Ported more rules and profiles to RHEL9
Resolves: rhbz#1962564
This commit is contained in:
Matej Tyc
parent
449d853fce
commit
5f5226d27a
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,815 @@
|
|||
From b1ee8de3856252e2052bee8f5dd2aaaee5dcc95b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 11:33:52 +0200
|
||||
Subject: [PATCH 1/8] Enable update-related rules for RHEL9.
|
||||
|
||||
---
|
||||
.../software/updating/dnf-automatic_apply_updates/rule.yml | 2 +-
|
||||
.../software/updating/package_dnf-automatic_installed/rule.yml | 2 +-
|
||||
.../software/updating/timer_dnf-automatic_enabled/rule.yml | 2 +-
|
||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||||
index 8b0343a52ec..7a10f5dd9ed 100644
|
||||
--- a/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/dnf-automatic_apply_updates/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: Configure dnf-automatic to Install Available Updates Automatically
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||||
index 8b332b800c7..0bdace740b4 100644
|
||||
--- a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: 'Install dnf-automatic Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||||
index 1c51fe22471..07aa5c3575b 100644
|
||||
--- a/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/timer_dnf-automatic_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: Enable dnf-automatic Timer
|
||||
|
||||
|
||||
From 55bc57583158dc7c8080fdfd41b2c7ee4ddb677f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 11:45:02 +0200
|
||||
Subject: [PATCH 2/8] Enable AIDE rules for RHEL9.
|
||||
|
||||
The component hasn't changed observably wrt our rules.
|
||||
---
|
||||
.../certified-vendor/installed_OS_is_FIPS_certified/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_build_database/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_scan_notification/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_use_fips_hashes/rule.yml | 2 +-
|
||||
.../integrity/software-integrity/aide/aide_verify_acls/rule.yml | 2 +-
|
||||
.../software-integrity/aide/aide_verify_ext_attributes/rule.yml | 2 +-
|
||||
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
|
||||
index 07d55e58e55..012fe8f6edd 100644
|
||||
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
|
||||
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux8,ubuntu1604,ubuntu1804,ubuntu2004,wrlinux1019
|
||||
|
||||
title: 'The Installed Operating System Is FIPS 140-2 Certified'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||||
index 175c997d508..6c0ee2e4c7b 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: debian9,debian10,fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
+prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Build and Test AIDE Database'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||||
index 24d3f8e1c24..a73fb0a39ad 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,wrlinux1019
|
||||
|
||||
title: 'Configure Notification of Post-AIDE Scan Details'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
|
||||
index 1f86ed8a973..c982b8fde2e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||||
index 144c0645503..f527068022a 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Configure AIDE to Verify Access Control Lists (ACLs)'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||||
index b5bcd202dea..7961f3b5a67 100644
|
||||
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Configure AIDE to Verify Extended Attributes'
|
||||
|
||||
|
||||
From 5425108a0a88ba36b422ee2a1f672f301531c167 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 15:44:41 +0200
|
||||
Subject: [PATCH 3/8] Enabled package installed rules for RHEL9.
|
||||
|
||||
Packages are likely to exist in RHEL9.
