scap-security-guide/SOURCES/scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch

From 44976b5fda0f34e78a0a0764add645212bd4e26d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 11:08:56 +0200
Subject: [PATCH 1/4] remove automated: yes for 1.1.6, rule is missing

---
 controls/cis_rhel7.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index 6a333693fb..7298158ad3 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -95,8 +95,7 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: yes
-#     rules:
+    automated: no # rule missing
 
   - id: 1.1.7
     title: Ensure noexec option set on /dev/shm partition (Automated)

From 4dcbe4b2d4a9c14527edd06e90809630877d97aa Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 11:21:20 +0200
Subject: [PATCH 2/4] add rule for 3.5.1.5 - firewalld default zone

---
 controls/cis_rhel7.yml                                        | 4 +++-
 .../ruleset_modifications/set_firewalld_default_zone/rule.yml | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index 7298158ad3..0f3cec2a83 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -1022,7 +1022,9 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: no # no exact rule is present
+    automated: yes
+    rules:
+    - set_firewalld_default_zone
 
   - id: 3.5.1.6
     title: Ensure network interfaces are assigned to appropriate zone (Manual)
diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
index 48de06c5bc..f4d78fb7a1 100644
--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 
 references:
     cis-csc: 11,14,3,9
+    cis@rhel7: 3.5.1.5
     cis@rhel8: 3.4.2.4
     cis@sle15: 3.5.1.5
     cjis: 5.10.1

From a13a796ee8c33ae98e93072bfc7ee15182bdfb5c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 11:45:52 +0200
Subject: [PATCH 3/4] partially cover 5.5.1.4

---
 controls/cis_rhel7.yml                                       | 5 ++++-
 .../account_disable_post_pw_expiration/rule.yml              | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index 0f3cec2a83..78ac34817f 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -1966,7 +1966,10 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: no # rule missing
+    automated: partially # we do not check /et/shadow
+    rules:
+    - account_disable_post_pw_expiration
+    - var_account_disable_post_pw_expiration=30
 
   - id: 5.5.1.5
     title: Ensure all users last password change date is in the past (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 310e234d43..a3d81cf73f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -34,7 +34,7 @@ identifiers:
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8
-    cis@rhel7: 5.4.1.4
+    cis@rhel7: 5.5.1.4
     cis@rhel8: 5.5.1.4
     cis@ubuntu2004: 5.4.1.4
     cjis: 5.6.2.1.1

From 31ecc1b5806e7bc14199904b0a4e4d7b027ef7c4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 12 Aug 2021 11:52:09 +0200
Subject: [PATCH 4/4] automate 6.2.5

---
 controls/cis_rhel7.yml                                        | 4 +++-
 .../account_expiration/account_unique_name/rule.yml           | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index 78ac34817f..672b96cbeb 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -2205,7 +2205,9 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: no # rule missing
+    automated: yes
+    rules:
+    - account_unique_name
 
   - id: 6.2.6
     title: Ensure no duplicate group names exist (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
index 484b3c4f90..5f6377f194 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel9: CCE-83628-8
 
 references:
+    cis@rhel7: 6.2.5
     cis@rhel8: 6.2.17
     cjis: 5.5.2
     disa: CCI-000770,CCI-000804
import scap-security-guide-0.1.57-3.el8 2021-08-24 22:41:12 +00:00			`From 44976b5fda0f34e78a0a0764add645212bd4e26d Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Thu, 12 Aug 2021 11:08:56 +0200`
			`Subject: [PATCH 1/4] remove automated: yes for 1.1.6, rule is missing`

			`---`
			`controls/cis_rhel7.yml \| 3 +--`
			`1 file changed, 1 insertion(+), 2 deletions(-)`

			`diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml`
			`index 6a333693fb..7298158ad3 100644`
			`--- a/controls/cis_rhel7.yml`
			`+++ b/controls/cis_rhel7.yml`
			`@@ -95,8 +95,7 @@ controls:`
			`levels:`
			`- l1_server`
			`- l1_workstation`
			`- automated: yes`
			`-# rules:`
			`+ automated: no # rule missing`

			`- id: 1.1.7`
			`title: Ensure noexec option set on /dev/shm partition (Automated)`

			`From 4dcbe4b2d4a9c14527edd06e90809630877d97aa Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Thu, 12 Aug 2021 11:21:20 +0200`
			`Subject: [PATCH 2/4] add rule for 3.5.1.5 - firewalld default zone`

