3,4 +3,5 @@ packages: - at rules: - file_at_deny_not_exist +- file_permissions_at_binaries - service_atd_disabled diff --git a/components/dnf.yml b/components/dnf.yml index 65a1e2b888d0..35d9db6ac8c5 100644 --- a/components/dnf.yml +++ b/components/dnf.yml @@ -4,6 +4,7 @@ packages: - dnf-automatic - dnf-plugin-subscription-manager - libdnf-plugin-subscription-manager +- python3-dnf rules: - clean_components_post_updating - disable_weak_deps @@ -12,6 +13,7 @@ rules: - ensure_gpgcheck_local_packages - ensure_gpgcheck_never_disabled - ensure_gpgcheck_repo_metadata +- file_permissions_dnf_binaries - package_dnf-automatic_installed - package_dnf-plugin-subscription-manager_installed - package_libdnf-plugin-subscription-manager_installed diff --git a/components/nmap-ncat.yml b/components/nmap-ncat.yml new file mode 100644 index 000000000000..02034094f15e --- /dev/null +++ b/components/nmap-ncat.yml @@ -0,0 +1,5 @@ +name: nmap-ncat +packages: +- nmap-ncat +rules: +- file_permissions_nmap_ncat_binaries diff --git a/components/socat.yml b/components/socat.yml new file mode 100644 index 000000000000..46fd97aa81de --- /dev/null +++ b/components/socat.yml 
@@ -0,0 +1,5 @@ +name: socat +packages: +- socat +rules: +- file_permissions_socat_binaries diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml new file mode 100644 index 000000000000..0fd6c2c9afa0 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/rule.yml 
@@ -0,0 +1,44 @@ +documentation_complete: true + +title: 'Restrict Execution of At Job Scheduling Binaries' + +description: |- + On RHCOS, packages in the base image cannot be removed. As a compensating + control, job scheduling utilities such as at should have their execute + permissions removed to prevent unauthorized task scheduling. + {{{ describe_file_permissions(file="/usr/bin/at", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/atq", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/atrm", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/batch", perms="0644") }}} + +rationale: |- + The at package provides the ability to schedule one-time tasks for future + execution. While not installed by default on RHCOS, if present, attackers + could use these utilities to schedule malicious tasks, making it harder to + detect and trace unauthorized activity. On immutable systems like RHCOS, + removing execute permissions prevents these tools from being used while + maintaining system integrity. + +severity: high + +identifiers: + cce@rhcos4: CCE-86492-6 + +platform: rhcos4 + +ocil: |- + {{{ describe_file_permissions(file="/usr/bin/at", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/atq", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/atrm", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/batch", perms="0644") }}} + +template: + name: file_permissions + vars: + filepath: + - /usr/bin/at + - /usr/bin/atq + - /usr/bin/atrm + - /usr/bin/batch + filemode: '0644' + missing_file_pass: 'true' diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/correct.pass.sh b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/correct.pass.sh new file mode 100755 index 000000000000..09b99c90eef4 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/correct.pass.sh 
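Review bot: The rationale says the at package is "not installed by default on RHCOS" while the description says the package is in the base image and cannot be removed; both cannot be true, and the justification for a `severity: high` rule depends on which one is. I would drop the "not installed by default" clause and state the actual premise, e.g. `The at package ships in the RHCOS base image and cannot be removed with rpm-ostree, so execute permission is removed as a compensating control.` The ocil should also tell the auditor that an absent file is a pass, since `missing_file_pass: 'true'` is set but the `describe_file_permissions` text does not mention it. Finally, 0644 also clears the setuid bit that `/usr/bin/at` normally carries; that is intended here, but worth a one-line comment under `template:` so nobody later "fixes" it back to a setuid mode.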
@@ -0,0 +1,12 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binaries with correct permissions (0000) +touch /usr/bin/at +touch /usr/bin/atq +touch /usr/bin/atrm +touch /usr/bin/batch +chmod 0000 /usr/bin/at +chmod 0000 /usr/bin/atq +chmod 0000 /usr/bin/atrm +chmod 0000 /usr/bin/batch diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/missing_files.pass.sh b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/missing_files.pass.sh new file mode 100755 index 000000000000..dea2ed1ce788 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/missing_files.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_all + +# Remove binaries - should pass because missing_file_pass: true +rm -f /usr/bin/at +rm -f /usr/bin/atq +rm -f /usr/bin/atrm +rm -f /usr/bin/batch diff --git a/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/wrong_permissions.fail.sh new file mode 100755 index 000000000000..c07e295ac268 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/file_permissions_at_binaries/tests/wrong_permissions.fail.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binaries with wrong permissions (0755) +touch /usr/bin/at +touch /usr/bin/atq +touch /usr/bin/atrm +touch /usr/bin/batch +chmod 0755 /usr/bin/at +chmod 0755 /usr/bin/atq +chmod 0755 /usr/bin/atrm +chmod 0755 /usr/bin/batch diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml new file mode 100644 index 000000000000..88c04abace72 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/rule.yml 
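Review bot: The `correct.pass.sh` scenario sets the files to 0000 rather than the `filemode: '0644'` the rule declares, so no scenario exercises the exact mode the check and the MachineConfig remediation produce. Add a second pass scenario with `chmod 0644` on the four files, and a fail scenario that sets only an execute bit (e.g. `chmod 0544`), so a regression in how the template compares mode bits is caught rather than masked by the all-zero case. The header comment should also say the scenario is about mode bits only, since `touch` creates empty regular files in place of the real binaries or their symlinks.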
@@ -0,0 +1,42 @@ +documentation_complete: true + +title: 'Restrict Execution of DNF Package Manager Binaries' + +description: |- + On RHCOS, packages in the base image cannot be removed. As a compensating + control, package management utilities such as dnf and yum should have their + execute permissions removed to prevent unauthorized package installation. + {{{ describe_file_permissions(file="/usr/bin/dnf", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/dnf-3", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/yum", perms="0644") }}} + +rationale: |- + The dnf and python3-dnf packages provide package management utilities for + installing, updating, and removing software. RHCOS is designed to be an + immutable operating system managed through atomic upgrades and containerization. + Retaining these utilities with execute permissions allows unauthorized users + to install or modify packages, potentially compromising system integrity. + On immutable systems like RHCOS, removing execute permissions prevents + unauthorized package management while maintaining system integrity. + +severity: high + +identifiers: + cce@rhcos4: CCE-86494-2 + +platform: rhcos4 + +ocil: |- + {{{ describe_file_permissions(file="/usr/bin/dnf", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/dnf-3", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/yum", perms="0644") }}} + +template: + name: file_permissions + vars: + filepath: + - /usr/bin/dnf + - /usr/bin/dnf-3 + - /usr/bin/yum + filemode: '0644' + missing_file_pass: 'true' diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/correct.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/correct.pass.sh new file mode 100755 index 000000000000..e4a6188a96c9 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/correct.pass.sh 
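Review bot: The rationale claims removing execute permission "prevents unauthorized package management", but `/usr/bin/dnf-3` is a Python entry script and `/usr/bin/dnf` and `/usr/bin/yum` are normally symlinks to it, so on a node that has `python3` it can still be run as `python3 /usr/bin/dnf-3`, and the `python3-dnf` modules the component now lists stay importable regardless of these mode bits. Word the rationale as raising the bar rather than preventing, e.g. `Removing execute permission discourages casual use of dnf on a node; it does not remove the dnf Python modules and is not a substitute for restricting interactive root access.` It is also worth noting in the description that `rpm-ostree` remains the supported package tool on RHCOS and is deliberately not covered by this rule, so readers do not extend the list to it.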
@@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binaries with correct permissions (0000) +touch /usr/bin/dnf +touch /usr/bin/dnf-3 +touch /usr/bin/yum +chmod 0000 /usr/bin/dnf +chmod 0000 /usr/bin/dnf-3 +chmod 0000 /usr/bin/yum diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/missing_files.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/missing_files.pass.sh new file mode 100755 index 000000000000..d760ed855bd6 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/missing_files.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_all + +# Remove binaries - should pass because missing_file_pass: true +rm -f /usr/bin/dnf +rm -f /usr/bin/dnf-3 +rm -f /usr/bin/yum diff --git a/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/wrong_permissions.fail.sh new file mode 100755 index 000000000000..a282c01f07a4 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_dnf_binaries/tests/wrong_permissions.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binaries with wrong permissions (0755) +touch /usr/bin/dnf +touch /usr/bin/dnf-3 +touch /usr/bin/yum +chmod 0755 /usr/bin/dnf +chmod 0755 /usr/bin/dnf-3 +chmod 0755 /usr/bin/yum diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml new file mode 100644 index 000000000000..d61d3da1617c --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/rule.yml 
@@ -0,0 +1,37 @@ +documentation_complete: true + +title: 'Restrict Execution of Netcat Binaries' + +description: |- + On RHCOS, packages in the base image cannot be removed. As a compensating + control, network utilities such as netcat should have their execute permissions + removed to prevent unauthorized use. + {{{ describe_file_permissions(file="/usr/bin/ncat", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/nc", perms="0644") }}} + +rationale: |- + Utilities such as netcat can be used for legitimate troubleshooting, + but they also present a significant security risk if misused by attackers + to create unauthorized network connections, transfer data, or establish + reverse shells. On immutable operating systems like RHCOS, removing execute + permissions prevents these tools from being used while maintaining system integrity. + +severity: high + +identifiers: + cce@rhcos4: CCE-86483-5 + +platform: rhcos4 + +ocil: |- + {{{ describe_file_permissions(file="/usr/bin/ncat", perms="0644") }}} + {{{ describe_file_permissions(file="/usr/bin/nc", perms="0644") }}} + +template: + name: file_permissions + vars: + filepath: + - /usr/bin/ncat + - /usr/bin/nc + filemode: '0644' + missing_file_pass: 'true' diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/correct.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/correct.pass.sh new file mode 100755 index 000000000000..0f0130c1f28d --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/correct.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binaries with correct permissions (0000) +touch /usr/bin/ncat +touch /usr/bin/nc +chmod 0000 /usr/bin/ncat +chmod 0000 /usr/bin/nc 
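Review bot: The rationale states that removing execute permission "prevents these tools from being used", but `filemode: '0644'` leaves `/usr/bin/ncat` world-readable, and a readable ELF can still be executed through the dynamic loader (`/lib64/ld-linux-x86-64.so.2 /usr/bin/ncat ...`) without the execute bit, so a compromised non-root workload loses very little. If the goal is to block non-root use, the mode to require is `filemode: '0600'` (or `'0000'`, which the pass scenario already uses), and the rationale should present this as defence in depth, since bash's `/dev/tcp`, `curl` and `python3` on the same node provide equivalent reverse-shell capability. `/usr/bin/nc` is presumably an alternatives symlink to `ncat` on this platform; a short comment under `filepath:` saying the check is expected to follow it would help the next reader.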
diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/missing_files.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/missing_files.pass.sh new file mode 100755 index 000000000000..2d64935986af --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/missing_files.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_all + +# Remove binaries - should pass because missing_file_pass: true +rm -f /usr/bin/ncat +rm -f /usr/bin/nc diff --git a/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/wrong_permissions.fail.sh new file mode 100755 index 000000000000..4ebc442c1040 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_nmap_ncat_binaries/tests/wrong_permissions.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binaries with wrong permissions (0755) +touch /usr/bin/ncat +touch /usr/bin/nc +chmod 0755 /usr/bin/ncat +chmod 0755 /usr/bin/nc diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml new file mode 100644 index 000000000000..ea811fa879b2 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/rule.yml 
@@ -0,0 +1,33 @@ +documentation_complete: true + +title: 'Restrict Execution of Socat Binaries' + +description: |- + On RHCOS, packages in the base image cannot be removed. As a compensating + control, network utilities such as socat should have their execute permissions + removed to prevent unauthorized use. + {{{ describe_file_permissions(file="/usr/bin/socat", perms="0644") }}} + +rationale: |- + Utilities such as socat can be used for legitimate troubleshooting, + but they also present a significant security risk if misused by attackers + to create unauthorized network connections, transfer data, or establish + reverse shells. On immutable operating systems like RHCOS, removing execute + permissions prevents these tools from being used while maintaining system integrity. + +severity: high + +identifiers: + cce@rhcos4: CCE-86484-3 + +platform: rhcos4 + +ocil: |- + {{{ describe_file_permissions(file="/usr/bin/socat", perms="0644") }}} + +template: + name: file_permissions + vars: + filepath: /usr/bin/socat + filemode: '0644' + missing_file_pass: 'true' diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/correct.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/correct.pass.sh new file mode 100755 index 000000000000..adbd8f5a2a51 --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/correct.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binary with correct permissions (0000) +touch /usr/bin/socat +chmod 0000 /usr/bin/socat diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/missing_file.pass.sh b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/missing_file.pass.sh new file mode 100755 index 000000000000..fec7598c3c5c --- /dev/null 
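Review bot: `filepath: /usr/bin/socat` is a scalar here while the three sibling rules pass a list; the new `kubernetes.template` iterates `{{% for path in FILEPATH %}}`, and unless the template's preprocessing (not in this diff) wraps a string into a list, Jinja will iterate the string character by character and emit one `ExecStart` per character. Use the list form for consistency with the other rules: `filepath:` followed by `  - /usr/bin/socat`. The rationale carries the same over-claim as the ncat rule — a 0644 file remains readable and runnable via the dynamic loader — so "prevents these tools from being used" should be softened to "makes casual use harder".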
+++ b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/missing_file.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = multi_platform_all + +# Remove binary - should pass because missing_file_pass: true +rm -f /usr/bin/socat diff --git a/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/wrong_permissions.fail.sh b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/wrong_permissions.fail.sh new file mode 100755 index 000000000000..ddd1b0022a7a --- /dev/null +++ b/linux_os/guide/system/software/system-tools/file_permissions_socat_binaries/tests/wrong_permissions.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_all + +# Create binary with wrong permissions (0755) +touch /usr/bin/socat +chmod 0755 /usr/bin/socat diff --git a/products/rhcos4/profiles/default.profile b/products/rhcos4/profiles/default.profile index eb7e2a6898e7..978646827186 100644 --- a/products/rhcos4/profiles/default.profile +++ b/products/rhcos4/profiles/default.profile @@ -186,6 +186,10 @@ selections: - file_permissions_backup_etc_group - etc_system_fips_exists - package_net-snmp_removed + - file_permissions_at_binaries + - file_permissions_dnf_binaries + - file_permissions_nmap_ncat_binaries + - file_permissions_socat_binaries - package_fapolicyd_installed - audit_rules_for_ospp - sshd_enable_pam diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 7c9d4b0fba07..b7a343481342 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,7 +1,3 @@ -CCE-86483-5 -CCE-86484-3 -CCE-86492-6 -CCE-86494-2 CCE-86497-5 CCE-86498-3 CCE-86499-1 diff --git a/shared/templates/file_permissions/kubernetes.template b/shared/templates/file_permissions/kubernetes.template new file mode 100644 index 000000000000..ea696d84653e --- /dev/null +++ b/shared/templates/file_permissions/kubernetes.template 
@@ -0,0 +1,31 @@ +--- +# platform = multi_platform_rhcos +# reboot = true +# strategy = restrict +# complexity = low +# disruption = low +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: {{{ rule_id }}}-permissions.service + enabled: true + contents: | + [Unit] + Description=Set file permissions for {{{ rule_id }}} + DefaultDependencies=no + After=local-fs.target + + [Service] + Type=oneshot +{{% for path in FILEPATH %}} + ExecStart=/bin/bash -c 'test -e {{{ path }}} && chmod {{{ FILEMODE }}} {{{ path }}} || true' +{{% endfor %}} + RemainAfterExit=yes + + [Install] + WantedBy=basic.target diff --git a/shared/templates/file_permissions/template.yml b/shared/templates/file_permissions/template.yml index b57de6fbb63e..cc0f77299303 100644 --- a/shared/templates/file_permissions/template.yml +++ b/shared/templates/file_permissions/template.yml @@ -2,3 +2,4 @@ supported_languages: - ansible - bash - oval + - kubernetes
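Review bot: `ExecStart=/bin/bash -c 'test -e P && chmod M P || true'` swallows every chmod failure, so the unit always succeeds and the remediation is reported as applied even when nothing changed; on RHCOS, where `/usr` is an ostree deployment normally mounted read-only, `chmod` on `/usr/bin/*` is exactly the call likely to fail, leaving the rule failing after the reboot with no signal in the unit's status. Replace it with `ExecStart=/bin/bash -c '! test -e {{{ path }}} || chmod {{{ FILEMODE }}} {{{ path }}}'`, which still skips absent files but lets a real chmod error fail the unit where it is visible. A header comment should explain why this is an enabled systemd unit rather than a one-shot command: ostree upgrades deploy a fresh `/usr` and do not carry mode changes forward, so the modes must be reapplied on every boot. The loop also assumes `FILEPATH` is a list; the socat rule in this same change passes a scalar, which this template should either normalise or reject.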