|
||||
---
|
||||
.../disabling_xwindows/xwindows_remove_packages/rule.yml | 2 +-
|
||||
.../smart_card_login/install_smartcard_packages/rule.yml | 2 +-
|
||||
.../smart_card_login/package_opensc_installed/rule.yml | 2 +-
|
||||
.../system/auditing/package_audispd-plugins_installed/rule.yml | 2 +-
|
||||
.../package_policycoreutils-python-utils_installed/rule.yml | 2 +-
|
||||
.../system/selinux/package_policycoreutils_installed/rule.yml | 2 +-
|
||||
.../software/system-tools/package_rng-tools_installed/rule.yml | 2 +-
|
||||
7 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
index 2f9dfc1b039..031d63ba778 100644
|
||||
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Disable graphical user interface'
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||||
index 85260712c6f..652e9287759 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,rhel7,rhel8,sle12,sle15
|
||||
+prodtype: fedora,ol7,rhel7,rhel8,rhel9,sle12,sle15
|
||||
|
||||
title: 'Install Smart Card Packages For Multifactor Authentication'
|
||||
|
||||
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||||
index df01a282459..a55409d9e8f 100644
|
||||
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install the opensc Package For Multifactor Authentication'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||||
index 8ed5af7070a..6d96d340a33 100644
|
||||
--- a/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/package_audispd-plugins_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install audispd-plugins Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
index 6c23fae18ab..a18a57dcbb3 100644
|
||||
--- a/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/package_policycoreutils-python-utils_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8
|
||||
+prodtype: ol8,rhel8,rhel9
|
||||
|
||||
title: 'Install policycoreutils-python-utils package'
|
||||
|
||||
diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||||
index b9fcc6a889e..acce754e9d2 100644
|
||||
--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install policycoreutils Package'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||||
index 7d25f41fb98..f0ca76b6953 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4
|
||||
|
||||
title: 'Install rng-tools Package'
|
||||
|
||||
|
||||
From ef063898277b53e35db6f3b54604583c3512ff46 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 16:07:18 +0200
|
||||
Subject: [PATCH 4/8] Enabled service-related rules for RHEL9.
|
||||
|
||||
---
|
||||
linux_os/guide/services/base/service_kdump_disabled/rule.yml | 2 +-
|
||||
linux_os/guide/services/rng/service_rngd_enabled/rule.yml | 2 +-
|
||||
linux_os/guide/services/ssh/service_sshd_enabled/rule.yml | 2 +-
|
||||
.../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||||
index 8a12fd05711..1bb014b5993 100644
|
||||
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||||
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Disable KDump Kernel Crash Analyzer (kdump)'
|
||||
|
||||
diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||||
index 5d47b5d69b3..4f1e4d85197 100644
|
||||
--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||||
+++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable the Hardware RNG Entropy Gatherer Service'
|
||||
|
||||
diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||||
index 548750d0f61..a7aaa4f3f9c 100644
|
||||
--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||||
+++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'Enable the OpenSSH Service'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||||
index a2e1affd89d..baa8a448026 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,rhcos4,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Disable acquiring, saving, and processing core dumps'
|
||||
|
||||
|
||||
From ce273a6e9a50893d6cd2d623b74d30cba5c5ad8c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:13:54 +0200
|
||||
Subject: [PATCH 5/8] More various rules.
|
||||
|
||||
---
|
||||
.../files/dir_perms_world_writable_root_owned/rule.yml | 2 +-
|
||||
.../software/disk_partitioning/encrypt_partitions/rule.yml | 6 ++++--
|
||||
.../installed_OS_is_vendor_supported/rule.yml | 4 ++--
|
||||
.../crypto/configure_openssl_tls_crypto_policy/rule.yml | 2 +-
|
||||
.../rule.yml | 2 +-
|
||||
.../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
|
||||
.../updating/clean_components_post_updating/rule.yml | 2 +-
|
||||
7 files changed, 11 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||||
index 9714947ae47..0a4232cae38 100644
|
||||
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,wrlinux1019
|
||||
|
||||
title: 'Ensure All World-Writable Directories Are Owned by root user'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
index 7730800a0e8..ef544f33d48 100644
|
||||
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Encrypt Partitions'
|
||||
|
||||
@@ -37,8 +37,10 @@ description: |-
|
||||
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/ol8-install-basic.html#install-storage-network") }}}.