			`---`
			`controls/cis_rhel7.yml \| 4 +++-`
			`.../ruleset_modifications/set_firewalld_default_zone/rule.yml \| 1 +`
			`2 files changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml`
			`index 7298158ad3..0f3cec2a83 100644`
			`--- a/controls/cis_rhel7.yml`
			`+++ b/controls/cis_rhel7.yml`
			`@@ -1022,7 +1022,9 @@ controls:`
			`levels:`
			`- l1_server`
			`- l1_workstation`
			`- automated: no # no exact rule is present`
			`+ automated: yes`
			`+ rules:`
			`+ - set_firewalld_default_zone`

			`- id: 3.5.1.6`
			`title: Ensure network interfaces are assigned to appropriate zone (Manual)`
			`diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml`
			`index 48de06c5bc..f4d78fb7a1 100644`
			`--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml`
			`+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml`
			`@@ -27,6 +27,7 @@ identifiers:`

			`references:`
			`cis-csc: 11,14,3,9`
			`+ cis@rhel7: 3.5.1.5`
			`cis@rhel8: 3.4.2.4`
			`cis@sle15: 3.5.1.5`
			`cjis: 5.10.1`

			`From a13a796ee8c33ae98e93072bfc7ee15182bdfb5c Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Thu, 12 Aug 2021 11:45:52 +0200`
			`Subject: [PATCH 3/4] partially cover 5.5.1.4`

			`---`
			`controls/cis_rhel7.yml \| 5 ++++-`
			`.../account_disable_post_pw_expiration/rule.yml \| 2 +-`
			`2 files changed, 5 insertions(+), 2 deletions(-)`

			`diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml`
			`index 0f3cec2a83..78ac34817f 100644`
			`--- a/controls/cis_rhel7.yml`
			`+++ b/controls/cis_rhel7.yml`
			`@@ -1966,7 +1966,10 @@ controls:`
			`levels:`
			`- l1_server`
			`- l1_workstation`
			`- automated: no # rule missing`
			`+ automated: partially # we do not check /et/shadow`
			`+ rules:`
			`+ - account_disable_post_pw_expiration`
			`+ - var_account_disable_post_pw_expiration=30`

			`- id: 5.5.1.5`
			`title: Ensure all users last password change date is in the past (Automated)`
			`diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml`
			`index 310e234d43..a3d81cf73f 100644`
			`--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml`
			`+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml`
			`@@ -34,7 +34,7 @@ identifiers:`

			`references:`
			`cis-csc: 1,12,13,14,15,16,18,3,5,7,8`
			`- cis@rhel7: 5.4.1.4`
			`+ cis@rhel7: 5.5.1.4`
			`cis@rhel8: 5.5.1.4`
			`cis@ubuntu2004: 5.4.1.4`
			`cjis: 5.6.2.1.1`

			`From 31ecc1b5806e7bc14199904b0a4e4d7b027ef7c4 Mon Sep 17 00:00:00 2001`
			`From: Vojtech Polasek <vpolasek@redhat.com>`
			`Date: Thu, 12 Aug 2021 11:52:09 +0200`
			`Subject: [PATCH 4/4] automate 6.2.5`

			`---`
			`controls/cis_rhel7.yml \| 4 +++-`
			`.../account_expiration/account_unique_name/rule.yml \| 1 +`
			`2 files changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml`
			`index 78ac34817f..672b96cbeb 100644`
			`--- a/controls/cis_rhel7.yml`
			`+++ b/controls/cis_rhel7.yml`
			`@@ -2205,7 +2205,9 @@ controls:`
			`levels:`
			`- l1_server`
			`- l1_workstation`
			`- automated: no # rule missing`
			`+ automated: yes`
			`+ rules:`
			`+ - account_unique_name`

			`- id: 6.2.6`
			`title: Ensure no duplicate group names exist (Automated)`
			`diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml`
			`index 484b3c4f90..5f6377f194 100644`
			`--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml`
			`+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/rule.yml`
			`@@ -20,6 +20,7 @@ identifiers:`
			`cce@rhel9: CCE-83628-8`

			`references:`
			`+ cis@rhel7: 6.2.5`
			`cis@rhel8: 6.2.17`
			`cjis: 5.5.2`
			`disa: CCI-000770,CCI-000804`