Details
-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
4.14
-
No
-
False
-
Description
Description of problem:
The STIG profile is missing rules from CaC/content that fulfill requirements on the published STIG for OCP4.
List of rules missing in the profile:
- ocp4-oauth-or-oauthclient-token-maxage
- rhcos4-audit-delete-failed
- rhcos4-audit-immutable-login-uids
- rhcos4-audit-rules-privileged-commands-pt-chown
- rhcos4-audit-rules-privileged-commands-write
- rhcos4-audit-rules-unsuccessful-file-modification-rename
- rhcos4-audit-rules-unsuccessful-file-modification-renameat
- rhcos4-audit-rules-unsuccessful-file-modification-unlink
- rhcos4-audit-rules-unsuccessful-file-modification-unlinkat
- rhcos4-configure-usbguard-auditbackend
- rhcos4-coreos-audit-backlog-limit-kernel-argument
- rhcos4-kernel-module-usb-storage
- rhcos4-kernel-module-usb-storage-disabled
- rhcos4-package-usbguard-installed
- rhcos4-service-sshd-disabled
- rhcos4-service-usbguard-enabled
- rhcos4-usbguard-allow-hid-and-hub
Version-Release number of selected component (if applicable):
v1.3.1
How reproducible:
Always
Steps to Reproduce:
1. Install Compliance Operator
2. Create a SSB with auto-remediation using STIG profile
Actual results:
The cluster doesn't satisfy some of STIG's requirements for which automation already exists.
Expected results:
The cluster satisfies STIG requirements that can be remediated via automation.
Additional info:
Attachments
Issue Links
- is related to
-
CMP-2252 CNTR-OS-001010 - rule disable_SSHD_service is not included in the STIG profile
-
- Closed
-
- links to
-
RHBA-2024:129828
openshift-compliance-operator bug fix and/or enhancement update
- mentioned on