|
||||
{{% elif product in ["sle12", "sle15"] %}}
|
||||
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
|
||||
- {{% else %}}
|
||||
+ {{% elif product == "rhel7" %}}
|
||||
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
|
||||
+ {{% else %}}
|
||||
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
|
||||
{{% endif %}}
|
||||
|
||||
rationale: |-
|
||||
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||||
index ac76ba7c5a0..8a36d5691b7 100644
|
||||
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
|
||||
|
||||
title: 'The Installed Operating System Is Vendor Supported'
|
||||
|
||||
@@ -56,7 +56,7 @@ ocil_clause: 'the installed operating system is not supported'
|
||||
ocil: |-
|
||||
To verify that the installed operating system is supported, run
|
||||
the following command:
|
||||
-{{% if product in ["rhel7", "rhel8"] %}}
|
||||
+{{% if product.startswith("rhel") %}}
|
||||
<pre>$ grep -i "red hat" /etc/redhat-release</pre>
|
||||
{{% elif product in ["ol7", "ol8"] %}}
|
||||
<pre>$ grep -i "oracle" /etc/oracle-release</pre>
|
||||
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||||
index c4637d39fed..dfe105771cc 100644
|
||||
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||||
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_tls_crypto_policy/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8
|
||||
+prodtype: rhel8,rhel9
|
||||
|
||||
title: 'Configure OpenSSL library to use TLS Encryption'
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||||
index 4b01cb39e1a..930915327e0 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
title: 'The operating system must restrict privilege elevation to authorized personnel'
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,sle15
|
||||
|
||||
description: |-
|
||||
The sudo command allows a user to execute programs with elevated
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
index eede35be8a1..d17f33852db 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
||||
@@ -2,7 +2,7 @@ documentation_complete: true
|
||||
|
||||
title: 'Ensure invoking users password for privilege escalation when using sudo'
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9,sle15
|
||||
|
||||
description: |-
|
||||
The sudoers security policy requires that users authenticate themselves before they can use sudo.
|
||||
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||||
index 34723d0e2a5..d0289b311c6 100644
|
||||
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||||
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
|
||||
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
|
||||
|
||||
title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
|
||||
|
||||
|
||||
From 255ee86df41e9d5e8ee427ff28e214833796f156 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:15:51 +0200
|
||||
Subject: [PATCH 6/8] Enabled zIPL rules for RHEL9.
|
||||
|
||||
There are indications that zIPL will remain the default bootloader for x390, and the project is very conservative.
|
||||
---
|
||||
.../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 +-
|
||||
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
|
||||
.../guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 +-
|
||||
7 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
index c2fb5ba678c..987a42d31ec 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
index 6548c352acc..cfb8c08f31d 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
index c3f032d8cbb..b8b025f74f4 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Ensure all zIPL boot entries are BLS compliant'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
index 13192cd8ca5..c8133e19ab4 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Ensure zIPL bootmap is up to date'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
index 42c1c8aecd5..c626f6188cd 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable page allocator poisoning in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
index 2f9b04f7a27..d266165cddc 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
index f90a0fb4141..387f7f13850 100644
|
||||
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel8,rhcos4
|
||||
+prodtype: rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Disable vsyscalls in zIPL'
|
||||
|
||||
|
||||
From 807dbda2042184d6d2e602506e846bb3a19a775d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:40:30 +0200
|
||||
Subject: [PATCH 7/8] Enabled more audit rules for RHEL9.
|
||||
|
||||
Component maintainers have reported that there are no breaking changes in the audit configuration.
|
||||
---
|
||||
.../system/auditing/policy_rules/audit_access_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_access_success/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_basic_configuration/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_create_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_create_success/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_delete_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_delete_success/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_modify_failed/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_modify_success/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_module_load/rule.yml | 2 +-
|
||||
.../system/auditing/policy_rules/audit_ospp_general/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_owner_change_failed/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_owner_change_success/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_perm_change_failed/rule.yml | 2 +-
|
||||
