From 11197bee5b7fe6aaf1d40cb0ac783c0aaa188403 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 14 Jan 2025 14:09:38 +0100
Subject: [PATCH 1/2] rhel9 stig: make rule syscl_user_max_user_namespaces not scored and informational
The rule can conflict with some services which use Systemd PrivateUsers feature, such as irqbalance. Therefore, we do not enforce the rule and it is kept there as informational only.
---
 products/rhel9/profiles/stig.profile | 3 +++
 tests/data/profile_stability/rhel9/stig.profile | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index 1ab6b2a6345..940f7bb9cd9 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -28,3 +28,6 @@ selections:
 - stig_rhel9:all
 # Following rules once had a prodtype incompatible with the rhel9 product
 - '!audit_rules_immutable_login_uids'
+# the following rule causes problems with irqbalance which is present in default RHEL 9 installation, therefore it is not enforced
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 8d280308a30..6933c220a8f 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -506,6 +506,8 @@ selections:
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
 - sysctl_user_max_user_namespaces
+- sysctl_user_max_user_namespaces.role=unscored
+- sysctl_user_max_user_namespaces.severity=info
 - usbguard_generate_policy
 - use_pam_wheel_for_su
 - wireless_disable_interfaces
From 21ef5b3d53eea885fc75a57e843edd8f529bd0d4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 14 Jan 2025 14:11:40 +0100
Subject: [PATCH 2/2] rhel9 stig_gui: add rule back, it stays informational and does no harm
---
 products/rhel9/profiles/stig_gui.profile | 4 ----
 tests/data/profile_stability/rhel9/stig_gui.profile | 3 +++
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/profiles/stig_gui.profile b/products/rhel9/profiles/stig_gui.profile
index 507cd07cb32..586e1d99bcb 100644
--- a/products/rhel9/profiles/stig_gui.profile
+++ b/products/rhel9/profiles/stig_gui.profile
@@ -43,9 +43,5 @@ selections:
 # RHEL-09-215025
 - '!package_nfs-utils_removed'
- # RHEL-09-213105
- # Limiting user namespaces cause issues with user apps, such as Firefox and Cheese
- # https://issues.redhat.com/browse/RHEL-10416
- - '!sysctl_user_max_user_namespaces'
 # locking of idle sessions is handled by screensaver when GUI is present, the following rule is therefore redundant
 - '!logind_session_timeout'
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index 872ec1fb054..a9ad1759c9d 100644
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -515,6 +515,9 @@ selections:
 - sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
+- sysctl_user_max_user_namespaces
+- sysctl_user_max_user_namespaces.role=unscored
+- sysctl_user_max_user_namespaces.severity=info
 - usbguard_generate_policy
 - use_pam_wheel_for_su
 - wireless_disable_interfaces
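Review bot: The new comment above the two `role=unscored`/`severity=info` overrides in products/rhel9/profiles/stig.profile names irqbalance but records neither the STIG control nor the mechanism, so whoever audits this deviation later has to go to git history for the reason the commit message gives (systemd PrivateUsers); the control ID is visible in the block the second patch removes from stig_gui.profile. Suggest `# RHEL-09-213105: services using systemd PrivateUsers= (e.g. irqbalance in a default RHEL 9 install) need user namespaces, so the rule stays selected but is unscored/informational`. Since the rule is still selected through stig_rhel9:all and only its role and severity change, it should still be evaluated and reported, so assessors comparing a scan against the STIG will presumably see the control as not met at info severity rather than as a documented exception; a tracker reference in the comment, if one exists, would make that defensible. The commit subject also misspells the rule as `syscl_user_max_user_namespaces`.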
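Review bot: Removing the four `-` lines from products/rhel9/profiles/stig_gui.profile also removes the only in-file record of why the GUI profile excluded sysctl_user_max_user_namespaces (RHEL-09-213105, Firefox and Cheese breakage, RHEL-10416), while the rule comes back through the parent profile, presumably with the unscored/info overrides the stability fixture in this patch shows. A one-line comment next to the surviving `# RHEL-09-215025` block would keep that context, e.g. `# RHEL-09-213105: sysctl_user_max_user_namespaces is inherited as unscored/info from stig.profile; enforcing it breaks Firefox and Cheese, see https://issues.redhat.com/browse/RHEL-10416`. The "does no harm" in the subject holds for scoring, but as far as I recall XCCDF role=unscored still evaluates the rule and OpenSCAP remediation still applies the fix of a failed rule (only role=unchecked skips evaluation), so a GUI host remediated from this profile could still get its user namespace limit lowered; worth confirming before relying on the override to protect desktop applications.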