.../auditing/policy_rules/audit_perm_change_success/rule.yml | 2 +-
|
||||
16 files changed, 16 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
index 458ac7e0ae6..a0d856b023b 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file accesses'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
index 064618716e8..6f79a5cf04a 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_access_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file accesses'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
index cce5e83fd6e..bd5d6455351 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_basic_configuration/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure basic parameters of Audit system'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||||
index 92800b472c7..b2f731d11ba 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file creations'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||||
index 59db7b10073..a03a7f3b715 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_create_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file creations'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||||
index 2f67a150dc5..d4bd88e6cfc 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file deletions'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||||
index f54899fb842..6c05a736e39 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file deletions'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
index 073f29c9fe6..34e9fc134e0 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure immutable Audit login UIDs'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||||
index 51f9d76f06d..2d0f7cf9da3 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful file modifications'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||||
index b51acc04dcb..28045878a69 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_modify_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful file modifications'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||||
index 20bfca83eee..d764e384ea2 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_module_load/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of loading and unloading of kernel modules'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
index fbf7473cc4c..0a41ece25fc 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Perform general configuration of Audit for OSPP'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||||
index b0052f8b645..a95c0146b11 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful ownership changes'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||||
index 3657a32fc3a..4133eb193f2 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_owner_change_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful ownership changes'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||||
index 477c74282d0..47f248a2b36 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_failed/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of unsuccessful permission changes'
|
||||
|
||||
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||||
index 53ecf9d589a..5017b17849b 100644
|
||||
--- a/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||||
+++ b/linux_os/guide/system/auditing/policy_rules/audit_perm_change_success/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8,rhcos4
|
||||
+prodtype: ol8,rhcos4,rhel8,rhel9
|
||||
|
||||
title: 'Configure auditing of successful permission changes'
|
||||
|
||||
|
||||
From 65b2fe65e7143d38f46f782d7e0d49738ad7dd76 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||
Date: Thu, 20 May 2021 17:46:00 +0200
|
||||
Subject: [PATCH 8/8] Enabled Grub cmdline rules for RHEL9.
|
||||
|
||||
Those rules are not very specific - they perform basic configuration of kernel parameters.
|
||||
---
|
||||
.../system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml | 2 +-
|
||||
.../guide/system/bootloader-grub2/grub2_pti_argument/rule.yml | 2 +-
|
||||
.../system/bootloader-grub2/grub2_vsyscall_argument/rule.yml | 2 +-
|
||||
.../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +-
|
||||
.../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
index 39f1bbe285c..03f56b8031d 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: ol8,rhel8
|
||||
+prodtype: ol8,rhel8,rhel9
|
||||
|
||||
title: 'Configure kernel to trust the CPU random number generator'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
index 1516972d72c..f186b1ae6e7 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol8,rhel8
|
||||
+prodtype: fedora,ol8,rhel8,rhel9
|
||||
|
||||
title: 'Enable Kernel Page-Table Isolation (KPTI)'
|
||||
|
||||
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
index 9ad81924ceb..0b5873c56a2 100644
|
||||
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Disable vsyscalls'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
index 820e4799f87..9b18bee588f 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Enable page allocator poisoning'
|
||||
|
||||
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
index 182a0cc507c..f6059044f14 100644
|
||||
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: fedora,ol7,ol8,rhel7,rhel8
|
||||
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhel9
|
||||
|
||||
title: 'Enable SLUB/SLAB allocator poisoning'
|
||||
|
||||
|
|
@ -0,0 +1,141 @@
|
|||
From a6bd844c52ccadae91ebcb7c252cf4a153522776 Mon Sep 17 00:00:00 2001
|
||||
From: Matej Tyc <matyc@redhat.com>
|
||||
Date: Wed, 30 Jun 2021 15:10:13 +0200
|
||||
Subject: [PATCH] Enable templates for RHEL9.
|
||||
|
||||
Concerned templates are low-level, underlying components are stable.
|
||||
---
|
||||
shared/templates/audit_rules_file_deletion_events/bash.template | 2 +-
|
||||
shared/templates/audit_rules_login_events/bash.template | 2 +-
|
||||
shared/templates/audit_rules_path_syscall/bash.template | 2 +-
|
||||
shared/templates/audit_rules_privileged_commands/bash.template | 2 +-
|
||||
.../audit_rules_unsuccessful_file_modification/bash.template | 2 +-
|
||||
shared/templates/grub2_bootloader_argument/bash.template | 2 +-
|
||||
shared/templates/kernel_module_disabled/ansible.template | 2 +-
|
||||
shared/templates/mount/anaconda.template | 2 +-
|
||||
shared/templates/mount_option/anaconda.template | 2 +-
|
||||
.../mount_option_removable_partitions/anaconda.template | 2 +-
|
||||
shared/templates/zipl_bls_entries_option/ansible.template | 2 +-
|
||||
shared/templates/zipl_bls_entries_option/bash.template | 2 +-
|
||||
12 files changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/audit_rules_file_deletion_events/bash.template b/shared/templates/audit_rules_file_deletion_events/bash.template
|
||||
index c387624cfb..851b0fd43e 100644
|
||||
--- a/shared/templates/audit_rules_file_deletion_events/bash.template
|
||||
+++ b/shared/templates/audit_rules_file_deletion_events/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_login_events/bash.template b/shared/templates/audit_rules_login_events/bash.template
|
||||
index 065e8bb288..69e8be9c50 100644
|
||||
--- a/shared/templates/audit_rules_login_events/bash.template
|
||||
+++ b/shared/templates/audit_rules_login_events/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_path_syscall/bash.template b/shared/templates/audit_rules_path_syscall/bash.template
|
||||
index c3d31aade9..656d168ddd 100644
|
||||
--- a/shared/templates/audit_rules_path_syscall/bash.template
|
||||
+++ b/shared/templates/audit_rules_path_syscall/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
|
||||
index 42e12671ac..85dbc9b828 100644
|
||||
--- a/shared/templates/audit_rules_privileged_commands/bash.template
|
||||
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
|
||||
index e89ac0749c..daf146f7eb 100644
|
||||
--- a/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
|
||||
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
# Include source function library.
|
||||
. /usr/share/scap-security-guide/remediation_functions
|
||||
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
index bac84526ee..965fe5bac0 100644
|
||||
--- a/shared/templates/grub2_bootloader_argument/bash.template
|
||||
+++ b/shared/templates/grub2_bootloader_argument/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
|
||||
{{% if product in ["rhel7", "ol7"] %}}
|
||||
{{% if '/' in ARG_NAME %}}
|
||||
diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
|
||||
index 72f7ae18bf..2526baf737 100644
|
||||
--- a/shared/templates/kernel_module_disabled/ansible.template
|
||||
+++ b/shared/templates/kernel_module_disabled/ansible.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||
# reboot = true
|
||||
# strategy = disable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/mount/anaconda.template b/shared/templates/mount/anaconda.template
|
||||
index 5093c926da..fdcb4ee3e8 100644
|
||||
--- a/shared/templates/mount/anaconda.template
|
||||
+++ b/shared/templates/mount/anaconda.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
# reboot = false
|
||||
# strategy = enable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/mount_option/anaconda.template b/shared/templates/mount_option/anaconda.template
|
||||
index 0a54865e12..083b0ef008 100644
|
||||
--- a/shared/templates/mount_option/anaconda.template
|
||||
+++ b/shared/templates/mount_option/anaconda.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
# reboot = false
|
||||
# strategy = enable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/mount_option_removable_partitions/anaconda.template b/shared/templates/mount_option_removable_partitions/anaconda.template
|
||||
index b4510ae804..8665fb913a 100644
|
||||
--- a/shared/templates/mount_option_removable_partitions/anaconda.template
|
||||
+++ b/shared/templates/mount_option_removable_partitions/anaconda.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
||||
# reboot = false
|
||||
# strategy = enable
|
||||
# complexity = low
|
||||
diff --git a/shared/templates/zipl_bls_entries_option/ansible.template b/shared/templates/zipl_bls_entries_option/ansible.template
|
||||
index 7e73d391de..336775e4f8 100644
|
||||
--- a/shared/templates/zipl_bls_entries_option/ansible.template
|
||||
+++ b/shared/templates/zipl_bls_entries_option/ansible.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
# reboot = true
|
||||
# strategy = configure
|
||||
# complexity = medium
|
||||
diff --git a/shared/templates/zipl_bls_entries_option/bash.template b/shared/templates/zipl_bls_entries_option/bash.template
|
||||
index 81bbb7884b..25cd7432c9 100644
|
||||
--- a/shared/templates/zipl_bls_entries_option/bash.template
|
||||
+++ b/shared/templates/zipl_bls_entries_option/bash.template
|
||||
@@ -1,4 +1,4 @@
|
||||
-# platform = Red Hat Enterprise Linux 8
|
||||
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||||
|
||||
# Correct BLS option using grubby, which is a thin wrapper around BLS operations
|
||||
grubby --update-kernel=ALL --args="{{{ ARG_NAME }}}={{{ ARG_VALUE }}}"
|
||||
|
|
@ -0,0 +1,206 @@
|
|||
From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Sun, 30 May 2021 19:16:11 +0100
|
||||
Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS
|
||||
|
||||
---
|
||||
.../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++
|
||||
.../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++
|
||||
rhel8/profiles/cis.profile | 2 +-
|
||||
3 files changed, 37 insertions(+), 1 deletion(-)
|
||||
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
new file mode 100644
|
||||
index 00000000000..5571c92a679
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -0,0 +1,20 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Ensure Sudo Logfile Exists - sudo logfile'
|
||||
+
|
||||
+description: |-
|
||||
+ A custom logfile can be configured for sudo with the logfile tag.
|
||||
+
|
||||
+rationale: |-
|
||||
+ A sudo log file simplifies auditing of sudo commands.
|
||||
+
|
||||
+severity: medium
|
||||
+
|
||||
+identifiers:
|
||||
+ cis@rhel8: 1.3.3
|
||||
+
|
||||
+template:
|
||||
+ name: sudo_defaults_option
|
||||
+ vars:
|
||||
+ option: logfile
|
||||
+ variable_name: var_sudo_logfile
|
||||
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
new file mode 100644
|
||||
index 00000000000..65b23b5f3c2
|
||||
--- /dev/null
|
||||
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
@@ -0,0 +1,16 @@
|
||||
+documentation_complete: true
|
||||
+
|
||||
+title: 'Sudo - logfile value'
|
||||
+
|
||||
+description: |-
|
||||
+ Specify the sudo logfile to use. The default value used here matches the example
|
||||
+ location from CIS, which uses /var/log/sudo.log.
|
||||
+
|
||||
+interactive: false
|
||||
+
|
||||
+type: string
|
||||
+
|
||||
+operator: equals
|
||||
+
|
||||
+options:
|
||||
+ default: "/var/log/sudo.log"
|
||||
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
|
||||
index ec9cbfa0a3d..411083d6e71 100644
|
||||
--- a/rhel8/profiles/cis.profile
|
||||
+++ b/rhel8/profiles/cis.profile
|
||||
@@ -132,7 +132,7 @@ selections:
|
||||
# NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220
|
||||
|
||||
### 1.3.3 Ensure sudo log file exists (Scored)
|
||||
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221
|
||||
+ - sudo_custom_logfile
|
||||
|
||||
## 1.4 Filesystem Integrity Checking
|
||||
|
||||
|
||||
From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Sun, 30 May 2021 20:46:58 +0100
|
||||
Subject: [PATCH 2/5] Update rule with OCIL parameters
|
||||
|
||||
---
|
||||
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index 5571c92a679..de0ecb98a76 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -8,11 +8,18 @@ description: |-
|
||||
rationale: |-
|
||||
A sudo log file simplifies auditing of sudo commands.
|
||||
|
||||
-severity: medium
|
||||
+severity: low
|
||||
|
||||
identifiers:
|
||||
cis@rhel8: 1.3.3
|
||||
|
||||
+ocil_clause: 'logfile is not enabled in sudo'
|
||||
+
|
||||
+ocil: |-
|
||||
+ To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
|
||||
+ <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||
+ The command should return a matching output.
|
||||
+
|
||||
template:
|
||||
name: sudo_defaults_option
|
||||
vars:
|
||||
|
||||
From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Mon, 31 May 2021 11:44:13 +0100
|
||||
Subject: [PATCH 3/5] Use references field for CIS rather than identifiers
|
||||
|
||||
---
|
||||
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index de0ecb98a76..afce7f1867c 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -10,7 +10,7 @@ rationale: |-
|
||||
|
||||
severity: low
|
||||
|
||||
-identifiers:
|
||||
+references:
|
||||
cis@rhel8: 1.3.3
|
||||
|
||||
ocil_clause: 'logfile is not enabled in sudo'
|
||||
|
||||
From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Tue, 1 Jun 2021 11:28:08 +0100
|
||||
Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule
|
||||
|
||||
---
|
||||
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
|
||||
shared/references/cce-redhat-avail.txt | 2 --
|
||||
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
index afce7f1867c..d08b7891293 100644
|
||||
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||
@@ -3,14 +3,21 @@ documentation_complete: true
|
||||
title: 'Ensure Sudo Logfile Exists - sudo logfile'
|
||||
|
||||
description: |-
|
||||
- A custom logfile can be configured for sudo with the logfile tag.
|
||||
+ A custom log sudo file can be configured with the 'logfile' tag. This rule configures
|
||||
+ a sudo custom logfile at the default location suggested by CIS, which uses
|
||||
+ /var/log/sudo.log.
|
||||
|
||||
rationale: |-
|
||||
A sudo log file simplifies auditing of sudo commands.
|
||||
|
||||
severity: low
|
||||
|
||||
+identifiers:
|
||||
+ cce@rhel7: CCE-83600-7
|
||||
+ cce@rhel8: CCE-83601-5
|
||||
+
|
||||
references:
|
||||
+ cis@rhel7: 5.2.3
|
||||
cis@rhel8: 1.3.3
|
||||
|
||||
ocil_clause: 'logfile is not enabled in sudo'
|
||||
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||
index ae54d0ee0b2..e74b6779509 100644
|
||||
--- a/shared/references/cce-redhat-avail.txt
|
||||
+++ b/shared/references/cce-redhat-avail.txt
|
||||
@@ -94,8 +94,6 @@ CCE-83594-2
|
||||
CCE-83595-9
|
||||
CCE-83596-7
|
||||
CCE-83599-1
|
||||
-CCE-83600-7
|
||||
-CCE-83601-5
|
||||
CCE-83606-4
|
||||
CCE-83608-0
|
||||
CCE-83609-8
|
||||
|
||||
From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Haydock <alex@alexhaydock.co.uk>
|
||||
Date: Tue, 1 Jun 2021 16:19:45 +0100
|
||||
Subject: [PATCH 5/5] Allow users to override sudo logfile location with
|
||||
tailoring
|
||||
|
||||
---
|
||||
linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
index 65b23b5f3c2..7c5d02d37eb 100644
|
||||
--- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
|
||||
@@ -6,7 +6,7 @@ description: |-
|
||||
Specify the sudo logfile to use. The default value used here matches the example
|
||||
location from CIS, which uses /var/log/sudo.log.
|
||||
|
||||
-interactive: false
|
||||
+interactive: true
|
||||
|
||||
type: string
|
||||
|
||||
|
|
@ -5,13 +5,18 @@
|
|||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.56
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
Patch1: scap-security-guide-0.1.57-build-system-pr-7025.patch
|
||||
Patch2: scap-security-guide-0.1.57-fix-build-scap-12-ds-pr-7049.patch
|
||||
Patch3: scap-security-guide-0.1.57-sudo_custom_logfile-PR_7058.patch
|
||||
Patch4: scap-security-guide-0.1.57-rhel9_rules_various-PR_7006.patch
|
||||
Patch5: scap-security-guide-0.1.57-rhel9_rules_various_2-PR_7040.patch
|
||||
Patch6: scap-security-guide-0.1.57-rhel9_profile_stubs-PR_7106.patch
|
||||
Patch7: scap-security-guide-0.1.57-rhel9_templates-PR_7182.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: libxslt
|
||||
|
|
@ -44,6 +49,8 @@ The %{name}-doc package contains HTML formatted documents containing
|
|||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
# Temporarily needed to apply the profile stub patch (identifiers were sorted)
|
||||
%global _default_patch_fuzz 1
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
|
|
@ -74,6 +81,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
|||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%changelog
|
||||
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
|
||||
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
|
||||
|
||||
* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
|
||||
- Upgrade to the latest upstream release
|
||||
- remove README.md and Contributors.md
|
||||
|
|
|
|||
Loading…
Reference in New Issue