diff --git a/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch b/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
new file mode 100644
index 0000000..c609d07
--- /dev/null
+++ b/scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch
@@ -0,0 +1,702 @@ +From 7901659fa169db8ac5ffd7c610a798c785a3556b Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 9 Jul 2021 14:41:03 +0200 +Subject: [PATCH 01/12] ensure that higher policy levels can override variables + of lower levels + +--- + ssg/controls.py | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 297d80e46c5..165cdf0511a 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -202,9 +202,16 @@ def get_all_controls_of_level(self, policy_id, level_id): + + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] +- for c in all_policy_controls: +- if len(level_ids.intersection(c.levels)) > 0: +- eligible_controls.append(c) ++ defined_variables = [] ++ # we will go level by level, from top to bottom ++ # this is done to enable overriding of variables by higher levels ++ for lv in level_ids: ++ for c in all_policy_controls: ++ if lv in c.levels: ++ # if the control has a variable, check if it is not already defined ++ if c.variables.keys().isdisjoint(defined_variables): ++ eligible_controls.append(c) ++ defined_variables += [*c.variables.keys()] + return eligible_controls + + def get_all_controls(self, policy_id): + +From 66e612a9668009cc553fcf1abbf2c9477155c0c2 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 14:02:25 +0200 +Subject: [PATCH 02/12] use ordered sets emulated by ordereddict + +because of compatibility with python2 +--- + ssg/controls.py | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 165cdf0511a..611a647e125 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -2,6 +2,7 @@ + import logging + import os + from glob import glob ++from collections import OrderedDict + + import ssg.build_yaml + import ssg.yaml +@@ -152,16 +153,18 @@ def get_level(self, level_id): + raise ValueError(msg) + + def 
get_level_with_ancestors(self, level_id): +- levels = set() ++ # use OrderedDict for Python2 compatibility instead of ordered set ++ levels = OrderedDict() + level = self.get_level(level_id) +- levels.add(level) ++ levels[level] = "" + if level.inherits_from: + for lv in level.inherits_from: +- levels.update(self.get_level_with_ancestors(lv)) ++ eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()] ++ for l in eligible_levels: ++ levels[l] = "" + return levels + + +- + class ControlsManager(): + def __init__(self, controls_dir, env_yaml=None): + self.controls_dir = os.path.abspath(controls_dir) +@@ -198,20 +201,24 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- level_ids = set([lv.id for lv in levels]) ++ # we use OrderedDict here with empty values instead of ordered set ++ # cause we want to be compatible with python 2 ++ level_ids = OrderedDict() ++ for lv in levels.keys(): ++ level_ids[lv.id] = "" + + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in level_ids: ++ for lv in level_ids.keys(): + for c in all_policy_controls: + if lv in c.levels: + # if the control has a variable, check if it is not already defined + if c.variables.keys().isdisjoint(defined_variables): + eligible_controls.append(c) +- defined_variables += [*c.variables.keys()] ++ defined_variables += list(c.variables.keys()) + return eligible_controls + + def get_all_controls(self, policy_id): + +From 95a23a31293a0a63361ddf1831866cd5ae1ab61e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 16:30:10 +0200 +Subject: [PATCH 03/12] rework handling of variables when returning all + controls of a level + +currently 
only the top most level variables are kept in the controls +if there is a control with lower level which has the same variable defined, it is deep copied and the variable definition is removed only from the resulting control +the original control stays in tact +--- + ssg/controls.py | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 611a647e125..4ebb8bda3d7 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -1,8 +1,8 @@ + import collections + import logging + import os ++import copy + from glob import glob +-from collections import OrderedDict + + import ssg.build_yaml + import ssg.yaml +@@ -154,7 +154,7 @@ def get_level(self, level_id): + + def get_level_with_ancestors(self, level_id): + # use OrderedDict for Python2 compatibility instead of ordered set +- levels = OrderedDict() ++ levels = collections.OrderedDict() + level = self.get_level(level_id) + levels[level] = "" + if level.inherits_from: +@@ -201,24 +201,39 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) ++ print ("getting levels of " + level_id) ++ print ([ l.id for l in levels.keys()]) + # we use OrderedDict here with empty values instead of ordered set + # cause we want to be compatible with python 2 +- level_ids = OrderedDict() ++ level_ids = collections.OrderedDict() + for lv in levels.keys(): + level_ids[lv.id] = "" +- ++ print (level_ids.keys()) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels + for lv in level_ids.keys(): ++ print ("going through level " +lv) + for c in all_policy_controls: ++ print (c.levels) + if lv in c.levels: + # if the control has a variable, check if it is not already 
defined +- if c.variables.keys().isdisjoint(defined_variables): ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) +- defined_variables += list(c.variables.keys()) ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) ++ eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From a2dd7e9386c757a523b57646bdc5a9ffa99f68c5 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 5 Aug 2021 16:31:25 +0200 +Subject: [PATCH 04/12] add tests for defining of variables + +--- + tests/unit/ssg-module/data/controls_dir/abcd-levels.yml | 6 ++++++ + tests/unit/ssg-module/test_controls.py | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index aded77c12a6..b98a7cd4e19 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -19,10 +19,14 @@ controls: + - id: S2 + levels: + - low ++ rules: ++ - var_password_pam_minlen=1 + + - id: S3 + levels: + - medium ++ rules: ++ - var_password_pam_minlen=2 + + - id: S4 + title: Configure authentication +@@ -36,3 +40,5 @@ controls: + title: Enforce password quality standards + levels: + - high ++ rules: ++ - var_password_pam_minlen=3 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index ff9b04f26c9..06fcb0c375d 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -87,6 +87,11 @@ def test_controls_levels(): + assert len(low_controls) == 4 + assert 
len(medium_controls) == 5 + ++ # test overriding of variables in levels ++ assert c_2.variables["var_password_pam_minlen"] == "1" ++ assert c_3.variables["var_password_pam_minlen"] == "2" ++ assert c_4b.variables["var_password_pam_minlen"] == "3" ++ + + def test_controls_load_product(): + ssg_root = \ + +From 82b90a9720dadab7d6060f0ccbcd902b1c097904 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 6 Aug 2021 09:30:47 +0200 +Subject: [PATCH 05/12] make overriding of variables optional + +--- + ssg/controls.py | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 4ebb8bda3d7..90639fbe4c7 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -198,42 +198,42 @@ def _get_policy(self, policy_id): + raise ValueError(msg) + return policy + +- def get_all_controls_of_level(self, policy_id, level_id): ++ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): ++ # if override_vars is enabled, then variables from higher levels will ++ # override variables efined in controls of lower levels + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- print ("getting levels of " + level_id) +- print ([ l.id for l in levels.keys()]) + # we use OrderedDict here with empty values instead of ordered set + # cause we want to be compatible with python 2 + level_ids = collections.OrderedDict() + for lv in levels.keys(): + level_ids[lv.id] = "" +- print (level_ids.keys()) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels + for lv in level_ids.keys(): +- print ("going through level " +lv) + for c in all_policy_controls: +- print (c.levels) + if lv in c.levels: +- # if the control has a variable, check if it is not already defined +- variables = 
list(c.variables.keys()) +- if len(variables) == 0: ++ if override_vars == False: + eligible_controls.append(c) +- for var in variables: +- if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) +- else: +- defined_variables.append(var) ++ else: ++ # if the control has a variable, check if it is not already defined ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) ++ eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From 47df80d086e96deb4eab88d5f813bffb380006a8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 12:38:42 +0200 +Subject: [PATCH 06/12] fix a typo + +--- + ssg/controls.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 90639fbe4c7..10a304bf8c2 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -200,7 +200,7 @@ def _get_policy(self, policy_id): + + def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): + # if override_vars is enabled, then variables from higher levels will +- # override variables efined in controls of lower levels ++ # override variables defined in controls of lower levels + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) + # we use OrderedDict here with empty values instead of ordered set + +From 
8e59037ed07aad33a55e8297ee5bce0f51c0dee6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 17:02:11 +0200 +Subject: [PATCH 07/12] update tests to check that overriding of variables + works + +--- + .../ssg-module/data/controls_dir/abcd-levels.yml | 4 +--- + tests/unit/ssg-module/test_controls.py | 16 ++++++++++++++-- + 2 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index b98a7cd4e19..99efafd832e 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -25,8 +25,6 @@ controls: + - id: S3 + levels: + - medium +- rules: +- - var_password_pam_minlen=2 + + - id: S4 + title: Configure authentication +@@ -41,4 +39,4 @@ controls: + levels: + - high + rules: +- - var_password_pam_minlen=3 ++ - var_password_pam_minlen=2 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index 06fcb0c375d..124b344d141 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -89,8 +89,20 @@ def test_controls_levels(): + + # test overriding of variables in levels + assert c_2.variables["var_password_pam_minlen"] == "1" +- assert c_3.variables["var_password_pam_minlen"] == "2" +- assert c_4b.variables["var_password_pam_minlen"] == "3" ++ assert "var_password_pam_minlen" not in c_3.variables.keys() ++ assert c_4b.variables["var_password_pam_minlen"] == "2" ++ ++ for c in low_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "1" ++ ++ for c in medium_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "1" ++ ++ for c in high_controls: ++ if "var_password_pam_minlen" in c.variables.keys(): ++ assert c.variables["var_password_pam_minlen"] == "2" + + 
+ def test_controls_load_product(): + +From dae4fc52a627eac6595bb73e3ffb1a0c50e78fdd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 11 Aug 2021 17:02:32 +0200 +Subject: [PATCH 08/12] make overriding of variables hardcoded when requesting + controls of a certain level + +--- + ssg/controls.py | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 10a304bf8c2..7923f0cb379 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -198,9 +198,7 @@ def _get_policy(self, policy_id): + raise ValueError(msg) + return policy + +- def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): +- # if override_vars is enabled, then variables from higher levels will +- # override variables defined in controls of lower levels ++ def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) + # we use OrderedDict here with empty values instead of ordered set +@@ -216,24 +214,22 @@ def get_all_controls_of_level(self, policy_id, level_id, override_vars=True): + for lv in level_ids.keys(): + for c in all_policy_controls: + if lv in c.levels: +- if override_vars == False: ++ # if the control has a variable, check if it is not already defined ++ variables = list(c.variables.keys()) ++ if len(variables) == 0: + eligible_controls.append(c) +- else: +- # if the control has a variable, check if it is not already defined +- variables = list(c.variables.keys()) +- if len(variables) == 0: ++ continue ++ for var in variables: ++ if var in defined_variables: ++ # if it is, create new instance of the control and remove the variable ++ # we are going from the top level to the bottom ++ # so we don't want to overwrite variables ++ new_c = copy.deepcopy(c) ++ del new_c.variables[var] ++ eligible_controls.append(new_c) ++ else: ++ defined_variables.append(var) + eligible_controls.append(c) +- 
for var in variables: +- if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) +- else: +- defined_variables.append(var) +- eligible_controls.append(c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From c051e11c70b7e23ce3d4a8e0670da4fae72833c6 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 15:30:39 +0200 +Subject: [PATCH 09/12] get rid of one ordereddict + +--- + ssg/controls.py | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 7923f0cb379..891b13c891c 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -201,19 +201,14 @@ def _get_policy(self, policy_id): + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) + levels = policy.get_level_with_ancestors(level_id) +- # we use OrderedDict here with empty values instead of ordered set +- # cause we want to be compatible with python 2 +- level_ids = collections.OrderedDict() +- for lv in levels.keys(): +- level_ids[lv.id] = "" + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] + defined_variables = [] + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in level_ids.keys(): ++ for lv in levels.keys(): + for c in all_policy_controls: +- if lv in c.levels: ++ if lv.id in c.levels: + # if the control has a variable, check if it is not already defined + variables = list(c.variables.keys()) + if len(variables) == 0: + +From 4dd5cb1326932cf020785a8c2472998eb2e7775e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 16:44:57 +0200 +Subject: [PATCH 10/12] fix overriding of variables + +when there were 
multiple variables overridden, it caused problems by creating multiple copies of controls +--- + ssg/controls.py | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 891b13c891c..8b69676313c 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -214,17 +214,19 @@ def get_all_controls_of_level(self, policy_id, level_id): + if len(variables) == 0: + eligible_controls.append(c) + continue ++ variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control + for var in variables: + if var in defined_variables: +- # if it is, create new instance of the control and remove the variable +- # we are going from the top level to the bottom +- # so we don't want to overwrite variables +- new_c = copy.deepcopy(c) +- del new_c.variables[var] +- eligible_controls.append(new_c) ++ variables_to_remove.append(var) + else: + defined_variables.append(var) +- eligible_controls.append(c) ++ if len(variables_to_remove) == 0: ++ eligible_controls.append(c) ++ else: ++ new_c = copy.deepcopy(c) ++ for var in variables_to_remove: ++ del new_c.variables[var] ++ eligible_controls.append(new_c) + return eligible_controls + + def get_all_controls(self, policy_id): + +From fbebba524cab090bc4c2f92b75257a7cc881ef5e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 12 Aug 2021 16:45:38 +0200 +Subject: [PATCH 11/12] extended tests to test for multiple overridden + variables + +--- + .../data/controls_dir/abcd-levels.yml | 2 ++ + tests/unit/ssg-module/test_controls.py | 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +index 99efafd832e..2e60ec43532 100644 +--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml ++++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml +@@ -21,6 +21,7 @@ controls: + - low + 
rules: + - var_password_pam_minlen=1 ++ - var_some_variable=1 + + - id: S3 + levels: +@@ -40,3 +41,4 @@ controls: + - high + rules: + - var_password_pam_minlen=2 ++ - var_some_variable=3 +diff --git a/tests/unit/ssg-module/test_controls.py b/tests/unit/ssg-module/test_controls.py +index 124b344d141..1465661b04a 100644 +--- a/tests/unit/ssg-module/test_controls.py ++++ b/tests/unit/ssg-module/test_controls.py +@@ -104,6 +104,25 @@ def test_controls_levels(): + if "var_password_pam_minlen" in c.variables.keys(): + assert c.variables["var_password_pam_minlen"] == "2" + ++ # now test if controls of lower level has the variable definition correctly removed ++ # because it is overriden by higher level controls ++ s2_high = [c for c in high_controls if c.id == "S2"] ++ assert len(s2_high) == 1 ++ assert "var_some_variable" not in s2_high[0].variables.keys() ++ assert "var_password_pam_minlen" not in s2_high[0].variables.keys() ++ s4b_high = [c for c in high_controls if c.id == "S4.b"] ++ assert len(s4b_high) == 1 ++ assert s4b_high[0].variables["var_some_variable"] == "3" ++ assert s4b_high[0].variables["var_password_pam_minlen"] == "2" ++ ++ # check that in low level the variable is correctly placed there in S2 ++ s2_low = [c for c in low_controls if c.id == "S2"] ++ assert len(s2_low) == 1 ++ assert s2_low[0].variables["var_some_variable"] == "1" ++ assert s2_low[0].variables["var_password_pam_minlen"] == "1" ++ ++ ++ + + def test_controls_load_product(): + ssg_root = \ + +From 369de6b8374084d9d607979b712285912dbb65aa Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Mon, 16 Aug 2021 10:39:22 +0200 +Subject: [PATCH 12/12] Style improvements + +- Renamed get_level_with_ancestors to get_level_with_ancestors_sequence, + and made it return a list - a dictionary result is quite confusing. +- Removed some optimization in the variable deletion loops. +- Extracted functionality to a _get_control_without_variables static + method. 
+- Defined variable removal steps using set operations. +--- + ssg/controls.py | 54 +++++++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 26 deletions(-) + +diff --git a/ssg/controls.py b/ssg/controls.py +index 8b69676313c..ca3187d5b16 100644 +--- a/ssg/controls.py ++++ b/ssg/controls.py +@@ -152,17 +152,17 @@ def get_level(self, level_id): + ) + raise ValueError(msg) + +- def get_level_with_ancestors(self, level_id): ++ def get_level_with_ancestors_sequence(self, level_id): + # use OrderedDict for Python2 compatibility instead of ordered set + levels = collections.OrderedDict() + level = self.get_level(level_id) + levels[level] = "" + if level.inherits_from: + for lv in level.inherits_from: +- eligible_levels = [l for l in self.get_level_with_ancestors(lv).keys() if l not in levels.keys()] ++ eligible_levels = [l for l in self.get_level_with_ancestors_sequence(lv) if l not in levels.keys()] + for l in eligible_levels: + levels[l] = "" +- return levels ++ return list(levels.keys()) + + + class ControlsManager(): +@@ -200,35 +200,37 @@ def _get_policy(self, policy_id): + + def get_all_controls_of_level(self, policy_id, level_id): + policy = self._get_policy(policy_id) +- levels = policy.get_level_with_ancestors(level_id) ++ levels = policy.get_level_with_ancestors_sequence(level_id) + all_policy_controls = self.get_all_controls(policy_id) + eligible_controls = [] +- defined_variables = [] ++ already_defined_variables = set() + # we will go level by level, from top to bottom + # this is done to enable overriding of variables by higher levels +- for lv in levels.keys(): +- for c in all_policy_controls: +- if lv.id in c.levels: +- # if the control has a variable, check if it is not already defined +- variables = list(c.variables.keys()) +- if len(variables) == 0: +- eligible_controls.append(c) +- continue +- variables_to_remove = [] # contains list of variables which are already defined and should be removed from the control +- for var 
in variables: +- if var in defined_variables: +- variables_to_remove.append(var) +- else: +- defined_variables.append(var) +- if len(variables_to_remove) == 0: +- eligible_controls.append(c) +- else: +- new_c = copy.deepcopy(c) +- for var in variables_to_remove: +- del new_c.variables[var] +- eligible_controls.append(new_c) ++ for lv in levels: ++ for control in all_policy_controls: ++ if lv.id not in control.levels: ++ continue ++ ++ variables = set(control.variables.keys()) ++ ++ variables_to_remove = variables.intersection(already_defined_variables) ++ already_defined_variables.update(variables) ++ ++ new_c = self._get_control_without_variables(variables_to_remove, control) ++ eligible_controls.append(new_c) ++ + return eligible_controls + ++ @staticmethod ++ def _get_control_without_variables(variables_to_remove, control): ++ if not variables_to_remove: ++ return control ++ ++ new_c = copy.deepcopy(control) ++ for var in variables_to_remove: ++ del new_c.variables[var] ++ return new_c ++ + def get_all_controls(self, policy_id): + policy = self._get_policy(policy_id) + return policy.controls_by_id.values() diff --git a/scap-security-guide-0.1.58-cis_def-PR_6976.patch b/scap-security-guide-0.1.58-cis_def-PR_6976.patch new file mode 100644 index 0000000..3082bf2 --- /dev/null +++ b/scap-security-guide-0.1.58-cis_def-PR_6976.patch 
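Review bot: In the final form of `get_all_controls_of_level` (PATCH 12/12), two controls of the same level that both define a variable are reconciled silently: the first one iterated keeps its value and the second is deep-copied with the variable deleted, with no log or error, so a conflicting `var_password_pam_minlen` inside one policy level would be masked instead of reported. Which control wins depends on the iteration order of `all_policy_controls`, i.e. `policy.controls_by_id.values()`; if that mapping is a plain dict, the outcome is not deterministic on the Python 2 interpreter the series explicitly keeps supporting. A minimal improvement is to report every removal right before the `_get_control_without_variables` call, `if variables_to_remove:` followed by `logging.warning("Control %s: variables %s overridden by a higher level", control.id, sorted(variables_to_remove))`, and to reject same-level duplicates by remembering which level first defined each variable. Separately, `get_level_with_ancestors_sequence` recurses into `inherits_from` before the `l not in levels.keys()` membership test runs, so an inheritance cycle in the controls YAML ends in a RecursionError rather than a readable validation error; threading a `seen` set through the recursion would catch it. Both methods would benefit from a docstring stating that the requested level comes first in the returned sequence and that its variable values therefore take precedence over those of inherited levels.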
@@ -0,0 +1,5333 @@ +From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 29 Jun 2021 14:37:28 +0100 +Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files + per-benchmark + +--- + products/rhel8/profiles/cis.profile | 1080 +---------------- + products/rhel8/profiles/cis_server_l1.profile | 22 + + .../rhel8/profiles/cis_workstation_l1.profile | 22 + + .../rhel8/profiles/cis_workstation_l2.profile | 22 + + 4 files changed, 72 insertions(+), 1074 deletions(-) + create mode 100644 products/rhel8/profiles/cis_server_l1.profile + create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile + create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile + +diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile +index c22ae86d076..4a00c24e0f7 100644 +--- a/products/rhel8/profiles/cis.profile ++++ b/products/rhel8/profiles/cis.profile +@@ -1,1090 +1,22 @@ + documentation_complete: true + + metadata: +- version: 1.0.0 ++ version: 1.0.1 + SMEs: + - vojtapolasek + - yuumasato + + reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +-title: 'CIS Red Hat Enterprise Linux 8 Benchmark' ++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server' + + description: |- +- This profile defines a baseline that aligns to the Center for Internet Security® +- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. ++ This profile defines a baseline that aligns to the "Level 2 - Server" ++ configuration from the Center for Internet Security® Red Hat Enterprise ++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19. + + This profile includes Center for Internet Security® + Red Hat Enterprise Linux 8 CIS Benchmarks™ content. 
+ + selections: +- # Necessary for dconf rules +- - dconf_db_up_to_date +- +- ### Partitioning +- - mount_option_home_nodev +- +- ## 1.1 Filesystem Configuration +- +- ### 1.1.1 Disable unused filesystems +- +- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) +- - kernel_module_cramfs_disabled +- +- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) +- +- +- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) +- - kernel_module_squashfs_disabled +- +- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) +- - kernel_module_udf_disabled +- +- ### 1.1.2 Ensure /tmp is configured (Scored) +- - partition_for_tmp +- +- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) +- - mount_option_tmp_nodev +- +- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) +- - mount_option_tmp_nosuid +- +- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) +- - mount_option_tmp_noexec +- +- ### 1.1.6 Ensure separate partition exists for /var (Scored) +- - partition_for_var +- +- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) +- - partition_for_var_tmp +- +- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) +- - mount_option_var_tmp_nodev +- +- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) +- - mount_option_var_tmp_nosuid +- +- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) +- - mount_option_var_tmp_noexec +- +- ### 1.1.11 Ensure separate partition exists for /var/log (Scored) +- - partition_for_var_log +- +- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) +- - partition_for_var_log_audit +- +- ### 1.1.13 Ensure separate partition exists for /home (Scored) +- - partition_for_home +- +- ### 1.1.14 Ensure nodev option set on /home partition (Scored) +- - mount_option_home_nodev +- +- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) +- - mount_option_dev_shm_nodev +- +- 
### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_nosuid
+-
+- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
+- - mount_option_dev_shm_noexec
+-
+- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
+- - mount_option_nodev_removable_partitions
+-
+- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
+- - mount_option_nosuid_removable_partitions
+-
+- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
+- - mount_option_noexec_removable_partitions
+-
+- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
+- - dir_perms_world_writable_sticky_bits
+-
+- ### 1.1.22 Disable Automounting (Scored)
+- - service_autofs_disabled
+-
+- ### 1.1.23 Disable USB Storage (Scored)
+- - kernel_module_usb-storage_disabled
+-
+- ## 1.2 Configure Software Updates
+-
+- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
+-
+- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
+- - service_rhnsd_disabled
+-
+- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
+- - ensure_redhat_gpgkey_installed
+-
+- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
+- - ensure_gpgcheck_globally_activated
+-
+- ### 1.2.5 Ensure package manager repositories are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
+-
+- ## 1.3 Configure sudo
+-
+- ### 1.3.1 Ensure sudo is installed (Scored)
+- - package_sudo_installed
+-
+- ### 1.3.2 Ensure sudo commands use pty (Scored)
+- - sudo_add_use_pty
+-
+- ### 1.3.3 Ensure sudo log file exists (Scored)
+- - sudo_custom_logfile
+-
+- ## 1.4 Filesystem Integrity Checking
+-
+- ### 1.4.1 Ensure AIDE is installed (Scored)
+- - package_aide_installed
+-
+- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
+- - aide_periodic_cron_checking
+-
+- ## Secure Boot Settings
+-
+- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
+- #### chown root:root /boot/grub2/grub.cfg
+- - file_owner_grub2_cfg
+- - file_groupowner_grub2_cfg
+-
+- #### chmod og-rwx /boot/grub2/grub.cfg
+- - file_permissions_grub2_cfg
+-
+- #### chown root:root /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- #### chmod og-rwx /boot/grub2/grubenv
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
+-
+- ### 1.5.2 Ensure bootloader password is set (Scored)
+- - grub2_password
+-
+- ### 1.5.3 Ensure authentication required for single user mode (Scored)
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+- - require_singleuser_auth
+-
+- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+- - require_emergency_target_auth
+-
+- ## 1.6 Additional Process Hardening
+-
+- ### 1.6.1 Ensure core dumps are restricted (Scored)
+- #### * hard core 0
+- - disable_users_coredumps
+-
+- #### fs.suid_dumpable = 0
+- - sysctl_fs_suid_dumpable
+-
+- #### ProcessSizeMax=0
+- - coredump_disable_backtraces
+-
+- #### Storage=none
+- - coredump_disable_storage
+-
+- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
+- - sysctl_kernel_randomize_va_space
+-
+- ## 1.7 Mandatory Access Control
+-
+- ### 1.7.1 Configure SELinux
+-
+- #### 1.7.1.1 Ensure SELinux is installed (Scored)
+- - package_libselinux_installed
+-
+- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
+- - grub2_enable_selinux
+-
+- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
+- - var_selinux_policy_name=targeted
+- - selinux_policytype
+-
+- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
+- - var_selinux_state=enforcing
+- - selinux_state
+-
+- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
+- - selinux_confinement_of_daemons
+-
+- #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
+- - package_setroubleshoot_removed
+-
+- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
+- - package_mcstrans_removed
+-
+- ## Warning Banners
+-
+- ### 1.8.1 Command Line Warning Baners
+-
+- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
+- - banner_etc_motd
+-
+- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
+- - banner_etc_issue
+-
+- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
+-
+- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
+- # chmod u-x,go-wx /etc/motd
+- - file_permissions_etc_motd
+-
+- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
+- # chmod u-x,go-wx /etc/issue
+- - file_permissions_etc_issue
+-
+- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
+- # Previously addressed via 'rpm_verify_permissions' rule
+-
+- ### 1.8.2 Ensure GDM login banner is configured (Scored)
+- #### banner-message-enable=true
+- - dconf_gnome_banner_enabled
+-
+- #### banner-message-text=''
+- - dconf_gnome_login_banner_text
+-
+- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
+- - security_patches_up_to_date
+-
+- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
+- - var_system_crypto_policy=future
+- - configure_crypto_policy
+-
+- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
+- # Previously addressed via 'configure_crypto_policy' rule
+-
+- # Services
+-
+- ## 2.1 inetd Services
+-
+- ### 2.1.1 Ensure xinetd is not installed (Scored)
+- - package_xinetd_removed
+-
+- ## 2.2 Special Purpose Services
+-
+- ### 2.2.1 Time Synchronization
+-
+- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
+- - package_chrony_installed
+-
+- #### 2.2.1.2 Ensure chrony is configured (Scored)
+- - service_chronyd_enabled
+- - chronyd_specify_remote_server
+- - chronyd_run_as_chrony_user
+-
+- ### 2.2.2 Ensure X Window System is not installed (Scored)
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
+-
+- ### 2.2.3 Ensure rsync service is not enabled (Scored)
+- - service_rsyncd_disabled
+-
+- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
+- - service_avahi-daemon_disabled
+-
+- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
+- - service_snmpd_disabled
+-
+- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
+- - package_squid_removed
+-
+- ### 2.2.7 Ensure Samba is not enabled (Scored)
+- - service_smb_disabled
+-
+- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
+- - service_dovecot_disabled
+-
+- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
+- - service_httpd_disabled
+-
+- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
+- - service_vsftpd_disabled
+-
+- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
+- - service_named_disabled
+-
+- ### 2.2.12 Ensure NFS is not enabled (Scored)
+- - service_nfs_disabled
+-
+- ### 2.2.13 Ensure RPC is not enabled (Scored)
+- - service_rpcbind_disabled
+-
+- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
+-
+- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
+- - service_dhcpd_disabled
+-
+- ### 2.2.16 Ensure CUPS is not enabled (Scored)
+- - service_cups_disabled
+-
+- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
+-
+- ### 2.2.18 Ensure mail transfer agent is configured for
+- ### local-only mode (Scored)
+- - postfix_network_listening_disabled
+-
+- ## 2.3 Service Clients
+-
+- ### 2.3.1 Ensure NIS Client is not installed (Scored)
+- - package_ypbind_removed
+-
+- ### 2.3.2 Ensure telnet client is not installed (Scored)
+- - package_telnet_removed
+-
+- ### Ensure LDAP client is not installed
+- - package_openldap-clients_removed
+-
+- # 3 Network Configuration
+-
+- ## 3.1 Network Parameters (Host Only)
+-
+- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
+- #### net.ipv4.ip_forward = 0
+- - sysctl_net_ipv4_ip_forward
+-
+- #### net.ipv6.conf.all.forwarding = 0
+- - sysctl_net_ipv6_conf_all_forwarding
+-
+- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
+- #### net.ipv4.conf.all.send_redirects = 0
+- - sysctl_net_ipv4_conf_all_send_redirects
+-
+- #### net.ipv4.conf.default.send_redirects = 0
+- - sysctl_net_ipv4_conf_default_send_redirects
+-
+- ## 3.2 Network Parameters (Host and Router)
+-
+- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_source_route = 0
+- - sysctl_net_ipv4_conf_all_accept_source_route
+-
+- #### net.ipv4.conf.default.accept_source_route = 0
+- - sysctl_net_ipv4_conf_default_accept_source_route
+-
+- #### net.ipv6.conf.all.accept_source_route = 0
+- - sysctl_net_ipv6_conf_all_accept_source_route
+-
+- #### net.ipv6.conf.default.accept_source_route = 0
+- - sysctl_net_ipv6_conf_default_accept_source_route
+-
+- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.accept_redirects = 0
+- - sysctl_net_ipv4_conf_all_accept_redirects
+-
+- #### net.ipv4.conf.default.accept_redirects
+- - sysctl_net_ipv4_conf_default_accept_redirects
+-
+- #### net.ipv6.conf.all.accept_redirects = 0
+- - sysctl_net_ipv6_conf_all_accept_redirects
+-
+- #### net.ipv6.conf.defaults.accept_redirects = 0
+- - sysctl_net_ipv6_conf_default_accept_redirects
+-
+- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
+- #### net.ipv4.conf.all.secure_redirects = 0
+- - sysctl_net_ipv4_conf_all_secure_redirects
+-
+- #### net.ipv4.cof.default.secure_redirects = 0
+- - sysctl_net_ipv4_conf_default_secure_redirects
+-
+- ### 3.2.4 Ensure suspicious packets are logged (Scored)
+- #### net.ipv4.conf.all.log_martians = 1
+- - sysctl_net_ipv4_conf_all_log_martians
+-
+- #### net.ipv4.conf.default.log_martians = 1
+- - sysctl_net_ipv4_conf_default_log_martians
+-
+- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
+- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+-
+- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
+- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+-
+- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
+- #### net.ipv4.conf.all.rp_filter = 1
+- - sysctl_net_ipv4_conf_all_rp_filter
+-
+- #### net.ipv4.conf.default.rp_filter = 1
+- - sysctl_net_ipv4_conf_default_rp_filter
+-
+- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
+- - sysctl_net_ipv4_tcp_syncookies
+-
+- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
+- #### net.ipv6.conf.all.accept_ra = 0
+- - sysctl_net_ipv6_conf_all_accept_ra
+-
+- #### net.ipv6.conf.default.accept_ra = 0
+- - sysctl_net_ipv6_conf_default_accept_ra
+-
+- ## 3.3 Uncommon Network Protocols
+-
+- ### 3.3.1 Ensure DCCP is disabled (Scored)
+- - kernel_module_dccp_disabled
+-
+- ### Ensure SCTP is disabled (Scored)
+- - kernel_module_sctp_disabled
+-
+- ### 3.3.3 Ensure RDS is disabled (Scored)
+- - kernel_module_rds_disabled
+-
+- ### 3.3.4 Ensure TIPC is disabled (Scored)
+- - kernel_module_tipc_disabled
+-
+- ## 3.4 Firewall Configuration
+-
+- ### 3.4.1 Ensure Firewall software is installed
+-
+- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
+- ##### firewalld
+- - package_firewalld_installed
+-
+- ##### nftables
+- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
+-
+- ##### iptables
+- #- package_iptables_installed
+-
+- ### 3.4.2 Configure firewalld
+-
+- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
+- - service_firewalld_enabled
+-
+- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
+-
+- #### 3.4.2.3 Ensure nftables is not enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
+-
+- #### 3.4.2.4 Ensure default zone is set (Scored)
+- - set_firewalld_default_zone
+-
+- #### 3.4.2.5 Ensure network interfaces are assigned to
+- #### appropriate zone (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
+-
+- #### 3.4.2.6 Ensure unnecessary services and ports are not
+- #### accepted (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
+-
+- ### 3.4.3 Configure nftables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
+-
+- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
+-
+- #### 3.4.3.2 Ensure a table exists (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
+-
+- #### 3.4.3.3 Ensure base chains exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
+-
+- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
+-
+- #### 3.4.3.5 Ensure outbound and established connections are
+- #### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
+-
+- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
+-
+- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
+-
+- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
+-
+- ### 3.4.4 Configure iptables
+-
+- #### 3.4.4.1 Configure IPv4 iptables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
+-
+- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
+-
+- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
+-
+- ##### 3.4.4.1.3 Ensure outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
+-
+- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
+-
+- #### 3.4.4.2 Configure IPv6 ip6tables
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
+-
+- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
+-
+- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
+-
+- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
+- ##### configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
+-
+- ## 3.5 Ensure wireless interfaces are disabled (Scored)
+- - wireless_disable_interfaces
+-
+- ## 3.6 Disable IPv6 (Not Scored)
+- - kernel_module_ipv6_option_disabled
+-
+- # Logging and Auditing
+-
+- ## 4.1 Configure System Accounting (auditd)
+-
+- ### 4.1.1 Ensure auditing is enabled
+-
+- #### 4.1.1.1 Ensure auditd is installed (Scored)
+- - package_audit_installed
+-
+- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
+- - service_auditd_enabled
+-
+- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
+- #### is enabled (Scored)
+- - grub2_audit_argument
+-
+- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
+- - grub2_audit_backlog_limit_argument
+-
+- ### 4.1.2 Configure Data Retention
+-
+- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
+- - auditd_data_retention_max_log_file
+-
+- #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
+- - auditd_data_retention_max_log_file_action
+-
+- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
+- - var_auditd_space_left_action=email
+- - auditd_data_retention_space_left_action
+-
+- ##### action_mail_acct = root
+- - var_auditd_action_mail_acct=root
+- - auditd_data_retention_action_mail_acct
+-
+- ##### admin_space_left_action = halt
+- - var_auditd_admin_space_left_action=halt
+- - auditd_data_retention_admin_space_left_action
+-
+- ### 4.1.3 Ensure changes to system administration scope
+- ### (sudoers) is collected (Scored)
+- - audit_rules_sysadmin_actions
+-
+- ### 4.1.4 Ensure login and logout events are collected (Scored)
+- - audit_rules_login_events_faillock
+- - audit_rules_login_events_lastlog
+-
+- ### 4.1.5 Ensure session initiation information is collected (Scored)
+- - audit_rules_session_events
+-
+- ### 4.1.6 Ensure events that modify date and time information
+- ### are collected (Scored)
+- #### adjtimex
+- - audit_rules_time_adjtimex
+-
+- #### settimeofday
+- - audit_rules_time_settimeofday
+-
+- #### stime
+- - audit_rules_time_stime
+-
+- #### clock_settime
+- - audit_rules_time_clock_settime
+-
+- #### -w /etc/localtime -p wa
+- - audit_rules_time_watch_localtime
+-
+- ### 4.1.7 Ensure events that modify the system's Mandatory
+- ### Access Control are collected (Scored)
+- #### -w /etc/selinux/ -p wa
+- - audit_rules_mac_modification
+-
+- #### -w /usr/share/selinux/ -p wa
+- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
+-
+- ### 4.1.8 Ensure events that modify the system's network
+- ### enironment are collected (Scored)
+- - audit_rules_networkconfig_modification
+-
+- ### 4.1.9 Ensure discretionary access control permission modification
+- ### events are collected (Scored)
+- - audit_rules_dac_modification_chmod
+- - audit_rules_dac_modification_fchmod
+- - audit_rules_dac_modification_fchmodat
+- - audit_rules_dac_modification_chown
+- - audit_rules_dac_modification_fchown
+- - audit_rules_dac_modification_fchownat
+- - audit_rules_dac_modification_lchown
+- - audit_rules_dac_modification_setxattr
+- - audit_rules_dac_modification_lsetxattr
+- - audit_rules_dac_modification_fsetxattr
+- - audit_rules_dac_modification_removexattr
+- - audit_rules_dac_modification_lremovexattr
+- - audit_rules_dac_modification_fremovexattr
+-
+- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
+- ### collected (Scored)
+- - audit_rules_unsuccessful_file_modification_creat
+- - audit_rules_unsuccessful_file_modification_open
+- - audit_rules_unsuccessful_file_modification_openat
+- - audit_rules_unsuccessful_file_modification_truncate
+- - audit_rules_unsuccessful_file_modification_ftruncate
+- # Opinionated selection
+- - audit_rules_unsuccessful_file_modification_open_by_handle_at
+-
+- ### 4.1.11 Ensure events that modify user/group information are
+- ### collected (Scored)
+- - audit_rules_usergroup_modification_passwd
+- - audit_rules_usergroup_modification_group
+- - audit_rules_usergroup_modification_gshadow
+- - audit_rules_usergroup_modification_shadow
+- - audit_rules_usergroup_modification_opasswd
+-
+- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
+- - audit_rules_media_export
+-
+- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
+- - audit_rules_privileged_commands
+-
+- ### 4.1.14 Ensure file deletion events by users are collected
+- ### (Scored)
+- - audit_rules_file_deletion_events_unlink
+- - audit_rules_file_deletion_events_unlinkat
+- - audit_rules_file_deletion_events_rename
+- - audit_rules_file_deletion_events_renameat
+- # Opinionated selection
+- - audit_rules_file_deletion_events_rmdir
+-
+- ### 4.1.15 Ensure kernel module loading and unloading is collected
+- ### (Scored)
+- - audit_rules_kernel_module_loading
+-
+- ### 4.1.16 Ensure system administrator actions (sudolog) are
+- ### collected (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
+-
+- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
+- - audit_rules_immutable
+-
+- ## 4.2 Configure Logging
+-
+- ### 4.2.1 Configure rsyslog
+-
+- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
+- - package_rsyslog_installed
+-
+- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
+- - service_rsyslog_enabled
+-
+- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
+- - rsyslog_files_permissions
+-
+- #### 4.2.1.4 Ensure logging is configured (Not Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
+-
+- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
+- #### log host (Scored)
+- - rsyslog_remote_loghost
+-
+- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
+- #### designated log hosts (Not Scored)
+- - rsyslog_nolisten
+-
+- ### 4.2.2 Configure journald
+-
+- #### 4.2.2.1 Ensure journald is configured to send logs to
+- #### rsyslog (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
+-
+- #### 4.2.2.2 Ensure journald is configured to compress large
+- #### log files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
+-
+-
+- #### 4.2.2.3 Ensure journald is configured to write logfiles to
+- #### persistent disk (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
+-
+- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
+-
+- ## 4.3 Ensure logrotate is configured (Not Scored)
+-
+- # 5 Access, Authentication and Authorization
+-
+- ## 5.1 Configure cron
+-
+- ### 5.1.1 Ensure cron daemon is enabled (Scored)
+- - service_crond_enabled
+-
+-
+- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
+- # chown root:root /etc/crontab
+- - file_owner_crontab
+- - file_groupowner_crontab
+- # chmod og-rwx /etc/crontab
+- - file_permissions_crontab
+-
+- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
+- # chown root:root /etc/cron.hourly
+- - file_owner_cron_hourly
+- - file_groupowner_cron_hourly
+- # chmod og-rwx /etc/cron.hourly
+- - file_permissions_cron_hourly
+-
+- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
+- # chown root:root /etc/cron.daily
+- - file_owner_cron_daily
+- - file_groupowner_cron_daily
+- # chmod og-rwx /etc/cron.daily
+- - file_permissions_cron_daily
+-
+- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
+- # chown root:root /etc/cron.weekly
+- - file_owner_cron_weekly
+- - file_groupowner_cron_weekly
+- # chmod og-rwx /etc/cron.weekly
+- - file_permissions_cron_weekly
+-
+- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
+- # chown root:root /etc/cron.monthly
+- - file_owner_cron_monthly
+- - file_groupowner_cron_monthly
+- # chmod og-rwx /etc/cron.monthly
+- - file_permissions_cron_monthly
+-
+- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
+- # chown root:root /etc/cron.d
+- - file_owner_cron_d
+- - file_groupowner_cron_d
+- # chmod og-rwx /etc/cron.d
+- - file_permissions_cron_d
+-
+- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
+-
+-
+- ## 5.2 SSH Server Configuration
+-
+- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
+- # chown root:root /etc/ssh/sshd_config
+- - file_owner_sshd_config
+- - file_groupowner_sshd_config
+-
+- # chmod og-rwx /etc/ssh/sshd_config
+- - file_permissions_sshd_config
+-
+- ### 5.2.2 Ensure SSH access is limited (Scored)
+-
+-
+- ### 5.2.3 Ensure permissions on SSH private host key files are
+- ### configured (Scored)
+- # TO DO: The rule sets to 640, but benchmark wants 600
+- - file_permissions_sshd_private_key
+- # TO DO: check owner of private keys in /etc/ssh is root:root
+-
+- ### 5.2.4 Ensure permissions on SSH public host key files are configured
+- ### (Scored)
+- - file_permissions_sshd_pub_key
+- # TO DO: check owner of pub keys in /etc/ssh is root:root
+-
+- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
+- - sshd_set_loglevel_info
+-
+- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
+- - sshd_disable_x11_forwarding
+-
+- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+- - sshd_max_auth_tries_value=4
+- - sshd_set_max_auth_tries
+-
+- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
+- - sshd_disable_rhosts
+-
+- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
+- - disable_host_auth
+-
+- ### 5.2.10 Ensure SSH root login is disabled (Scored)
+- - sshd_disable_root_login
+-
+- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+- - sshd_disable_empty_passwords
+-
+- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
+- - sshd_do_not_permit_user_env
+-
+- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
+- # ClientAliveInterval 300
+- - sshd_idle_timeout_value=5_minutes
+- - sshd_set_idle_timeout
+-
+- # ClientAliveCountMax 0
+- - var_sshd_set_keepalive=0
+- - sshd_set_keepalive_0
+-
+- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
+- ### or less (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
+-
+- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
+- - sshd_enable_warning_banner
+-
+- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
+-
+- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
+- - sshd_disable_tcp_forwarding
+-
+- ### 5.2.18 Ensure SSH MaxStartups is configured (Scored)
+- - sshd_set_maxstartups
+- - var_sshd_set_maxstartups=10:30:60
+-
+- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
+- - sshd_set_max_sessions
+- - var_sshd_max_sessions=4
+-
+- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
+- - configure_ssh_crypto_policy
+-
+- ## 5.3 Configure authselect
+-
+-
+- ### 5.3.1 Create custom authselectet profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
+-
+- ### 5.3.2 Select authselect profile (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
+-
+- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
+-
+- ## 5.4 Configure PAM
+-
+- ### 5.4.1 Ensure password creation requirements are configured (Scored)
+- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
+- - accounts_password_pam_retry
+- - var_password_pam_minlen=14
+- - accounts_password_pam_minlen
+- - var_password_pam_minclass=4
+- - accounts_password_pam_minclass
+-
+- ### 5.4.2 Ensure lockout for failed password attempts is
+- ### configured (Scored)
+- - var_accounts_passwords_pam_faillock_unlock_time=900
+- - var_accounts_passwords_pam_faillock_deny=5
+- - accounts_passwords_pam_faillock_unlock_time
+- - accounts_passwords_pam_faillock_deny
+-
+- ### 5.4.3 Ensure password reuse is limited (Scored)
+- - var_password_pam_unix_remember=5
+- - accounts_password_pam_unix_remember
+-
+- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
+- - set_password_hashing_algorithm_systemauth
+-
+- ## 5.5 User Accounts and Environment
+-
+- ### 5.5.1 Set Shadow Password Suite Parameters
+-
+- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
+- - var_accounts_maximum_age_login_defs=365
+- - accounts_maximum_age_login_defs
+-
+- #### 5.5.1.2 Ensure minimum days between password changes is 7
+- #### or more (Scored)
+- - var_accounts_minimum_age_login_defs=7
+- - accounts_minimum_age_login_defs
+-
+- #### 5.5.1.3 Ensure password expiration warning days is
+- #### 7 or more (Scored)
+- - var_accounts_password_warn_age_login_defs=7
+- - accounts_password_warn_age_login_defs
+-
+- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
+- # TODO: Rule doesn't check list of users
+- # https://github.com/ComplianceAsCode/content/issues/5536
+- - var_account_disable_post_pw_expiration=30
+- - account_disable_post_pw_expiration
+-
+- #### 5.5.1.5 Ensure all users last password change date is
+- #### in the past (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
+-
+- ### 5.5.2 Ensure system accounts are secured (Scored)
+- - no_shelllogin_for_systemaccounts
+-
+- ### 5.5.3 Ensure default user shell timeout is 900 seconds
+- ### or less (Scored)
+- - var_accounts_tmout=15_min
+- - accounts_tmout
+-
+- ### 5.5.4 Ensure default group for the root account is
+- ### GID 0 (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
+-
+- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
+- - var_accounts_user_umask=027
+- - accounts_umask_etc_bashrc
+- - accounts_umask_etc_profile
+-
+- ## 5.6 Ensure root login is restricted to system console (Not Scored)
+- - securetty_root_login_console_only
+- - no_direct_root_logins
+-
+- ## 5.7 Ensure access to the su command is restricted (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
+-
+- # System Maintenance
+-
+- ## 6.1 System File Permissions
+-
+- ### 6.1.1 Audit system file permissions (Not Scored)
+- - rpm_verify_permissions
+- - rpm_verify_ownership
+-
+- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
+- # chown root:root /etc/passwd
+- - file_owner_etc_passwd
+- - file_groupowner_etc_passwd
+-
+- # chmod 644 /etc/passwd
+- - file_permissions_etc_passwd
+-
+- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
+- # chown root:root /etc/shadow
+- - file_owner_etc_shadow
+- - file_groupowner_etc_shadow
+-
+- # chmod o-rwx,g-wx /etc/shadow
+- - file_permissions_etc_shadow
+-
+- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
+- # chown root:root /etc/group
+- - file_owner_etc_group
+- - file_groupowner_etc_group
+-
+- # chmod 644 /etc/group
+- - file_permissions_etc_group
+-
+- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
+- # chown root:root /etc/gshadow
+- - file_owner_etc_gshadow
+- - file_groupowner_etc_gshadow
+-
+- # chmod o-rwx,g-rw /etc/gshadow
+- - file_permissions_etc_gshadow
+-
+- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
+- # chown root:root /etc/passwd-
+- - file_owner_backup_etc_passwd
+- - file_groupowner_backup_etc_passwd
+-
+- # chmod 644 /etc/passwd-
+- - file_permissions_backup_etc_passwd
+-
+- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
+- # chown root:root /etc/shadow-
+- - file_owner_backup_etc_shadow
+- - file_groupowner_backup_etc_shadow
+-
+- # chmod 0000 /etc/shadow-
+- - file_permissions_backup_etc_shadow
+-
+- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
+- # chown root:root /etc/group-
+- - file_owner_backup_etc_group
+- - file_groupowner_backup_etc_group
+-
+- # chmod 644 /etc/group-
+- - file_permissions_backup_etc_group
+-
+- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
+- # chown root:root /etc/gshadow-
+- - file_owner_backup_etc_gshadow
+- - file_groupowner_backup_etc_gshadow
+-
+- # chmod 0000 /etc/gshadow-
+- - file_permissions_backup_etc_gshadow
+-
+- ### 6.1.10 Ensure no world writable files exist (Scored)
+- - file_permissions_unauthorized_world_writable
+-
+- ### 6.1.11 Ensure no unowned files or directories exist (Scored)
+- - no_files_unowned_by_user
+-
+- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
+- - file_permissions_ungroupowned
+-
+- ### 6.1.13 Audit SUID executables (Not Scored)
+- - file_permissions_unauthorized_suid
+-
+- ### 6.1.14 Audit SGID executables (Not Scored)
+- - file_permissions_unauthorized_sgid
+-
+- ## 6.2 User and Group Settings
+-
+- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+- - no_legacy_plus_entries_etc_passwd
+-
+- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+- - no_legacy_plus_entries_etc_shadow
+-
+- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
+- - no_legacy_plus_entries_etc_group
+-
+- ### 6.2.6 Ensure root is the only UID 0 account (Scored)
+- - accounts_no_uid_except_zero
+-
+- ### 6.2.7 Ensure users' home directories permissions are 750
+- ### or more restrictive (Scored)
+- - file_permissions_home_dirs
+-
+- ### 6.2.8 Ensure users own their home directories (Scored)
+- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
+- - file_groupownership_home_directories
+-
+- ### 6.2.9 Ensure users' dot files are not group or world
+- ### writable (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
+-
+- ### 6.2.10 Ensure no users have .forward files (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
+-
+- ### 6.2.11 Ensure no users have .netrc files (Scored)
+- - no_netrc_files
+-
+- ### 6.2.12 Ensure users' .netrc Files are not group or
+- ### world accessible (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
+-
+- ### 6.2.13 Ensure no users have .rhosts files (Scored)
+- - no_rsh_trust_files
+-
+- ### 6.2.14 Ensure all groups in /etc/passwd exist in
+- ### /etc/group (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
+-
+- ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
+-
+- ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
+-
+- ### 6.2.17 Ensure no duplicate user names exist (Scored)
+- - account_unique_name
+-
+- ### 6.2.18 Ensure no duplicate group names exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
+-
+- ### 6.2.19 Ensure shadow group is empty (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
+-
+- ### 6.2.20 Ensure all users' home directories exist (Scored)
+- - accounts_user_interactive_home_directory_exists
++ - cis_rhel8:all:l2_server
+diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile
+new file mode 100644
+index 00000000000..7b4518e15a5
+--- /dev/null
++++ b/products/rhel8/profiles/cis_server_l1.profile
+@@ -0,0 +1,22 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0.1
++ SMEs:
++ - vojtapolasek
++ - yuumasato
++
++reference: https://www.cisecurity.org/benchmark/red_hat_linux/
++
++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server'
++
++description: |-
++ This profile defines a baseline that aligns to the "Level 1 - Server"
++ configuration from the Center for Internet Security® Red Hat Enterprise
++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
++
++ This profile includes Center for Internet Security®
++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
++
++selections:
++ - cis_rhel8:all:l1_server
+diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile
+new file mode 100644
+index 00000000000..230e4c2f0ba
+--- /dev/null
++++ b/products/rhel8/profiles/cis_workstation_l1.profile
+@@ -0,0 +1,22 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0.1
++ SMEs:
++ - vojtapolasek
++ - yuumasato
++
++reference: https://www.cisecurity.org/benchmark/red_hat_linux/
++
++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation'
++
++description: |-
++ This profile defines a baseline that aligns to the "Level 1 - Workstation"
++ configuration from the Center for Internet Security® Red Hat Enterprise
++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
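Review bot: The new profile reduces to the single selector `- cis_rhel8:all:l1_server`, so none of the caveats the old rhel8 cis.profile kept beside its rule selections survive anywhere a profile reader would see them; the removed lines above carry, for example, `# TO DO: The rule sets to 640, but benchmark wants 600` on file_permissions_sshd_private_key and `# TODO: Rule doesn't check list of users` on account_disable_post_pw_expiration, both describing a scan that passes while the host is weaker than the benchmark requires. Whether those caveats were re-homed as `notes:` on the matching controls in controls/cis_rhel8.yml cannot be seen from this chunk. I would add a pointer above `selections:` so the next reader knows where the per-control state now lives: `# Rule selection, variable values and per-control caveats (unmapped or partially mapped CIS items) are maintained in controls/cis_rhel8.yml, not here`. The same remark applies to the other two profiles added in this commit.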
++
++ This profile includes Center for Internet Security®
++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
++
++selections:
++ - cis_rhel8:all:l1_workstation
+diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile
+new file mode 100644
+index 00000000000..c0d1698c2f0
+--- /dev/null
++++ b/products/rhel8/profiles/cis_workstation_l2.profile
+@@ -0,0 +1,22 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0.1
++ SMEs:
++ - vojtapolasek
++ - yuumasato
++
++reference: https://www.cisecurity.org/benchmark/red_hat_linux/
++
++title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation'
++
++description: |-
++ This profile defines a baseline that aligns to the "Level 2 - Workstation"
++ configuration from the Center for Internet Security® Red Hat Enterprise
++ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
++
++ This profile includes Center for Internet Security®
++ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
++
++selections:
++ - cis_rhel8:all:l2_workstation
+
+From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Thu, 1 Jul 2021 16:35:19 +0100
+Subject: [PATCH 02/55] Add CIS control file for RHEL 8
+
+---
+ controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 758 insertions(+)
+ create mode 100644 controls/cis_rhel8.yml
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+new file mode 100644
+index 00000000000..a84bb078e34
+--- /dev/null
++++ b/controls/cis_rhel8.yml
+@@ -0,0 +1,758 @@
++policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
++title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
++id: cis_rhel8
++version: '1.0.1'
++source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
++levels:
++ - id: l1_server
++ - id: l2_server
++ inherits_from:
++ - l1_server
++ - id: l1_workstation
++ - id: l2_workstation
++ inherits_from:
++ - l1_workstation
++
++controls:
++ - id: reload_dconf_db
++ title: Reload Dconf database
++ levels:
++ - l1_server
++ - l1_workstation
++ notes: <-
++ This is a helper rule to reload Dconf datbase correctly.
++ automated: yes ++ rules: ++ - dconf_db_up_to_date ++ ++ - id: 1.1.1.1 ++ title: Ensure mounting of cramfs filesystems is disabled (Automated) ++ levels: ++ - l1_workstation ++ - l1_server ++ automated: yes ++ rules: ++ - kernel_module_cramfs_disabled ++ ++ - id: 1.1.1.2 ++ title: Ensure mounting of vFAT filesystems is limited (Manual) ++ levels: ++ - l2_workstation ++ - l2_server ++ automated: no ++ related_rules: ++ - kernel_module_vfat_disabled ++ ++ - id: 1.1.1.3 ++ title: Ensure mounting of squashfs filesystems is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - kernel_module_squashfs_disabled ++ ++ - id: 1.1.1.4 ++ title: Ensure mounting of udf filesystems is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - kernel_module_udf_disabled ++ ++ - id: 1.1.2 ++ title: Ensure /tmp is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - partition_for_tmp ++ ++ - id: 1.1.3 ++ title: Ensure nodev option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_nodev ++ ++ - id: 1.1.4 ++ title: Ensure nosuid option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_nosuid ++ ++ - id: 1.1.5 ++ title: Ensure noexec option set on /tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_tmp_noexec ++ ++ - id: 1.1.6 ++ title: Ensure separate partition exists for /var (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var ++ ++ - id: 1.1.7 ++ title: Ensure separate partition exists for /var/tmp (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_tmp ++ ++ - id: 1.1.8 ++ title: Ensure nodev option set on 
/var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_nodev ++ ++ - id: 1.1.9 ++ title: Ensure nosuid option set on /var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_nosuid ++ ++ - id: 1.1.10 ++ title: Ensure noexec option set on /var/tmp partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_var_tmp_noexec ++ ++ - id: 1.1.11 ++ title: Ensure separate partition exists for /var/log (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_log ++ ++ - id: 1.1.12 ++ title: Ensure separate partition exists for /var/log/audit (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_var_log_audit ++ ++ - id: 1.1.13 ++ title: Ensure separate partition exists for /home (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - partition_for_home ++ ++ - id: 1.1.18 ++ title: Ensure nodev option set on /home partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_home_nodev ++ ++ - id: 1.1.15 ++ title: Ensure nodev option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_nodev ++ ++ - id: 1.1.16 ++ title: Ensure nosuid option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_nosuid ++ ++ - id: 1.1.17 ++ title: Ensure noexec option set on /dev/shm partition (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - mount_option_dev_shm_noexec ++ ++ - id: 1.1.18 ++ title: Ensure nodev option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: no ++ rules: ++ - mount_option_nodev_removable_partitions ++ ++ - id: 1.1.19 ++ title: Ensure nosuid option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - mount_option_nosuid_removable_partitions ++ ++ - id: 1.1.20 ++ title: Ensure noexec option set on removable media partitions (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ rules: ++ - mount_option_noexec_removable_partitions ++ ++ - id: 1.1.22 ++ title: Disable Automounting (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_autofs_disabled ++ ++ - id: 1.1.23 ++ title: Disable USB Storage (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_usb-storage_disabled ++ ++ - id: 1.2.1 ++ title: Ensure Red Hat Subscription Manager connection is configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.2.2 ++ title: Disable the rhnsd Daemon (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - service_rhnsd_disabled ++ ++ - id: 1.2.3 ++ title: Ensure GPG keys are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - ensure_redhat_gpgkey_installed ++ ++ - id: 1.2.4 ++ title: Ensure gpgcheck is globally activated (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - ensure_gpgcheck_globally_activated ++ ++ - id: 1.2.5 ++ title: Ensure package manager repositories are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.3.1 ++ title: Ensure sudo is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_sudo_installed ++ ++ - id: 1.3.2 ++ title: Ensure sudo commands use pty (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ 
automated: yes ++ rules: ++ - sudo_add_use_pty ++ ++ - id: 1.3.3 ++ title: Ensure sudo log file exists (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sudo_custom_logfile ++ ++ - id: 1.4.1 ++ title: Ensure AIDE is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_aide_installed ++ ++ - id: 1.4.2 ++ title: Ensure filesystem integrity is regularly checked (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - aide_periodic_cron_checking ++ ++ - id: 1.5.1 ++ title: Ensure permissions on bootloader config are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_owner_grub2_cfg ++ - file_groupowner_grub2_cfg ++ - file_permissions_grub2_cfg ++ ++ - id: 1.5.1 ++ title: Ensure bootloader password is set (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - grub2_password ++ ++ - id: 1.5.3 ++ title: Ensure authentication required for single user mode (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - require_singleuser_auth ++ - require_emergency_target_auth ++ ++ - id: 1.6.1 ++ title: Ensure core dumps are restricted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - disable_users_coredumps ++ - sysctl_fs_suid_dumpable ++ - coredump_disable_backtraces ++ - coredump_disable_storage ++ ++ - id: 1.6.2 ++ title: Ensure address space layout randomization (ASLR) is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_kernel_randomize_va_space ++ ++ - id: 1.7.1.1 ++ title: Ensure SELinux is installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_libselinux_installed ++ ++ - id: 1.7.1.1 ++ title: Ensure SELinux is installed (Automated) ++ levels: ++ - l2_server ++ - 
l2_workstation ++ automated: yes ++ rules: ++ - package_libselinux_installed ++ ++ - id: 1.7.1.2 ++ title: Ensure SELinux is not disabled in bootloader configuration (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_enable_selinux ++ ++ - id: 1.7.1.3 ++ title: Ensure SELinux policy is configured (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_selinux_policy_name=targeted ++ - selinux_policytype ++ ++ - id: 1.7.1.4 ++ title: Ensure the SELinux state is enforcing (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_selinux_state=enforcing ++ - selinux_state ++ ++ - id: 1.7.1.5 ++ title: Ensure no unconfined services exist (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - selinux_confinement_of_daemons ++ ++ - id: 1.7.1.6 ++ title: Ensure SETroubleshoot is not installed (Automated) ++ levels: ++ - l2_server ++ automated: yes ++ rules: ++ - package_setroubleshoot_removed ++ ++ - id: 1.7.1.7 ++ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_mcstrans_removed ++ ++ - id: 1.8.1.1 ++ title: Ensure message of the day is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - banner_etc_motd ++ ++ - id: 1.8.1.2 ++ title: Ensure local login warning banner is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - banner_etc_issue ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5225 ++ - id: 1.8.1.3 ++ title: Ensure remote login warning banner is configured properly (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 1.8.1.4 ++ title: Ensure permissions on /etc/motd are configured (Automated) ++ levels: ++ - 
l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_etc_motd ++ ++ - id: 1.8.1.5 ++ title: Ensure permissions on /etc/issue are configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - file_permissions_etc_issue ++ ++ - id: 1.8.2 ++ title: Ensure GDM login banner is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - dconf_gnome_banner_enabled ++ - dconf_gnome_login_banner_text ++ ++ - id: 1.9 ++ title: Ensure updates, patches, and additional security software are installed (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - security_patches_up_to_date ++ ++ - id: 1.10 ++ title: Ensure system-wide crypto policy is not legacy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - configure_crypto_policy ++ ++ # This rule works in conjunction with the configure_crypto_policy above. ++ # If a system is remediated to CIS Level 1, just the rule above will apply ++ # and will enforce the default value for var_system_crypto_policy (DEFAULT). ++ # If the system is remediated to Level 2 then this rule will be selected, ++ # and the value applied by the rule above will will be overridden to ++ # FUTURE through the var_system_crypto_policy variable. 
++ - id: 1.11 ++ title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - var_system_crypto_policy=future ++ ++ - id: 2.1.1 ++ title: Ensure xinetd is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_xinetd_removed ++ ++ - id: 2.2.1.1 ++ title: Ensure time synchronization is in use (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ related_rules: ++ - package_chrony_installed ++ ++ - id: 2.1.1 ++ title: Ensure chrony is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_chronyd_enabled ++ - chronyd_specify_remote_server ++ - chronyd_run_as_chrony_user ++ ++ - id: 2.2.2 ++ title: Ensure chrony is configured (Automated) ++ levels: ++ - l1_server ++ automated: yes ++ rules: ++ - package_xorg-x11-server-common_removed ++ - xwindows_runlevel_target ++ ++ - id: 2.2.3 ++ title: Ensure rsync service is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rsyncd_disabled ++ ++ - id: 2.2.4 ++ title: Ensure Avahi Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_avahi-daemon_disabled ++ ++ - id: 2.2.5 ++ title: Ensure SNMP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_snmpd_disabled ++ ++ - id: 2.2.6 ++ title: Ensure HTTP Proxy Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_squid_removed ++ ++ - id: 2.2.7 ++ title: Ensure Samba is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_smb_disabled ++ ++ - id: 2.2.8 ++ title: Ensure IMAP and POP3 server is not enabled (Automated) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: yes ++ rules: ++ - service_dovecot_disabled ++ ++ - id: 2.2.9 ++ title: Ensure HTTP server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_httpd_disabled ++ ++ - id: 2.2.10 ++ title: Ensure FTP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_vsftpd_disabled ++ ++ - id: 2.2.11 ++ title: Ensure DNS Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_named_disabled ++ ++ - id: 2.2.12 ++ title: Ensure NFS is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_nfs_disabled ++ ++ - id: 2.2.13 ++ title: Ensure RPC is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_rpcbind_disabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5231 ++ - id: 2.2.14 ++ title: Ensure RPC is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 2.2.15 ++ title: Ensure DHCP Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_dhcpd_disabled ++ ++ - id: 2.2.16 ++ title: Ensure CUPS is not enabled (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_cups_disabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5232 ++ - id: 2.2.17 ++ title: Ensure NIS Server is not enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 2.2.18 ++ title: Ensure mail transfer agent is configured for local-only mode (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - postfix_network_listening_disabled ++ ++ - id: 2.3.1 ++ title: Ensure NIS Client is not installed (Automated) 
++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_ypbind_removed ++ ++ - id: 2.3.2 ++ title: Ensure telnet client is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_telnet_removed ++ ++ - id: 2.3.3 ++ title: Ensure LDAP client is not installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_openldap-clients_removed + +From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 2 Jul 2021 20:47:49 +0100 +Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file + +--- + controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 726 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a84bb078e34..b63dc6cf9e1 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -712,8 +712,8 @@ controls: + rules: + - service_cups_disabled + +- # NEEDS RULE +- # https://github.com/ComplianceAsCode/content/issues/5232 ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5232 + - id: 2.2.17 + title: Ensure NIS Server is not enabled (Automated) + levels: +@@ -756,3 +756,727 @@ controls: + automated: yes + rules: + - package_openldap-clients_removed ++ ++ - id: 3.1.1 ++ title: Ensure IP forwarding is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv6_conf_all_forwarding ++ ++ - id: 3.1.2 ++ title: Ensure packet redirect sending is disabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects ++ ++ - id: 3.2.1 ++ title: Ensure source routed packets are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - 
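Review bot: Several control ids in the new `controls/cis_rhel8.yml` are duplicated or mis-numbered, which would make any id-based lookup of these controls ambiguous: `1.1.18` is assigned both to the /home nodev control (the entry following 1.1.13) and to the removable-media nodev control, `1.5.1` is used for both the bootloader-permissions and the bootloader-password controls, `1.7.1.1` appears twice verbatim, and `2.1.1` is reused for the chrony control placed after 2.2.1.1. Two titles also look copy-pasted: `2.2.2` is titled `Ensure chrony is configured` although its rules remove the X Window server, and `2.2.14` repeats the `Ensure RPC is not enabled` title of 2.2.13 while carrying no rule. The `reload_dconf_db` entry uses `notes: <-`, which is not a YAML block-scalar indicator (`|-` or `>-`), so the note is parsed as a plain scalar beginning with `<-`; `datbase` in that note is a typo. The same duplicate-id pattern recurs with `3.2.8` in the following patch's second hunk, which extends past this excerpt.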
sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ ++ - id: 3.2.2 ++ title: Ensure ICMP redirects are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ ++ - id: 3.2.3 ++ title: Ensure secure ICMP redirects are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ ++ - id: 3.2.4 ++ title: Ensure suspicious packets are logged (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians ++ ++ - id: 3.2.5 ++ title: Ensure broadcast ICMP requests are ignored (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ ++ - id: 3.2.6 ++ title: Ensure bogus ICMP responses are ignored (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ ++ - id: 3.2.7 ++ title: Ensure Reverse Path Filtering is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_default_rp_filter ++ ++ - id: 3.2.8 ++ title: Ensure TCP SYN Cookies is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ - id: 3.2.8 ++ title: Ensure TCP SYN Cookies is enabled (Automated) ++ levels: ++ - l1_server ++ - 
l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv4_tcp_syncookies ++ ++ - id: 3.2.9 ++ title: Ensure IPv6 router advertisements are not accepted (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra ++ ++ - id: 3.3.1 ++ title: Ensure DCCP is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_dccp_disabled ++ ++ - id: 3.3.2 ++ title: Ensure SCTP is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_sctp_disabled ++ ++ - id: 3.3.3 ++ title: Ensure RDS is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_rds_disabled ++ ++ - id: 3.3.4 ++ title: Ensure TIPC is disabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_tipc_disabled ++ ++ # NEEDS RULE ++ # This rule is currently quite opinionated and expects firewalld ++ # as the installed firewall package. But, as per the CIS control, ++ # this rule should also be satisfied by nftables or iptables. 
++ - id: 3.4.1.1 ++ title: Ensure a Firewall package is installed (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - package_firewalld_installed ++ ++ - id: 3.4.2.1 ++ title: Ensure firewalld service is enabled and running (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - service_firewalld_enabled ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5238 ++ - id: 3.4.2.2 ++ title: Ensure iptables service is not enabled with firewalld (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5239 ++ - id: 3.4.2.3 ++ title: Ensure nftables is not enabled with firewalld (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.2.4 ++ title: Ensure firewalld default zone is set (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: yes ++ rules: ++ - set_firewalld_default_zone ++ ++ - id: 3.4.2.5 ++ title: Ensure network interfaces are assigned to appropriate zone (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.2.6 ++ title: Ensure firewalld drops unnecessary services and ports (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.3.1 ++ title: Ensure iptables are flushed with nftables (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5244 ++ - id: 3.4.3.2 ++ title: Ensure an nftables table exists (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5245 ++ - id: 3.4.3.3 ++ title: Ensure nftables base chains exist (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5246 
++ - id: 3.4.3.4 ++ title: Ensure nftables loopback traffic is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.3.5 ++ title: Ensure nftables outbound and established connections are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5248 ++ - id: 3.4.3.6 ++ title: Ensure nftables default deny firewall policy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5249 ++ - id: 3.4.3.7 ++ title: Ensure nftables service is enabled (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5250 ++ - id: 3.4.3.8 ++ title: Ensure nftables rules are permanent (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5252 ++ - id: 3.4.4.1.1 ++ title: Ensure iptables default deny firewall policy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5253 ++ - id: 3.4.4.1.2 ++ title: Ensure iptables loopback traffic is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.4.1.3 ++ title: Ensure iptables outbound and established connections are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5255 ++ - id: 3.4.4.1.4 ++ title: Ensure iptables firewall rules exist for all open ports (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7190 ++ - id: 3.4.4.1.5 ++ title: Ensure iptables is enabled and active 
(Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5257 ++ - id: 3.4.4.2.1 ++ title: Ensure ip6tables default deny firewall policy (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5258 ++ - id: 3.4.4.2.2 ++ title: Ensure ip6tables loopback traffic is configured (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.4.4.2.3 ++ title: Ensure ip6tables outbound and established connections are configured (Manual) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7191 ++ - id: 3.4.4.2.4 ++ title: Ensure ip6tables firewall rules exist for all open ports (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7192 ++ - id: 3.4.4.2.5 ++ title: Ensure ip6tables is enabled and active (Automated) ++ levels: ++ - l1_server ++ - l1_workstation ++ automated: no ++ ++ - id: 3.5 ++ title: Ensure wireless interfaces are disabled (Automated) ++ levels: ++ - l1_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - wireless_disable_interfaces ++ ++ - id: 3.6 ++ title: Disable IPv6 (Manual) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - kernel_module_ipv6_option_disabled ++ ++ - id: 4.1.1.1 ++ title: Ensure auditd is installed (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - package_audit_installed ++ ++ - id: 4.1.1.2 ++ title: Ensure auditd service is enabled (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - service_auditd_enabled ++ ++ - id: 4.1.1.3 ++ title: Ensure auditing for processes that start prior to auditd is enabled (Automated) ++ levels: ++ - 
l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_audit_argument ++ ++ - id: 4.1.1.4 ++ title: Ensure audit_backlog_limit is sufficient (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - grub2_audit_backlog_limit_argument ++ ++ - id: 4.1.2.1 ++ title: Ensure audit log storage size is configured (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - auditd_data_retention_max_log_file ++ ++ - id: 4.1.2.2 ++ title: Ensure audit logs are not automatically deleted (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - auditd_data_retention_max_log_file_action ++ ++ - id: 4.1.2.3 ++ title: Ensure system is disabled when audit logs are full (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - auditd_data_retention_action_mail_acct ++ - auditd_data_retention_admin_space_left_action ++ - auditd_data_retention_space_left_action ++ - var_auditd_action_mail_acct=root ++ - var_auditd_admin_space_left_action=halt ++ - var_auditd_space_left_action=email ++ ++ - id: 4.1.3 ++ title: Ensure changes to system administration scope (sudoers) is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_sysadmin_actions ++ ++ - id: 4.1.4 ++ title: Ensure login and logout events are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_login_events_faillock ++ - audit_rules_login_events_lastlog ++ ++ - id: 4.1.5 ++ title: Ensure session initiation information is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_session_events ++ ++ - id: 4.1.6 ++ title: Ensure events that modify date and time information are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_time_adjtimex ++ - 
audit_rules_time_clock_settime ++ - audit_rules_time_settimeofday ++ - audit_rules_time_stime ++ - audit_rules_time_watch_localtime ++ ++ # NEEDS RULE ++ # -w /usr/share/selinux/ -p wa ++ # https://github.com/ComplianceAsCode/content/issues/5264 ++ - id: 4.1.7 ++ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_mac_modification ++ ++ - id: 4.1.8 ++ title: Ensure events that modify the system's network environment are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_networkconfig_modification ++ ++ - id: 4.1.9 ++ title: Ensure discretionary access control permission modification events are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_dac_modification_chmod ++ - audit_rules_dac_modification_chown ++ - audit_rules_dac_modification_fchmod ++ - audit_rules_dac_modification_fchmodat ++ - audit_rules_dac_modification_fchown ++ - audit_rules_dac_modification_fchownat ++ - audit_rules_dac_modification_fremovexattr ++ - audit_rules_dac_modification_fsetxattr ++ - audit_rules_dac_modification_lchown ++ - audit_rules_dac_modification_lremovexattr ++ - audit_rules_dac_modification_lsetxattr ++ - audit_rules_dac_modification_removexattr ++ - audit_rules_dac_modification_setxattr ++ ++ - id: 4.1.10 ++ title: Ensure unsuccessful unauthorized file access attempts are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_ftruncate ++ - audit_rules_unsuccessful_file_modification_open ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_truncate ++ # Opinionated selection ++ - 
audit_rules_unsuccessful_file_modification_open_by_handle_at ++ ++ - id: 4.1.11 ++ title: Ensure events that modify user/group information are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_shadow ++ ++ - id: 4.1.12 ++ title: Ensure successful file system mounts are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_media_export ++ ++ - id: 4.1.13 ++ title: Ensure use of privileged commands is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_privileged_commands ++ ++ - id: 4.1.14 ++ title: Ensure file deletion events by users are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_file_deletion_events_rename ++ - audit_rules_file_deletion_events_renameat ++ - audit_rules_file_deletion_events_unlink ++ - audit_rules_file_deletion_events_unlinkat ++ # Opinionated selection ++ - audit_rules_file_deletion_events_rmdir ++ ++ - id: 4.1.15 ++ title: Ensure kernel module loading and unloading is collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_kernel_module_loading ++ ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/5516 ++ - id: 4.1.16 ++ title: Ensure system administrator actions (sudolog) are collected (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: no ++ ++ - id: 4.1.17 ++ title: Ensure the audit configuration is immutable (Automated) ++ levels: ++ - l2_server ++ - l2_workstation ++ automated: yes ++ rules: ++ - audit_rules_immutable ++ ++ - id: 4.2.1.1 ++ title: Ensure rsyslog is installed (Automated) 
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - package_rsyslog_installed
++
++ - id: 4.2.1.2
++ title: Ensure rsyslog Service is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - service_rsyslog_enabled
++
++ - id: 4.2.1.3
++ title: Ensure rsyslog default file permissions configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - rsyslog_files_permissions
++
++ - id: 4.2.1.4
++ title: Ensure logging is configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 4.2.1.5
++ title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - rsyslog_remote_loghost
++
++ - id: 4.2.1.6
++ title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ related_rules:
++ - rsyslog_nolisten
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5520
++ - id: 4.2.2.1
++ title: Ensure journald is configured to send logs to rsyslog (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5521
++ - id: 4.2.2.2
++ title: Ensure journald is configured to compress large log files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5522
++ - id: 4.2.2.3
++ title: Ensure journald is configured to write logfiles to persistent disk (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5523
++ - id: 4.2.3
++ title: Ensure permissions on all logfiles are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ -
id: 4.3
++ title: Ensure logrotate is configured (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
+
+From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Sat, 3 Jul 2021 12:08:31 +0100
+Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file
+
+---
+ controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 460 insertions(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index b63dc6cf9e1..85c821bc60d 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1480,3 +1480,463 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
++
++ - id: 5.1.1
++ title: Ensure cron daemon is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - service_crond_enabled
++
++ - id: 5.1.2
++ title: Ensure permissions on /etc/crontab are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_crontab
++ - file_owner_crontab
++ - file_permissions_crontab
++
++ - id: 5.1.3
++ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_hourly
++ - file_owner_cron_hourly
++ - file_permissions_cron_hourly
++
++ - id: 5.1.4
++ title: Ensure permissions on /etc/cron.daily are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_daily
++ - file_owner_cron_daily
++ - file_permissions_cron_daily
++
++ - id: 5.1.5
++ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_weekly
++ - file_owner_cron_weekly
++ - file_permissions_cron_weekly
++
++ - id: 5.1.6
++ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
++ levels:
++ -
l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_monthly
++ - file_owner_cron_monthly
++ - file_permissions_cron_monthly
++
++ - id: 5.1.7
++ title: Ensure permissions on /etc/cron.d are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_cron_d
++ - file_owner_cron_d
++ - file_permissions_cron_d
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7195
++ - id: 5.1.8
++ title: Ensure at/cron is restricted to authorized users (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.2.1
++ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_sshd_config
++ - file_owner_sshd_config
++ - file_permissions_sshd_config
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7196
++ - id: 5.2.2
++ title: Ensure SSH access is limited (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # TODO
++ # Rule sets permissions to 0640 but benchmark wants it to be 0600
++ #
++ # TODO
++ # Check owner of private keys in /etc/ssh is root:root
++ - id: 5.2.3
++ title: Ensure permissions on SSH private host key files are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_sshd_private_key
++
++ # TODO
++ # Check owner of public keys in /etc/ssh is root:root
++ - id: 5.2.4
++ title: Ensure permissions on SSH public host key files are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_sshd_pub_key
++
++ - id: 5.2.5
++ title: Ensure SSH LogLevel is appropriate (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_set_loglevel_info
++
++ - id: 5.2.6
++ title: Ensure SSH X11 forwarding is disabled
(Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_x11_forwarding
++
++ - id: 5.2.7
++ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_max_auth_tries_value=4
++ - sshd_set_max_auth_tries
++
++ - id: 5.2.8
++ title: Ensure SSH IgnoreRhosts is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_rhosts
++
++ - id: 5.2.9
++ title: Ensure SSH HostbasedAuthentication is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - disable_host_auth
++
++ - id: 5.2.10
++ title: Ensure SSH root login is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_root_login
++
++ - id: 5.2.11
++ title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_disable_empty_passwords
++
++ - id: 5.2.12
++ title: Ensure SSH PermitUserEnvironment is disabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_do_not_permit_user_env
++
++ - id: 5.2.13
++ title: Ensure SSH Idle Timeout Interval is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_idle_timeout_value=5_minutes
++ - sshd_set_idle_timeout
++ - sshd_set_keepalive_0
++ - var_sshd_set_keepalive=0
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5525
++ - id: 5.2.14
++ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.2.15
++ title: Ensure SSH warning banner is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_enable_warning_banner
++
++ # NEEDS RULE
++ #
https://github.com/ComplianceAsCode/content/issues/5526
++ - id: 5.2.16
++ title: Ensure SSH PAM is enabled (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.2.17
++ title: Ensure SSH AllowTcpForwarding is disabled (Automated)
++ levels:
++ - l2_server
++ - l2_workstation
++ automated: yes
++ rules:
++ - sshd_disable_tcp_forwarding
++
++ - id: 5.2.18
++ title: Ensure SSH MaxStartups is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_set_maxstartups
++
++ - id: 5.2.19
++ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=4
++
++ - id: 5.2.20
++ title: Ensure system-wide crypto policy is not over-ridden (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - configure_ssh_crypto_policy
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5530
++ - id: 5.3.1
++ title: Create custom authselect profile (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5531
++ - id: 5.3.2
++ title: Select authselect profile (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5532
++ - id: 5.3.2
++ title: Ensure authselect includes with-faillock (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE: try_first_pass
++ # https://github.com/ComplianceAsCode/content/issues/5533
++ - id: 5.4.1
++ title: Ensure password creation requirements are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minlen
++ - accounts_password_pam_retry
++ -
var_password_pam_minclass=4
++ - var_password_pam_minlen=14
++
++ - id: 5.4.2
++ title: Ensure lockout for failed password attempts is configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_passwords_pam_faillock_deny
++ - accounts_passwords_pam_faillock_unlock_time
++ - var_accounts_passwords_pam_faillock_deny=5
++ - var_accounts_passwords_pam_faillock_unlock_time=900
++
++ - id: 5.4.3
++ title: Ensure password reuse is limited (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_password_pam_unix_remember
++ - var_password_pam_unix_remember=5
++
++ - id: 5.4.4
++ title: Ensure password hashing algorithm is SHA-512 (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - set_password_hashing_algorithm_systemauth
++
++ - id: 5.5.1.1
++ title: Ensure password expiration is 365 days or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_maximum_age_login_defs
++ - var_accounts_maximum_age_login_defs=365
++
++ - id: 5.5.1.2
++ title: Ensure minimum days between password changes is 7 or more (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_minimum_age_login_defs
++ - var_accounts_minimum_age_login_defs=7
++
++ - id: 5.5.1.3
++ title: Ensure password expiration warning days is 7 or more (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_password_warn_age_login_defs
++ - var_accounts_password_warn_age_login_defs=7
++
++ # TODO
++ # Rule doesn't check list of users
++ - id: 5.5.1.4
++ title: Ensure inactive password lock is 30 days or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - account_disable_post_pw_expiration
++ - var_account_disable_post_pw_expiration=30
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5537
++ - id: 5.5.1.5
++ title: Ensure all users last password change date is in the past (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.5.2
++ title: Ensure system accounts are secured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_shelllogin_for_systemaccounts
++
++ - id: 5.5.3
++ title: Ensure default user shell timeout is 900 seconds or less (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_tmout
++ - var_accounts_tmout=15_min
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5539
++ - id: 5.5.4
++ title: Ensure default group for the root account is GID 0 (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 5.5.5
++ title: Ensure default user umask is 027 or more restrictive (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_profile
++ - var_accounts_user_umask=027
++
++ - id: 5.6
++ title: Ensure root login is restricted to system console (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ related_rules:
++ - no_direct_root_logins
++ - securetty_root_login_console_only
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5541
++ - id: 5.7
++ title: Ensure access to the su command is restricted (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
+
+From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Sat, 3 Jul 2021 12:33:15 +0100
+Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file
+
+---
+ controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 325 insertions(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 85c821bc60d..bc77e25d122 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@
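Review bot: The id `5.3.2` is assigned twice in this hunk, once to "Select authselect profile" and again to "Ensure authselect includes with-faillock", so whichever consumer keys controls by id will see the two collide and one of them will be silently shadowed; the with-faillock entry is presumably the benchmark's next item and should read `- id: 5.3.3`, to be confirmed against the CIS text. Separately, 5.2.3 is marked `automated: yes` although its own TODO says the selected rule enforces 0640 where the benchmark requires 0600 and that ownership is not checked, so a scan can report the control satisfied on a host that does not meet it; a later commit in this series uses `automated: partially` for exactly this situation on 1.5.1, and that value fits 5.2.3 (and 5.2.4, whose TODO notes the missing owner check) better than `yes`. Both points are contained in the added lines; the `controls:` list continues on either side of the hunk.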
-1940,3 +1940,328 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
++
++ - id: 6.1.1
++ title: Audit system file permissions (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ related_rules:
++ - rpm_verify_permissions
++ - rpm_verify_ownership
++
++ - id: 6.1.2
++ title: Ensure permissions on /etc/passwd are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_etc_passwd
++ - file_owner_etc_passwd
++ - file_permissions_etc_passwd
++
++ - id: 6.1.3
++ title: Ensure permissions on /etc/passwd- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_passwd
++ - file_owner_backup_etc_passwd
++ - file_permissions_backup_etc_passwd
++
++ - id: 6.1.4
++ title: Ensure permissions on /etc/shadow are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_permissions_etc_shadow
++
++ - id: 6.1.5
++ title: Ensure permissions on /etc/shadow- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_shadow
++ - file_owner_backup_etc_shadow
++ - file_permissions_backup_etc_shadow
++
++ - id: 6.1.6
++ title: Ensure permissions on /etc/gshadow are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_etc_gshadow
++ - file_owner_etc_gshadow
++ - file_permissions_etc_gshadow
++
++ - id: 6.1.7
++ title: Ensure permissions on /etc/gshadow- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow
++ - file_permissions_backup_etc_gshadow
++
++ - id: 6.1.8
++ title: Ensure permissions on /etc/group are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_etc_group
++ - file_owner_etc_group
++ - file_permissions_etc_group
++
++ - id: 6.1.9
++ title: Ensure permissions on /etc/group- are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupowner_backup_etc_group
++ - file_owner_backup_etc_group
++ - file_permissions_backup_etc_group
++
++ - id: 6.1.10
++ title: Ensure no world writable files exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_unauthorized_world_writable
++
++ - id: 6.1.11
++ title: Ensure no unowned files or directories exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_files_unowned_by_user
++
++ - id: 6.1.12
++ title: Ensure no ungrouped files or directories exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_ungroupowned
++
++ - id: 6.1.13
++ title: Audit SUID executables (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ rules:
++ - file_permissions_unauthorized_suid
++
++ - id: 6.1.14
++ title: Audit SGID executables (Manual)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++ rules:
++ - file_permissions_unauthorized_sgid
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7197
++ - id: 6.2.1
++ title: Ensure password fields are not empty (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.2
++ title: Ensure no legacy "+" entries exist in /etc/passwd (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_legacy_plus_entries_etc_passwd
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7198
++ - id: 6.2.3
++ title: Ensure root PATH Integrity (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.4
++
title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_legacy_plus_entries_etc_shadow
++
++ - id: 6.2.5
++ title: Ensure no legacy "+" entries exist in /etc/group (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_legacy_plus_entries_etc_group
++
++ - id: 6.2.6
++ title: Ensure root is the only UID 0 account (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_no_uid_except_zero
++
++ - id: 6.2.7
++ title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_permissions_home_dirs
++
++ # NEEDS RULE (for user ownership)
++ # https://github.com/ComplianceAsCode/content/issues/5507
++ - id: 6.2.8
++ title: Ensure users own their home directories (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - file_groupownership_home_directories
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5506
++ - id: 6.2.9
++ title: Ensure users' dot files are not group or world writable (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5505
++ - id: 6.2.10
++ title: Ensure no users have .forward files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.11
++ title: Ensure no users have .netrc files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_netrc_files
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5504
++ - id: 6.2.12
++ title: Ensure users' .netrc Files are not group or world accessible (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.13
++ title: Ensure no users have
.rhosts files (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - no_rsh_trust_files
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5503
++ - id: 6.2.14
++ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5502
++ - id: 6.2.15
++ title: Ensure no duplicate UIDs exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5501
++ - id: 6.2.16
++ title: Ensure no duplicate GIDs exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.17
++ title: Ensure no duplicate user names exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - account_unique_name
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5500
++ - id: 6.2.18
++ title: Ensure no duplicate group names exist (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/5499
++ - id: 6.2.19
++ title: Ensure shadow group is empty (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
++ - id: 6.2.20
++ title: Ensure shadow group is empty (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - accounts_user_interactive_home_directory_exists
+
+From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Sat, 3 Jul 2021 12:36:01 +0100
+Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint
+
+---
+ controls/cis_rhel8.yml | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index bc77e25d122..161a2aac58e 100644
+---
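Review bot: Control 6.2.20 carries the same title as 6.2.19, "Ensure shadow group is empty (Automated)", yet the rule it selects is `accounts_user_interactive_home_directory_exists`, so the title no longer describes what is checked and any report built from this file will show two identical headings with different results; it presumably should be the benchmark's home-directory item, e.g. `title: Ensure all users' home directories exist (Automated)`, to be confirmed against the CIS text. 6.1.13 and 6.1.14 are `automated: no` but hang their SUID/SGID checks under `rules:` rather than `related_rules:`, unlike 6.1.1 in the same hunk, so if the loader selects `rules:` regardless of the `automated` flag a Manual control ends up adding automated checks to the profile. 6.2.8 is `automated: yes` although its own comment says the user-ownership half still needs a rule, so `automated: partially` would describe it more honestly.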
a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -1,3 +1,4 @@
++---
+ policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+ title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
+ id: cis_rhel8
+@@ -1597,7 +1598,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - file_permissions_sshd_private_key
++ - file_permissions_sshd_private_key
+
+ # TODO
+ # Check owner of public keys in /etc/ssh is root:root
+@@ -1608,7 +1609,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - file_permissions_sshd_pub_key
++ - file_permissions_sshd_pub_key
+
+ - id: 5.2.5
+ title: Ensure SSH LogLevel is appropriate (Automated)
+@@ -1617,7 +1618,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - sshd_set_loglevel_info
++ - sshd_set_loglevel_info
+
+ - id: 5.2.6
+ title: Ensure SSH X11 forwarding is disabled (Automated)
+@@ -1626,7 +1627,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - sshd_disable_x11_forwarding
++ - sshd_disable_x11_forwarding
+
+ - id: 5.2.7
+ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
+
+From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 9 Jul 2021 00:11:57 +0100
+Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR
+
+---
+ controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 14 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 161a2aac58e..c93d6128ca4 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -170,7 +170,7 @@ controls:
+ rules:
+ - partition_for_home
+
+- - id: 1.1.18
++ - id: 1.1.14
+ title: Ensure nodev option set on /home partition (Automated)
+ levels:
+ - l1_server
+@@ -212,7 +212,7 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
+- rules:
++ related_rules:
+ - mount_option_nodev_removable_partitions
+
+ - id: 1.1.19
+@@ -221,7 +221,7 @@ controls:
+ - l1_server
+ - l1_workstation
+
automated: no
+- rules:
++ related_rules:
+ - mount_option_nosuid_removable_partitions
+
+ - id: 1.1.20
+@@ -230,9 +230,18 @@ controls:
+ - l1_server
+ - l1_workstation
+ automated: no
+- rules:
++ related_rules:
+ - mount_option_noexec_removable_partitions
+
++ - id: 1.1.21
++ title: Ensure sticky bit is set on all world-writable directories (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: yes
++ rules:
++ - dir_perms_world_writable_sticky_bits
++
+ - id: 1.1.22
+ title: Disable Automounting (Automated)
+ levels:
+@@ -348,7 +357,7 @@ controls:
+ - file_groupowner_grub2_cfg
+ - file_permissions_grub2_cfg
+
+- - id: 1.5.1
++ - id: 1.5.2
+ title: Ensure bootloader password is set (Automated)
+ levels:
+ - l1_server
+@@ -356,6 +365,7 @@ controls:
+ automated: yes
+ rules:
+ - grub2_password
++ - grub2_uefi_password
+
+ - id: 1.5.3
+ title: Ensure authentication required for single user mode (Automated)
+@@ -397,15 +407,6 @@ controls:
+ rules:
+ - package_libselinux_installed
+
+- - id: 1.7.1.1
+- title: Ensure SELinux is installed (Automated)
+- levels:
+- - l2_server
+- - l2_workstation
+- automated: yes
+- rules:
+- - package_libselinux_installed
+-
+ - id: 1.7.1.2
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
+ levels:
+@@ -469,6 +470,7 @@ controls:
+ automated: yes
+ rules:
+ - banner_etc_motd
++ - login_banner_text=usgcb_default
+
+ - id: 1.8.1.2
+ title: Ensure local login warning banner is configured properly (Automated)
+@@ -478,6 +480,7 @@ controls:
+ automated: yes
+ rules:
+ - banner_etc_issue
++ - login_banner_text=usgcb_default
+
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5225
+@@ -495,6 +498,8 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
++ - file_groupowner_etc_motd
++ - file_owner_etc_motd
+ - file_permissions_etc_motd
+
+ - id: 1.8.1.5
+@@ -504,8 +509,19 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
++ - file_groupowner_etc_issue
++ -
file_owner_etc_issue
+ - file_permissions_etc_issue
+
++ # NEEDS RULE
++ # https://github.com/ComplianceAsCode/content/issues/7225
++ - id: 1.8.1.6
++ title: Ensure permissions on /etc/issue.net are configured (Automated)
++ levels:
++ - l1_server
++ - l1_workstation
++ automated: no
++
+ - id: 1.8.2
+ title: Ensure GDM login banner is configured (Automated)
+ levels:
+@@ -515,6 +531,7 @@ controls:
+ rules:
+ - dconf_gnome_banner_enabled
+ - dconf_gnome_login_banner_text
++ - login_banner_text=usgcb_default
+
+ - id: 1.9
+ title: Ensure updates, patches, and additional security software are installed (Manual)
+
+From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 14:21:02 +0100
+Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional
+ on merge of #7226)
+
+---
+ controls/cis_rhel8.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index c93d6128ca4..9140711fb66 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -550,6 +550,7 @@ controls:
+ automated: yes
+ rules:
+ - configure_crypto_policy
++ - var_system_crypto_policy=default
+
+ # This rule works in conjunction with the configure_crypto_policy above.
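Review bot: With this hunk `login_banner_text=usgcb_default` is now declared in three controls of the same level (1.8.1.1, 1.8.1.2 and here in 1.8.2), which is three places to keep in agreement, and since this series also changes how the loader resolves a variable that appears in more than one control it is worth confirming that the repeated declarations within one level are treated as harmless duplicates rather than causing the later controls' rules to be dropped; declaring the variable once and marking the other two with `# login_banner_text is set by 1.8.1.1` would remove the question. A short comment on the value itself would also help deployers: the USGCB text is presumably only a placeholder, and CIS's own requirement is that the banner not disclose OS, version or patch level, which any customised legal banner can satisfy. The surrounding controls run past both ends of the hunk.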
+ # If a system is remediated to CIS Level 1, just the rule above will apply
+
+From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 14:34:41 +0100
+Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules
+
+---
+ controls/cis_rhel8.yml | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 9140711fb66..782dc7666f3 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -585,7 +585,7 @@ controls:
+ related_rules:
+ - package_chrony_installed
+
+- - id: 2.1.1
++ - id: 2.2.1.2
+ title: Ensure chrony is configured (Automated)
+ levels:
+ - l1_server
+@@ -597,13 +597,12 @@ controls:
+ - chronyd_run_as_chrony_user
+
+ - id: 2.2.2
+- title: Ensure chrony is configured (Automated)
++ title: Ensure X Window System is not installed (Automated)
+ levels:
+ - l1_server
+ automated: yes
+ rules:
+- - package_xorg-x11-server-common_removed
+- - xwindows_runlevel_target
++ - xwindows_remove_packages
+
+ - id: 2.2.3
+ title: Ensure rsync service is not enabled (Automated)
+@@ -639,7 +638,7 @@ controls:
+ - l1_workstation
+ automated: yes
+ rules:
+- - package_squid_removed
++ - package_squid_disabled
+
+ - id: 2.2.7
+ title: Ensure Samba is not enabled (Automated)
+@@ -707,7 +706,7 @@ controls:
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/5231
+ - id: 2.2.14
+- title: Ensure RPC is not enabled (Automated)
++ title: Ensure LDAP server is not enabled (Automated)
+ levels:
+ - l1_server
+ - l1_workstation
+@@ -748,6 +747,7 @@ controls:
+ automated: yes
+ rules:
+ - postfix_network_listening_disabled
++ - var_postfix_inet_interfaces=loopback-only
+
+ - id: 2.3.1
+ title: Ensure NIS Client is not installed (Automated)
+
+From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001
+From: Alex Haydock
+Date: Fri, 16 Jul 2021 15:03:09 +0100
+Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3
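Review bot: Pinning `var_system_crypto_policy=default` means the Level 1 remediation will actively set the policy to DEFAULT, and if `configure_crypto_policy` applies the variable unconditionally (its remediation is not visible here) that downgrades a host that was already running FUTURE or FIPS, both of which presumably also satisfy a "not legacy" control; the existing comment should say so, e.g. `# DEFAULT is the weakest policy the L1 check accepts; remediating an already-FIPS/FUTURE host to L1 alone will relax it to DEFAULT`. The subject line makes this change conditional on the variable-override behaviour from another PR, which is the only reason the Level 2 control that follows can set the same variable to a stricter value, and that dependency belongs in the comment rather than only in the commit message. The comment block continues on the next line of the hunk, and the control's `id`/`title` lie before it.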
rules
+
+---
+ controls/cis_rhel8.yml | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
+index 782dc7666f3..1d34337411f 100644
+--- a/controls/cis_rhel8.yml
++++ b/controls/cis_rhel8.yml
+@@ -785,6 +785,7 @@ controls:
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+
+ - id: 3.1.2
+ title: Ensure packet redirect sending is disabled (Automated)
+@@ -804,9 +805,13 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+
+ - id: 3.2.2
+ title: Ensure ICMP redirects are not accepted (Automated)
+@@ -816,9 +821,13 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects
++ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+
+ - id: 3.2.3
+ title: Ensure secure ICMP redirects are not accepted (Automated)
+@@ -828,7 +837,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
++ -
sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+
+ - id: 3.2.4
+ title: Ensure suspicious packets are logged (Automated)
+@@ -838,7 +849,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+
+ - id: 3.2.5
+ title: Ensure broadcast ICMP requests are ignored (Automated)
+@@ -848,6 +861,7 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+
+ - id: 3.2.6
+ title: Ensure bogus ICMP responses are ignored (Automated)
+@@ -857,6 +871,7 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+
+ - id: 3.2.7
+ title: Ensure Reverse Path Filtering is enabled (Automated)
+@@ -866,7 +881,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+
+ - id: 3.2.8
+ title: Ensure TCP SYN Cookies is enabled (Automated)
+@@ -876,15 +893,7 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+-
+- - id: 3.2.8
+- title: Ensure TCP SYN Cookies is enabled (Automated)
+- levels:
+- - l1_server
+- - l1_workstation
+- automated: yes
+- rules:
+- - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+
+ - id: 3.2.9
+ title: Ensure IPv6 router advertisements are not accepted (Automated)
+@@ -894,7 +903,9 @@ controls:
+ automated: yes
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_ra
++ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra
++ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+
+ - id: 3.3.1
+ title:
Ensure DCCP is disabled (Automated) + +From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 20 Jul 2021 08:43:10 +0100 +Subject: [PATCH 11/55] Update controls/cis_rhel8.yml + +Co-authored-by: vojtapolasek +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 1d34337411f..2acf9aef28d 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -638,7 +638,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - package_squid_disabled ++ - service_squid_disabled + + - id: 2.2.7 + title: Ensure Samba is not enabled (Automated) + +From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 30 Jul 2021 22:13:25 +0100 +Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 2acf9aef28d..e63fc57ddea 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -351,7 +351,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # This rule, as implemented here, does not check for a user.cfg file + rules: + - file_owner_grub2_cfg + - file_groupowner_grub2_cfg + +From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 30 Jul 2021 22:19:14 +0100 +Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1 + +--- + controls/cis_rhel8.yml | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e63fc57ddea..2163655d9d3 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -353,8 +353,11 @@ controls: + - l1_workstation + automated: partially # This rule, as implemented here, does not check for a 
user.cfg file + rules: +- - file_owner_grub2_cfg ++ - file_groupowner_efi_grub2_cfg + - file_groupowner_grub2_cfg ++ - file_owner_efi_grub2_cfg ++ - file_owner_grub2_cfg ++ - file_permissions_efi_grub2_cfg + - file_permissions_grub2_cfg + + - id: 1.5.2 + +From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:11:38 +0100 +Subject: [PATCH 14/55] Update controls/cis_rhel8.yml + +Co-authored-by: vojtapolasek +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 2163655d9d3..aa9c2b6c809 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1655,7 +1655,7 @@ controls: + - id: 5.2.6 + title: Ensure SSH X11 forwarding is disabled (Automated) + levels: +- - l1_server ++ - l2_server + - l1_workstation + automated: yes + rules: + +From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:22:44 +0100 +Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index aa9c2b6c809..af874fd789e 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1234,6 +1234,7 @@ controls: + automated: yes + rules: + - auditd_data_retention_max_log_file_action ++ - var_auditd_max_log_file_action=keep_logs + + - id: 4.1.2.3 + title: Ensure system is disabled when audit logs are full (Automated) + +From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:31:20 +0100 +Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6 + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index af874fd789e..af1314325ab 100644 +--- 
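Review bot: Control 1.5.1 now selects both the BIOS and the three `*_efi_grub2_cfg` rules with no indication of platform applicability, so on a BIOS-only host the EFI rules would be expected to fail (or report not applicable) unless the rules themselves carry a UEFI platform guard — worth confirming before relying on the `partially` marking. A one-line comment next to the added rules, e.g. `# UEFI and BIOS grub2.cfg rules are both selected; the UEFI ones are expected to be N/A on BIOS systems`, would make that intent explicit to the next reader. The control's id and title lines are above this hunk.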
a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1225,6 +1225,7 @@ controls: + automated: yes + rules: + - auditd_data_retention_max_log_file ++ - var_auditd_max_log_file=6 + + - id: 4.1.2.2 + title: Ensure audit logs are not automatically deleted (Automated) + +From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:36:48 +0100 +Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not + directly align with CIS + +--- + controls/cis_rhel8.yml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index af1314325ab..a81a9ef4605 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1284,11 +1284,10 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes ++ automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. 
+ rules: + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime +- - audit_rules_time_settimeofday + - audit_rules_time_stime + - audit_rules_time_watch_localtime + + +From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:37:25 +0100 +Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve + full automation + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a81a9ef4605..cba86f40c9e 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1299,7 +1299,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes ++ automated: partial + rules: + - audit_rules_mac_modification + + +From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:38:54 +0100 +Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not + align with the benchmark + +--- + controls/cis_rhel8.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index cba86f40c9e..6e8c5cf10f0 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1345,8 +1345,6 @@ controls: + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate +- # Opinionated selection +- - audit_rules_unsuccessful_file_modification_open_by_handle_at + + - id: 4.1.11 + title: Ensure events that modify user/group information are collected (Automated) + +From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:41:13 +0100 +Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation + key + +--- + controls/cis_rhel8.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git 
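Review bot: Removing `audit_rules_time_settimeofday` from the rules list leaves the settimeofday syscall with no visible reference in this control, whereas later hunks in this series (4.1.13, 6.2.7, 6.2.8, 6.2.20) keep a near-miss rule under `related_rules:` so the coverage gap stays traceable. Keeping it as `related_rules:` / `- audit_rules_time_settimeofday` next to the existing `rules:` list would match that convention; the 5.2.5 hunk later in the series shows both keys coexisting on one control. The control's id and title are above this hunk.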
a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 6e8c5cf10f0..829f0515cb0 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1284,7 +1284,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. ++ automated: partially # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control. + rules: + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime +@@ -1299,7 +1299,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: partial ++ automated: partially + rules: + - audit_rules_mac_modification + + +From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:42:57 +0100 +Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not + align exactly with the benchmark + +--- + controls/cis_rhel8.yml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 829f0515cb0..76a7c8bbfa9 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1373,8 +1373,9 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes +- rules: ++ automated: no ++ related_rules: ++ # The rule below is almost correct but cannot be used as it does not set the perm=x flag. 
+ - audit_rules_privileged_commands + + - id: 4.1.14 + +From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:44:03 +0100 +Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not + align with the benchmark + +--- + controls/cis_rhel8.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 76a7c8bbfa9..e6a53516666 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1389,8 +1389,6 @@ controls: + - audit_rules_file_deletion_events_renameat + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat +- # Opinionated selection +- - audit_rules_file_deletion_events_rmdir + + - id: 4.1.15 + title: Ensure kernel module loading and unloading is collected (Automated) + +From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:47:53 +0100 +Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does + not align with the benchmark + +--- + controls/cis_rhel8.yml | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e6a53516666..327400abd65 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1435,14 +1435,15 @@ controls: + rules: + - service_rsyslog_enabled + ++ # NEEDS RULE ++ # The rsyslog_files_permissions rule is not sufficient ++ # https://github.com/ComplianceAsCode/content/issues/7332 + - id: 4.2.1.3 + title: Ensure rsyslog default file permissions configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - rsyslog_files_permissions ++ automated: no + + - id: 4.2.1.4 + title: Ensure logging is configured (Manual) + +From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:52:17 +0100 +Subject: [PATCH 24/55] 
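Review bot: Setting 4.2.1.3 to `automated: no` deletes the `rsyslog_files_permissions` reference outright, so the file no longer records which rule the linked issue is meant to fix; the same pattern repeats for 4.2.1.5 and 5.2.3 in the next patch, and later for 5.2.15, 5.4.2 and the IPv6-disable control. The 4.1.13 hunk just above, and the 6.2.7/6.2.8/6.2.20 hunks later, instead demote the insufficient rule to `related_rules:`, which keeps the mapping visible to anyone auditing profile coverage; doing the same here, e.g. `related_rules:` / `- rsyslog_files_permissions`, would be consistent across the series. The NEEDS RULE comments with issue links are a good addition and should be kept either way.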
Disable 4.2.1.5 and 5.2.3 as they do not align + perfectly with the benchmark + +--- + controls/cis_rhel8.yml | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 327400abd65..f5a8ce45848 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1452,14 +1452,15 @@ controls: + - l1_workstation + automated: no + ++ # NEEDS RULE ++ # The rsyslog_remote_loghost rule is not sufficient ++ # https://github.com/ComplianceAsCode/content/issues/7333 + - id: 4.2.1.5 + title: Ensure rsyslog is configured to send logs to a remote log host (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - rsyslog_remote_loghost ++ automated: no + + - id: 4.2.1.6 + title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual) +@@ -1617,19 +1618,15 @@ controls: + - l1_workstation + automated: no + +- # TODO +- # Rule sets permissions to 0640 but benchmark wants it to be 0600 +- # +- # TODO +- # Check owner of private keys in /etc/ssh is root:root ++ # NEEDS RULE ++ # The file_permissions_sshd_private_key rule is not aligned with the benchmark ++ # https://github.com/ComplianceAsCode/content/issues/7334 + - id: 5.2.3 + title: Ensure permissions on SSH private host key files are configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - file_permissions_sshd_private_key ++ automated: no + + # TODO + # Check owner of public keys in /etc/ssh is root:root + +From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:53:10 +0100 +Subject: [PATCH 25/55] 5.2.4 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index f5a8ce45848..0e3fa99d32e 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ 
-1635,7 +1635,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially + rules: + - file_permissions_sshd_pub_key + + +From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 4 Aug 2021 16:55:32 +0100 +Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used + properly + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 0e3fa99d32e..439b3265fe9 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1721,7 +1721,7 @@ controls: + rules: + - sshd_idle_timeout_value=5_minutes + - sshd_set_idle_timeout +- - sshd_set_keepalive_0 ++ - sshd_set_keepalive + - var_sshd_set_keepalive=0 + + # NEEDS RULE + +From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 08:47:24 +0100 +Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely + with CIS benchmark + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 439b3265fe9..92ac0dd85c5 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -595,9 +595,9 @@ controls: + - l1_workstation + automated: yes + rules: +- - service_chronyd_enabled + - chronyd_specify_remote_server + - chronyd_run_as_chrony_user ++ - var_multiple_time_servers=rhel + + - id: 2.2.2 + title: Ensure X Window System is not installed (Automated) + +From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 08:54:14 +0100 +Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file + +--- + controls/cis_rhel8.yml | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 92ac0dd85c5..565974817f1 100644 +--- 
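Review bot: After `service_chronyd_enabled` is dropped, nothing left in the chrony hunk ensures the time daemon is actually enabled; the remaining rules only set a remote server and the run-as user. If no other control in the file selects a service-enablement rule for chrony, the profile stops enforcing an active time source, which matters for log timestamp integrity — worth confirming before merge. If the removal is deliberate alignment with the benchmark text, a comment such as `# service enablement is covered by <control id>` with the real id filled in would document it; the control's id and title are above this hunk.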
a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1645,7 +1645,12 @@ controls: + - l1_server + - l1_workstation + automated: yes ++ # The CIS benchmark is not opinionated about which loglevel is selected ++ # here. Here, this profile uses VERBOSE by default, as it allows for ++ # the capture of login and logout activity as well as key fingerprints. + rules: ++ - sshd_set_loglevel_verbose ++ related_rules: + - sshd_set_loglevel_info + + - id: 5.2.6 + +From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:00:17 +0100 +Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses + wrong path) + +--- + controls/cis_rhel8.yml | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 565974817f1..53f024fffea 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1738,14 +1738,16 @@ controls: + - l1_workstation + automated: no + ++ # NEEDS RULE ++ # The current sshd_enable_warning_banner rule uses /etc/issue instead ++ # of the /etc/issue.net that the benchmark expects. 
++ # + - id: 5.2.15 + title: Ensure SSH warning banner is configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - sshd_enable_warning_banner ++ automated: no + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5526 + +From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:00:48 +0100 +Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups + rule in RHEL 8 CIS profile + +--- + controls/cis_rhel8.yml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 53f024fffea..3345a37d098 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1775,6 +1775,7 @@ controls: + automated: yes + rules: + - sshd_set_maxstartups ++ - var_sshd_set_maxstartups=10:30:60 + + - id: 5.2.19 + title: Ensure SSH MaxSessions is set to 4 or less (Automated) + +From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:19:43 +0100 +Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits + for vs the one in the control title + +--- + controls/cis_rhel8.yml | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 3345a37d098..3b6219f3296 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1777,6 +1777,13 @@ controls: + - sshd_set_maxstartups + - var_sshd_set_maxstartups=10:30:60 + ++ # The title of this control does not appear to match the suggested audit and ++ # remediation in the CIS Benchmark version 1.0.1 - this profile uses the ++ # value from the audit and remediation sections of the benchmark rather than ++ # from the title. 
++ # ++ # An upstream ticket has been opened about this issue: ++ # https://workbench.cisecurity.org/community/14/tickets/13414 + - id: 5.2.19 + title: Ensure SSH MaxSessions is set to 4 or less (Automated) + levels: +@@ -1785,7 +1792,7 @@ controls: + automated: yes + rules: + - sshd_set_max_sessions +- - var_sshd_max_sessions=4 ++ - var_sshd_max_sessions=10 + + - id: 5.2.20 + title: Ensure system-wide crypto policy is not over-ridden (Automated) + +From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:20:45 +0100 +Subject: [PATCH 32/55] Fix rule ID for 5.3.3 + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 3b6219f3296..55c8378529d 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1823,7 +1823,7 @@ controls: + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5532 +- - id: 5.3.2 ++ - id: 5.3.3 + title: Ensure authselect includes with-faillock (Automated) + levels: + - l1_server + +From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:23:40 +0100 +Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2 + +--- + controls/cis_rhel8.yml | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 55c8378529d..c7f651994d6 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1845,17 +1845,14 @@ controls: + - var_password_pam_minclass=4 + - var_password_pam_minlen=14 + ++ # NEEDS RULE ++ # https://github.com/ComplianceAsCode/content/issues/7337 + - id: 5.4.2 + title: Ensure lockout for failed password attempts is configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: +- - accounts_passwords_pam_faillock_deny +- - accounts_passwords_pam_faillock_unlock_time 
+- - var_accounts_passwords_pam_faillock_deny=5 +- - var_accounts_passwords_pam_faillock_unlock_time=900 ++ automated: no + + - id: 5.4.3 + title: Ensure password reuse is limited (Automated) + +From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:29:15 +0100 +Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated + +--- + controls/cis_rhel8.yml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index c7f651994d6..10816e1ba35 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1830,14 +1830,15 @@ controls: + - l1_workstation + automated: no + +- # NEEDS RULE: try_first_pass ++ # NEEDS RULE ++ # try_first_pass + # https://github.com/ComplianceAsCode/content/issues/5533 + - id: 5.4.1 + title: Ensure password creation requirements are configured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially + rules: + - accounts_password_pam_minclass + - accounts_password_pam_minlen + +From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:37:15 +0100 +Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited" + rule from RHEL 7 + +--- + controls/cis_rhel8.yml | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 10816e1ba35..0ea36362832 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1861,9 +1861,15 @@ controls: + - l1_server + - l1_workstation + automated: yes +- rules: +- - accounts_password_pam_unix_remember +- - var_password_pam_unix_remember=5 ++ notes: |- ++ Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation. 
++ See here for more details about pam_unix.so: ++ https://bugzilla.redhat.com/show_bug.cgi?id=1778929 ++ rules: ++ - accounts_password_pam_pwhistory_remember_password_auth ++ - accounts_password_pam_pwhistory_remember_system_auth ++ - var_password_pam_remember_control_flag=required ++ - var_password_pam_remember=5 + + - id: 5.4.4 + title: Ensure password hashing algorithm is SHA-512 (Automated) + +From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:41:13 +0100 +Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 0ea36362832..be46d870965 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1876,7 +1876,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark. + rules: + - set_password_hashing_algorithm_systemauth + + +From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:42:57 +0100 +Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index be46d870965..e41c2eb4dae 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1885,7 +1885,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control. 
+ rules: + - accounts_maximum_age_login_defs + - var_accounts_maximum_age_login_defs=365 + +From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:44:17 +0100 +Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e41c2eb4dae..0b2b3d04621 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1895,7 +1895,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control. + rules: + - accounts_minimum_age_login_defs + - var_accounts_minimum_age_login_defs=7 + +From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:47:22 +0100 +Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 0b2b3d04621..70312f6399a 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1905,7 +1905,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control. 
+ rules: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + +From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Thu, 5 Aug 2021 09:47:54 +0100 +Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated + +--- + controls/cis_rhel8.yml | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 70312f6399a..42dbf14c816 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1910,14 +1910,12 @@ controls: + - accounts_password_warn_age_login_defs + - var_accounts_password_warn_age_login_defs=7 + +- # TODO +- # Rule doesn't check list of users + - id: 5.5.1.4 + title: Ensure inactive password lock is 30 days or less (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control. 
+ rules: + - account_disable_post_pw_expiration + - var_account_disable_post_pw_expiration=30 + +From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 15:17:53 +0100 +Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 42dbf14c816..e8e340e0c36 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1724,7 +1724,7 @@ controls: + - l1_workstation + automated: yes + rules: +- - sshd_idle_timeout_value=5_minutes ++ - sshd_idle_timeout_value=15_minutes + - sshd_set_idle_timeout + - sshd_set_keepalive + - var_sshd_set_keepalive=0 + +From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:12:47 +0100 +Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated + +--- + controls/cis_rhel8.yml | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e8e340e0c36..2d534d95072 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1929,12 +1929,15 @@ controls: + - l1_workstation + automated: no + ++ # NEEDS RULE ++ # We are missing the component of this control which locks non-root system accounts ++ # https://github.com/ComplianceAsCode/content/issues/7352 + - id: 5.5.2 + title: Ensure system accounts are secured (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially + rules: + - no_shelllogin_for_systemaccounts + + +From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:17:13 +0100 +Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated + +--- + controls/cis_rhel8.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml 
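Review bot: The added comment on 5.5.1.4 misspells "whether" as "wheter"; the parallel comments added for 5.5.1.1–5.5.1.3 in the preceding patches spell it correctly. The line should read `automated: partially # The rule below does not validate whether all current users' INACTIVE setting conforms to the control.` so the four caveats stay uniform, since these comments are the only place in the file the limitation is recorded.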
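Review bot: Raising `sshd_idle_timeout_value` from `5_minutes` to `15_minutes` relaxes a security setting and the only justification is the commit subject, not the file; the adjacent `var_sshd_set_keepalive=0` line shows this control is tuned to the benchmark's idle-timeout wording, so a reader without that context may tighten or loosen it again. A short comment above the rules list, e.g. `# <benchmark version> permits a ClientAliveInterval of up to <bound> seconds; 15 minutes is selected here`, with the actual values filled in, would pin the rationale. The control's id and title are above this hunk.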
b/controls/cis_rhel8.yml +index 2d534d95072..784af3e0fe9 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1946,7 +1946,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark + rules: + - accounts_tmout + - var_accounts_tmout=15_min + +From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:21:39 +0100 +Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated + +--- + controls/cis_rhel8.yml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 784af3e0fe9..045e219d90f 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1965,9 +1965,10 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: partially # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark + rules: + - accounts_umask_etc_bashrc ++ - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + - var_accounts_user_umask=027 + + +From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:23:32 +0100 +Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by + use_pam_wheel_for_su + +--- + controls/cis_rhel8.yml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 045e219d90f..84a3269afc6 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1989,7 +1989,9 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: no ++ automated: partially ++ rules: ++ - use_pam_wheel_for_su + + - id: 6.1.1 + title: Audit system file permissions (Manual) + +From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17 
00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:31:56 +0100 +Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3 + +--- + controls/cis_rhel8.yml | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 84a3269afc6..d02f2cbbf86 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2154,14 +2154,15 @@ controls: + rules: + - no_legacy_plus_entries_etc_passwd + +- # NEEDS RULE +- # https://github.com/ComplianceAsCode/content/issues/7198 + - id: 6.2.3 + title: Ensure root PATH Integrity (Automated) + levels: + - l1_server + - l1_workstation +- automated: no ++ automated: yes ++ rules: ++ - accounts_root_path_dirs_no_write ++ - root_path_no_dot + + - id: 6.2.4 + title: Ensure no legacy "+" entries exist in /etc/shadow (Automated) + +From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:34:47 +0100 +Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without + OVAL checks or remediations + +--- + controls/cis_rhel8.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index d02f2cbbf86..a3f3d4e6d4f 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2196,8 +2196,8 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: ++ automated: no # The rule below exists, but does not have any OVAL checks or remediations. ++ related_rules: + - file_permissions_home_dirs + + # NEEDS RULE (for user ownership) +@@ -2207,7 +2207,7 @@ controls: + levels: + - l1_server + - l1_workstation +- automated: yes ++ automated: no # The rule below exists, but does not have any OVAL checks or remediations. 
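Review bot: Marking 6.2.3 `automated: yes` on the strength of `accounts_root_path_dirs_no_write` and `root_path_no_dot` looks optimistic: by their names these cover group/other-writable directories and `.` entries, but the benchmark's root PATH audit is commonly understood to also flag empty entries (`::`), a trailing `:`, and directories not owned by root, none of which this hunk references — worth confirming against the benchmark text. If those checks are not covered, `automated: partially` with a one-line comment naming the uncovered checks would match how the rest of this series handles incomplete coverage (e.g. the 5.5.1.x controls).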
+ rules: + - file_groupownership_home_directories + + +From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:35:23 +0100 +Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL + checks or remediations + +--- + controls/cis_rhel8.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a3f3d4e6d4f..cfefd245300 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2311,10 +2311,10 @@ controls: + automated: no + + - id: 6.2.20 +- title: Ensure shadow group is empty (Automated) ++ title: Ensure all users' home directories exist (Automated) + levels: + - l1_server + - l1_workstation +- automated: yes +- rules: ++ automated: no # The rule below exists, but does not have any OVAL checks or remediations. ++ related_rules: + - accounts_user_interactive_home_directory_exists + +From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Fri, 6 Aug 2021 16:38:11 +0100 +Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because + it also checks for finit_module syscall + +--- + controls/cis_rhel8.yml | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index cfefd245300..e8d3f24ccbb 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1397,7 +1397,11 @@ controls: + - l2_workstation + automated: yes + rules: +- - audit_rules_kernel_module_loading ++ - audit_rules_kernel_module_loading_delete ++ - audit_rules_kernel_module_loading_init ++ - audit_rules_privileged_commands_insmod ++ - audit_rules_privileged_commands_modprobe ++ - audit_rules_privileged_commands_rmmod + + # NEEDS RULE + # https://github.com/ComplianceAsCode/content/issues/5516 + +From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Mon, 9 Aug 2021 
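Review bot: The retitle of 6.2.20 from "Ensure shadow group is empty" to "Ensure all users' home directories exist" resolves the id/rule mismatch from the title side, but nothing in the hunk shows where the shadow-group control now lives; if the original title was the benchmark's and the home-directory item has a different number, the correct fix is to the id (or to add a separate entry), not the title. Worth checking the benchmark index that 6.2.20 is indeed the home-directories item and that the shadow-group item still has an entry in the file.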
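Review bot: The reason `audit_rules_kernel_module_loading` is replaced by five narrower rules lives only in the commit subject (it also audits the finit_module syscall); nothing in the file explains why the obvious rule is absent, so a later contributor may reinstate it and silently widen the audit set. A comment above the rules list, `# audit_rules_kernel_module_loading is not used because it also audits finit_module, which this benchmark item does not list`, plus keeping the rule under `related_rules:`, would make the choice visible in the file, matching the series' treatment of other near-miss rules. The control's id and title are above this hunk.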
11:49:56 +0100 +Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control + is not automated + +--- + controls/cis_rhel8.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index e8d3f24ccbb..a624d06cb56 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -2128,7 +2128,7 @@ controls: + - l1_server + - l1_workstation + automated: no +- rules: ++ related_rules: + - file_permissions_unauthorized_suid + + - id: 6.1.14 +@@ -2137,7 +2137,7 @@ controls: + - l1_server + - l1_workstation + automated: no +- rules: ++ related_rules: + - file_permissions_unauthorized_sgid + + # NEEDS RULE +@@ -2212,7 +2212,7 @@ controls: + - l1_server + - l1_workstation + automated: no # The rule below exists, but does not have any OVAL checks or remediations. +- rules: ++ related_rules: + - file_groupownership_home_directories + + # NEEDS RULE + +From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 10 Aug 2021 09:12:18 +0100 +Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream + Draft Benchmark 1.1.0 + +--- + controls/cis_rhel8.yml | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index a624d06cb56..bff2200ce12 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1782,11 +1782,11 @@ controls: + - var_sshd_set_maxstartups=10:30:60 + + # The title of this control does not appear to match the suggested audit and +- # remediation in the CIS Benchmark version 1.0.1 - this profile uses the +- # value from the audit and remediation sections of the benchmark rather than +- # from the title. ++ # remediation in the CIS Benchmark version 1.0.1 ++ # ++ # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0 ++ # which confirms that '4' is the intended value for this control. 
+ # +- # An upstream ticket has been opened about this issue: + # https://workbench.cisecurity.org/community/14/tickets/13414 + - id: 5.2.19 + title: Ensure SSH MaxSessions is set to 4 or less (Automated) +@@ -1796,7 +1796,7 @@ controls: + automated: yes + rules: + - sshd_set_max_sessions +- - var_sshd_max_sessions=10 ++ - var_sshd_max_sessions=4 + + - id: 5.2.20 + title: Ensure system-wide crypto policy is not over-ridden (Automated) + +From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Wed, 11 Aug 2021 10:37:23 +0100 +Subject: [PATCH 52/55] Control to disable IPv6 should not be automated + +--- + controls/cis_rhel8.yml | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index bff2200ce12..29d972427cf 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -1177,9 +1177,7 @@ controls: + levels: + - l2_server + - l2_workstation +- automated: yes +- rules: +- - kernel_module_ipv6_option_disabled ++ automated: no + + - id: 4.1.1.1 + title: Ensure auditd is installed (Automated) + +From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 17 Aug 2021 13:09:48 +0100 +Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8 + +--- + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + + .../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 + + .../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 + + .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 4 ---- + 5 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +index 24a0feaf0aa..748d9d9d188 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml ++++ 
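Review bot: Lowering `var_sshd_max_sessions` from 10 to 4 at `@@ -1796` is a behavioural tightening that the comment justifies only by citing a draft benchmark, and nothing tells the reader what it does to clients. MaxSessions caps the shell, login and subsystem sessions permitted per network connection, so hosts driven through SSH connection multiplexing (ControlMaster/ControlPersist, Ansible, parallel scp/sftp over one connection) may start seeing channel-open refusals once this profile is applied, which is worth stating where the value is chosen. I would extend the comment block above the control with `# Note: MaxSessions is a per-connection limit; clients that multiplex channels (ControlMaster, Ansible) may need to lower their parallelism after this is applied.` The control's `levels:` block lies between the two hunks and is not shown here.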
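Review bot: The hunk at `@@ -1177` removes `kernel_module_ipv6_option_disabled` from the control outright and gives no reason for `automated: no`, unlike the other not-automated controls in this series, which keep their rule under `related_rules:` and explain the downgrade in a trailing comment. Dropping the rule name also drops the traceability from the control to the content that implements it, and a reader cannot tell whether the rule is wrong, too disruptive to apply unattended, or simply unreviewed; the commit subject does not say. If the reason is that disabling IPv6 is environment-specific, I would write `automated: no # Disabling IPv6 is environment specific and can cut off IPv6-only management access, so it is left to the administrator.` followed by `related_rules:` and `  - kernel_module_ipv6_option_disabled`. The control's `id:` and `title:` lines sit above the hunk.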
b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +@@ -21,6 +21,7 @@ severity: unknown + + identifiers: + cce@rhel7: CCE-80199-3 ++ cce@rhel8: CCE-85914-0 + + references: + cis-csc: 11,3,9 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +index 288b6706b03..f44e85a059a 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +@@ -25,6 +25,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83430-9 ++ cce@rhel8: CCE-85915-7 + + references: + cis-csc: 12,13,14,15,16,18,3,5 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +index edcda693591..a9468d00ddc 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83429-1 ++ cce@rhel8: CCE-85913-2 + + references: + cis-csc: 12,13,14,15,16,18,3,5 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +index 6e636a7caf7..bc4fdcc7e04 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +@@ -21,6 +21,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83431-7 ++ cce@rhel8: CCE-85912-4 + + references: + cis-csc: 12,13,14,15,16,18,3,5 + +From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 17 Aug 2021 13:15:15 
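Review bot: The diffstat for this patch lists `shared/references/cce-redhat-avail.txt | 4 ----` and `4 deletions(-)`, but no hunk for that file appears between the `file_permissions_efi_grub2_cfg` hunk and the next patch header, so the four identifiers assigned here (CCE-85912-4, CCE-85913-2, CCE-85914-0, CCE-85915-7) are not retired from the available pool in this copy of the patch. Whether the hunk was dropped on purpose when the patch was prepared for the package or lost in transit, the effect is the same: a later rule can be handed one of these CCEs, which is exactly the duplication the pool file exists to prevent. Either restore the `cce-redhat-avail.txt` hunk or correct the diffstat and note the omission in the patch description.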
+0100 +Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules + +--- + .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 + + .../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 + + .../root_logins/use_pam_wheel_for_su/rule.yml | 1 + + .../root_paths/accounts_root_path_dirs_no_write/rule.yml | 1 + + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + + .../user_umask/accounts_umask_etc_login_defs/rule.yml | 1 + + 6 files changed, 6 insertions(+) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +index 2ffb01a3983..ee54a53dfd4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +@@ -27,6 +27,7 @@ identifiers: + + references: + cis@rhel7: 5.3.5 ++ cis@rhel8: 5.2.5 + disa: CCI-000067 + nerc-cip: CIP-007-3 R7.1 + nist: AC-17(a),AC-17(1),CM-6(a) +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +index c548b1e3ea2..935766db26d 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml +@@ -41,6 +41,7 @@ identifiers: + + references: + cis@rhel7: 2.2.2 ++ cis@rhel8: 2.2.2 + disa: CCI-000366 + nist: CM-6(b) + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +index 984a8cf333e..616a0aa0052 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +@@ -24,6 +24,7 @@ identifiers: + + references: + cis@rhel7: "5.7" ++ cis@rhel8: 5.7 + cis@sle15: '5.6' + cis@ubuntu2004: '5.6' + ospp: FMT_SMF_EXT.1.1 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml +index 81c30174c71..057701075e5 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml +@@ -23,6 +23,7 @@ identifiers: + references: + cis-csc: 11,3,9 + cis@rhel7: 6.2.10 ++ cis@rhel8: 6.2.3 + cis@sle15: 6.2.4 + cis@ubuntu2004: 6.2.3 + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +index 748d9d9d188..c94de8fa3e6 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +@@ -26,6 +26,7 @@ identifiers: + references: + cis-csc: 11,3,9 + cis@rhel7: 6.2.10 ++ cis@rhel8: 6.2.3 + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 + disa: CCI-000366 + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3 +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +index 46e81737199..51f8e51fa6a 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +@@ 
-25,6 +25,7 @@ references: + anssi: BP28(R35) + cis-csc: 11,18,3,9 + cis@rhel7: 5.5.5 ++ cis@rhel8: 5.5.5 + cis@ubuntu2004: 5.4.4 + cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05 + disa: CCI-000366 + +From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001 +From: Alex Haydock +Date: Tue, 17 Aug 2021 13:25:45 +0100 +Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an + integer + +--- + .../root_logins/use_pam_wheel_for_su/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +index 616a0aa0052..08677cbb7dc 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml +@@ -24,7 +24,7 @@ identifiers: + + references: + cis@rhel7: "5.7" +- cis@rhel8: 5.7 ++ cis@rhel8: "5.7" + cis@sle15: '5.6' + cis@ubuntu2004: '5.6' + ospp: FMT_SMF_EXT.1.1 diff --git a/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch b/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch new file mode 100644 index 0000000..7734df6 --- /dev/null +++ b/scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch 
@@ -0,0 +1,160 @@ +From ac416fb6b73135b6fdeae850740ca4e10ad9fa1e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 18 Aug 2021 15:16:59 +0200 +Subject: [PATCH] Fix RHEL7 documentation links. + +--- + linux_os/guide/services/ldap/openldap_client/group.yml | 2 +- + linux_os/guide/services/ldap/openldap_server/group.yml | 2 +- + .../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 2 +- + .../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 2 +- + linux_os/guide/services/ntp/group.yml | 2 +- + .../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 2 +- + linux_os/guide/services/sssd/group.yml | 2 +- + .../screen_locking/smart_card_login/smartcard_auth/rule.yml | 4 +--- + linux_os/guide/system/auditing/group.yml | 2 +- + .../software/disk_partitioning/encrypt_partitions/rule.yml | 2 +- + .../guide/system/software/gnome/gnome_login_screen/group.yml | 2 +- + 11 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/linux_os/guide/services/ldap/openldap_client/group.yml b/linux_os/guide/services/ldap/openldap_client/group.yml +index bf17a053cd5..a64f105395f 100644 +--- a/linux_os/guide/services/ldap/openldap_client/group.yml ++++ b/linux_os/guide/services/ldap/openldap_client/group.yml +@@ -13,7 +13,7 @@ description: |- + files, which is useful when trying to use SSL cleanly across several protocols. + Installation and configuration of OpenLDAP on {{{ full_name }}} is available at + {{% if product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}. ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}. + {{% elif product == "ol7" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s9-auth") }}}. 
+ {{% endif %}}
+diff --git a/linux_os/guide/services/ldap/openldap_server/group.yml b/linux_os/guide/services/ldap/openldap_server/group.yml
+index c180820e9fc..d571867a7f8 100644
+--- a/linux_os/guide/services/ldap/openldap_server/group.yml
++++ b/linux_os/guide/services/ldap/openldap_server/group.yml
+@@ -7,5 +7,5 @@ description: |-
+ for an OpenLDAP server.
+ {{% if product == "rhel7" %}}
+ Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at:
+- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/openldap.html") }}}.
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/openldap") }}}.
+ {{% endif %}}
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
+index 8f939356ab1..7dc188589ee 100644
+--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml
+@@ -14,7 +14,7 @@ description: |-
+ {{% elif product == "ol8" %}}
+ {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
+ {{% else %}}
+- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
+ {{% endif %}}
+ for more detailed comparison of the features of both of the choices, and for
+ further guidance how to choose between the two NTP daemons.
+diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
+index 503aecc0de2..27df8595efa 100644
+--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml
+@@ -14,7 +14,7 @@ description: |-
+ {{% elif product == "ol8" %}}
+ {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}}
+ {{% else %}}
+- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}}
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}}
+ {{% endif %}}
+ for more detailed comparison of the features of both of the choices, and for
+ further guidance how to choose between the two NTP daemons.
+diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml +index 181b10dfd65..b944ee03116 100644 +--- a/linux_os/guide/services/ntp/group.yml ++++ b/linux_os/guide/services/ntp/group.yml +@@ -54,7 +54,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% elif product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% elif "ubuntu" in product %}} + {{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}} + {{% elif "debian" in product %}} +diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +index 065cf301b95..00739816f5e 100644 +--- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml ++++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +@@ -17,7 +17,7 @@ description: |- + {{% elif product == "ol8" %}} + {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/ol-nettime.html") }}} + {{% else %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% endif %}} + for guidance which NTP daemon to choose depending on the environment used. 
+ +diff --git a/linux_os/guide/services/sssd/group.yml b/linux_os/guide/services/sssd/group.yml +index 5b0caf7d64b..3f4eced7ca7 100644 +--- a/linux_os/guide/services/sssd/group.yml ++++ b/linux_os/guide/services/sssd/group.yml +@@ -11,7 +11,7 @@ description: |- +

+ For more information, see + {{%- if product == "rhel7" -%}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/SSSD.html") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/sssd") }}} + {{%- elif product == "rhel8" -%}} + {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#sssd-deployment-operations_install-client-basic") }}} + {{%- elif product == "ol7" -%}} +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +index fc7f149bf40..62a343cf396 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml +@@ -8,9 +8,7 @@ description: |- + To enable smart card authentication, consult the documentation at: +
    + {{% if product == "rhel7" %}} +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}
  • +- {{% elif product == "rhel8" %}} +-
  • {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards") }}}
  • ++
  • {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards.html#authconfig-smartcards") }}}
  • + {{% elif product == "ol7" %}} +
  • {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/userauth/ol7-auth.html#ol7-s4-auth") }}}
  • + {{% endif %}} +diff --git a/linux_os/guide/system/auditing/group.yml b/linux_os/guide/system/auditing/group.yml +index 82f87e81c47..5fce88db032 100644 +--- a/linux_os/guide/system/auditing/group.yml ++++ b/linux_os/guide/system/auditing/group.yml +@@ -38,7 +38,7 @@ description: |- + Examining some example audit records demonstrates how the Linux audit system + satisfies common requirements. + The following example from Fedora Documentation available at +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}} ++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages") }}} + shows the substantial amount of information captured in a + two typical "raw" audit messages, followed by a breakdown of the most important + fields. In this example the message is SELinux-related and reports an AVC +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index add0a41fa94..cd07fb4c0ca 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -38,7 +38,7 @@ description: |- + {{% elif product in ["sle12", "sle15"] %}} + {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} + {{% elif product == "rhel7" %}} +- {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}. 
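Review bot: The `@@ -8,9 +8,7` hunk deletes the `{{% elif product == "rhel8" %}}` branch together with its link instead of giving it a RHEL 8 target, so unless a rhel8 case exists outside the hunk, the rendered description for rhel8 now reads "consult the documentation at:" followed by nothing, which is worse than the old wrong-version link it replaces. If no RHEL 8 smart-card document was at hand, I would at least keep the branch and point it at the RHEL 8 guide being used elsewhere in this commit, or fall back to a generic line such as `{{% elif product == "rhel8" %}}` / `<li>See the Red Hat Enterprise Linux 8 authentication documentation.</li>`. The rewritten rhel7 link also keeps the `.html#authconfig-smartcards` form while every other link in this commit drops `.html`, so it is worth confirming that URL still resolves.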
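Review bot: The context line in the `@@ -38,7 +38,7` hunk still introduces the example as coming "from Fedora Documentation" while the rewritten link points at the RHEL 7 SELinux User's and Administrator's Guide, and the commit touches the link without fixing the attribution. Since the exact source was being looked up anyway, I would change the preceding line to `The following example from the Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide, available at` so the text and the URL agree.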
++ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption") }}}.
+ {{% else %}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}.
+ {{% endif %}}
+diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
+index 8e8b32f1d79..299b96c0592 100644
+--- a/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/group.yml
+@@ -14,5 +14,5 @@ description: |-
+ the man page dconf(1).
+ {{% else %}}
+ For more information about enforcing preferences in the GNOME3 environment using the DConf
+- configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html") }}}/> and the man page dconf(1).
++ configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}}/> and the man page dconf(1).
+ {{% endif %}}
diff --git a/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch b/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
new file mode 100644
index 0000000..164c3c6
--- /dev/null
+++ b/scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch
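Review bot: Both sides of the changed line in the `@@ -14,5` hunk carry a stray `/>` immediately after the closing `}}}` (`}}}/> and the man page dconf(1).`), which looks like a leftover from an earlier self-closing markup form and is emitted literally into the rendered guide text; the commit rewrites the URL on that line but keeps the artifact. I would drop it while touching the line: `configuration system, see {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide") }}} and the man page dconf(1).`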
@@ -0,0 +1,1834 @@ +From e3844b648a537ae2d28aeb66b30522363e26c8c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 19 Aug 2021 15:58:08 +0200 +Subject: [PATCH 1/4] Base the RHEL9 CIS preview on RHEL8 + +Harness the policy files to get a RHEL9 projection of the RHEL8 CIS. +--- + products/rhel9/profiles/cis.profile | 1079 +---------------- + products/rhel9/profiles/cis_server_l1.profile | 19 + + .../rhel9/profiles/cis_workstation_l1.profile | 19 + + .../rhel9/profiles/cis_workstation_l2.profile | 19 + + 4 files changed, 63 insertions(+), 1073 deletions(-) + create mode 100644 products/rhel9/profiles/cis_server_l1.profile + create mode 100644 products/rhel9/profiles/cis_workstation_l1.profile + create mode 100644 products/rhel9/profiles/cis_workstation_l2.profile + +diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile +index 8d7816e5e2..4240f743df 100644 +--- a/products/rhel9/profiles/cis.profile ++++ b/products/rhel9/profiles/cis.profile +@@ -1,1086 +1,19 @@ + documentation_complete: true + + metadata: +- version: 0.0.0 ++ version: 1.0.1 + SMEs: + - vojtapolasek + - yuumasato + + reference: https://www.cisecurity.org/benchmark/red_hat_linux/ + +-title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark' ++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server' + + description: |- +- This is a draft CIS profile based on the RHEL8 CIS ++ This is a draft profile based on its RHEL8 version for experimental purposes. ++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of ++ the release. 
+ + selections: +- # Necessary for dconf rules +- - dconf_db_up_to_date +- +- ### Partitioning +- - mount_option_home_nodev +- +- ## 1.1 Filesystem Configuration +- +- ### 1.1.1 Disable unused filesystems +- +- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) +- - kernel_module_cramfs_disabled +- +- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) +- +- +- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) +- - kernel_module_squashfs_disabled +- +- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) +- - kernel_module_udf_disabled +- +- ### 1.1.2 Ensure /tmp is configured (Scored) +- - partition_for_tmp +- +- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) +- - mount_option_tmp_nodev +- +- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) +- - mount_option_tmp_nosuid +- +- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) +- - mount_option_tmp_noexec +- +- ### 1.1.6 Ensure separate partition exists for /var (Scored) +- - partition_for_var +- +- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) +- - partition_for_var_tmp +- +- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) +- - mount_option_var_tmp_nodev +- +- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) +- - mount_option_var_tmp_nosuid +- +- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) +- - mount_option_var_tmp_noexec +- +- ### 1.1.11 Ensure separate partition exists for /var/log (Scored) +- - partition_for_var_log +- +- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) +- - partition_for_var_log_audit +- +- ### 1.1.13 Ensure separate partition exists for /home (Scored) +- - partition_for_home +- +- ### 1.1.14 Ensure nodev option set on /home partition (Scored) +- - mount_option_home_nodev +- +- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) +- - mount_option_dev_shm_nodev +- +- 
### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) +- - mount_option_dev_shm_nosuid +- +- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) +- - mount_option_dev_shm_noexec +- +- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) +- - mount_option_nodev_removable_partitions +- +- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) +- - mount_option_nosuid_removable_partitions +- +- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) +- - mount_option_noexec_removable_partitions +- +- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) +- - dir_perms_world_writable_sticky_bits +- +- ### 1.1.22 Disable Automounting (Scored) +- - service_autofs_disabled +- +- ### 1.1.23 Disable USB Storage (Scored) +- - kernel_module_usb-storage_disabled +- +- ## 1.2 Configure Software Updates +- +- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218 +- +- ### 1.2.2 Disable the rhnsd Daemon (Not Scored) +- - service_rhnsd_disabled +- +- ### 1.2.3 Ensure GPG keys are configured (Not Scored) +- - ensure_redhat_gpgkey_installed +- +- ### 1.2.4 Ensure gpgcheck is globally activated (Scored) +- - ensure_gpgcheck_globally_activated +- +- ### 1.2.5 Ensure package manager repositories are configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219 +- +- ## 1.3 Configure sudo +- +- ### 1.3.1 Ensure sudo is installed (Scored) +- - package_sudo_installed +- +- ### 1.3.2 Ensure sudo commands use pty (Scored) +- - sudo_add_use_pty +- +- ### 1.3.3 Ensure sudo log file exists (Scored) +- - sudo_custom_logfile +- +- ## 1.4 Filesystem Integrity Checking +- +- ### 1.4.1 Ensure AIDE is installed (Scored) +- - package_aide_installed +- +- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) +- - 
aide_periodic_cron_checking +- +- ## Secure Boot Settings +- +- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) +- #### chown root:root /boot/grub2/grub.cfg +- - file_owner_grub2_cfg +- - file_groupowner_grub2_cfg +- +- #### chmod og-rwx /boot/grub2/grub.cfg +- - file_permissions_grub2_cfg +- +- #### chown root:root /boot/grub2/grubenv +- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 +- +- #### chmod og-rwx /boot/grub2/grubenv +- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 +- +- ### 1.5.2 Ensure bootloader password is set (Scored) +- - grub2_password +- +- ### 1.5.3 Ensure authentication required for single user mode (Scored) +- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue +- - require_singleuser_auth +- +- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency +- - require_emergency_target_auth +- +- ## 1.6 Additional Process Hardening +- +- ### 1.6.1 Ensure core dumps are restricted (Scored) +- #### * hard core 0 +- - disable_users_coredumps +- +- #### fs.suid_dumpable = 0 +- - sysctl_fs_suid_dumpable +- +- #### ProcessSizeMax=0 +- - coredump_disable_backtraces +- +- #### Storage=none +- - coredump_disable_storage +- +- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled +- - sysctl_kernel_randomize_va_space +- +- ## 1.7 Mandatory Access Control +- +- ### 1.7.1 Configure SELinux +- +- #### 1.7.1.1 Ensure SELinux is installed (Scored) +- - package_libselinux_installed +- +- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored) +- - grub2_enable_selinux +- +- #### 1.7.1.3 Ensure SELinux policy is configured (Scored) +- - var_selinux_policy_name=targeted +- - selinux_policytype +- +- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) +- - var_selinux_state=enforcing +- - selinux_state +- +- #### 1.7.1.5 Ensure no unconfied services exist (Scored) +- - selinux_confinement_of_daemons +- +- #### 1.7.1.6 Ensure 
SETroubleshoot is not installed (Scored) +- - package_setroubleshoot_removed +- +- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) +- - package_mcstrans_removed +- +- ## Warning Banners +- +- ### 1.8.1 Command Line Warning Baners +- +- #### 1.8.1.1 Ensure message of the day is configured properly (Scored) +- - banner_etc_motd +- +- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) +- - banner_etc_issue +- +- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 +- +- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) +- # chmod u-x,go-wx /etc/motd +- - file_permissions_etc_motd +- +- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) +- # chmod u-x,go-wx /etc/issue +- - file_permissions_etc_issue +- +- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) +- # Previously addressed via 'rpm_verify_permissions' rule +- +- ### 1.8.2 Ensure GDM login banner is configured (Scored) +- #### banner-message-enable=true +- - dconf_gnome_banner_enabled +- +- #### banner-message-text='' +- - dconf_gnome_login_banner_text +- +- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored) +- - security_patches_up_to_date +- +- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored) +- - var_system_crypto_policy=future +- - configure_crypto_policy +- +- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored) +- # Previously addressed via 'configure_crypto_policy' rule +- +- # Services +- +- ## 2.1 inetd Services +- +- ### 2.1.1 Ensure xinetd is not installed (Scored) +- - package_xinetd_removed +- +- ## 2.2 Special Purpose Services +- +- ### 2.2.1 Time Synchronization +- +- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) +- - package_chrony_installed +- +- #### 2.2.1.2 Ensure chrony is configured 
(Scored) +- - service_chronyd_enabled +- - chronyd_specify_remote_server +- - chronyd_run_as_chrony_user +- +- ### 2.2.2 Ensure X Window System is not installed (Scored) +- - package_xorg-x11-server-common_removed +- - xwindows_runlevel_target +- +- ### 2.2.3 Ensure rsync service is not enabled (Scored) +- - service_rsyncd_disabled +- +- ### 2.2.4 Ensure Avahi Server is not enabled (Scored) +- - service_avahi-daemon_disabled +- +- ### 2.2.5 Ensure SNMP Server is not enabled (Scored) +- - service_snmpd_disabled +- +- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored) +- - package_squid_removed +- +- ### 2.2.7 Ensure Samba is not enabled (Scored) +- - service_smb_disabled +- +- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) +- - service_dovecot_disabled +- +- ### 2.2.9 Ensure HTTP server is not enabled (Scored) +- - service_httpd_disabled +- +- ### 2.2.10 Ensure FTP Server is not enabled (Scored) +- - service_vsftpd_disabled +- +- ### 2.2.11 Ensure DNS Server is not enabled (Scored) +- - service_named_disabled +- +- ### 2.2.12 Ensure NFS is not enabled (Scored) +- - service_nfs_disabled +- +- ### 2.2.13 Ensure RPC is not enabled (Scored) +- - service_rpcbind_disabled +- +- ### 2.2.14 Ensure LDAP service is not enabled (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231 +- +- ### 2.2.15 Ensure DHCP Server is not enabled (Scored) +- - service_dhcpd_disabled +- +- ### 2.2.16 Ensure CUPS is not enabled (Scored) +- - service_cups_disabled +- +- ### 2.2.17 Ensure NIS Server is not enabled (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232 +- +- ### 2.2.18 Ensure mail transfer agent is configured for +- ### local-only mode (Scored) +- - postfix_network_listening_disabled +- +- ## 2.3 Service Clients +- +- ### 2.3.1 Ensure NIS Client is not installed (Scored) +- - package_ypbind_removed +- +- ### 2.3.2 Ensure telnet client is not installed (Scored) +- - package_telnet_removed +- +- ### 
Ensure LDAP client is not installed +- - package_openldap-clients_removed +- +- # 3 Network Configuration +- +- ## 3.1 Network Parameters (Host Only) +- +- ### 3.1.1 Ensure IP forwarding is disabled (Scored) +- #### net.ipv4.ip_forward = 0 +- - sysctl_net_ipv4_ip_forward +- +- #### net.ipv6.conf.all.forwarding = 0 +- - sysctl_net_ipv6_conf_all_forwarding +- +- ### 3.1.2 Ensure packet redirect sending is disabled (Scored) +- #### net.ipv4.conf.all.send_redirects = 0 +- - sysctl_net_ipv4_conf_all_send_redirects +- +- #### net.ipv4.conf.default.send_redirects = 0 +- - sysctl_net_ipv4_conf_default_send_redirects +- +- ## 3.2 Network Parameters (Host and Router) +- +- ### 3.2.1 Ensure source routed packets are not accepted (Scored) +- #### net.ipv4.conf.all.accept_source_route = 0 +- - sysctl_net_ipv4_conf_all_accept_source_route +- +- #### net.ipv4.conf.default.accept_source_route = 0 +- - sysctl_net_ipv4_conf_default_accept_source_route +- +- #### net.ipv6.conf.all.accept_source_route = 0 +- - sysctl_net_ipv6_conf_all_accept_source_route +- +- #### net.ipv6.conf.default.accept_source_route = 0 +- - sysctl_net_ipv6_conf_default_accept_source_route +- +- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) +- #### net.ipv4.conf.all.accept_redirects = 0 +- - sysctl_net_ipv4_conf_all_accept_redirects +- +- #### net.ipv4.conf.default.accept_redirects +- - sysctl_net_ipv4_conf_default_accept_redirects +- +- #### net.ipv6.conf.all.accept_redirects = 0 +- - sysctl_net_ipv6_conf_all_accept_redirects +- +- #### net.ipv6.conf.defaults.accept_redirects = 0 +- - sysctl_net_ipv6_conf_default_accept_redirects +- +- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) +- #### net.ipv4.conf.all.secure_redirects = 0 +- - sysctl_net_ipv4_conf_all_secure_redirects +- +- #### net.ipv4.cof.default.secure_redirects = 0 +- - sysctl_net_ipv4_conf_default_secure_redirects +- +- ### 3.2.4 Ensure suspicious packets are logged (Scored) +- #### net.ipv4.conf.all.log_martians = 1 
+- - sysctl_net_ipv4_conf_all_log_martians +- +- #### net.ipv4.conf.default.log_martians = 1 +- - sysctl_net_ipv4_conf_default_log_martians +- +- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) +- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- +- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) +- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses +- +- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) +- #### net.ipv4.conf.all.rp_filter = 1 +- - sysctl_net_ipv4_conf_all_rp_filter +- +- #### net.ipv4.conf.default.rp_filter = 1 +- - sysctl_net_ipv4_conf_default_rp_filter +- +- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) +- - sysctl_net_ipv4_tcp_syncookies +- +- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) +- #### net.ipv6.conf.all.accept_ra = 0 +- - sysctl_net_ipv6_conf_all_accept_ra +- +- #### net.ipv6.conf.default.accept_ra = 0 +- - sysctl_net_ipv6_conf_default_accept_ra +- +- ## 3.3 Uncommon Network Protocols +- +- ### 3.3.1 Ensure DCCP is disabled (Scored) +- - kernel_module_dccp_disabled +- +- ### Ensure SCTP is disabled (Scored) +- - kernel_module_sctp_disabled +- +- ### 3.3.3 Ensure RDS is disabled (Scored) +- - kernel_module_rds_disabled +- +- ### 3.3.4 Ensure TIPC is disabled (Scored) +- - kernel_module_tipc_disabled +- +- ## 3.4 Firewall Configuration +- +- ### 3.4.1 Ensure Firewall software is installed +- +- #### 3.4.1.1 Ensure a Firewall package is installed (Scored) +- ##### firewalld +- - package_firewalld_installed +- +- ##### nftables +- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237 +- +- ##### iptables +- #- package_iptables_installed +- +- ### 3.4.2 Configure firewalld +- +- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored) +- - service_firewalld_enabled +- +- #### 3.4.2.2 Ensure iptables is not enabled (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238 +- +- #### 3.4.2.3 Ensure nftables is not enabled 
(Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239 +- +- #### 3.4.2.4 Ensure default zone is set (Scored) +- - set_firewalld_default_zone +- +- #### 3.4.2.5 Ensure network interfaces are assigned to +- #### appropriate zone (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240 +- +- #### 3.4.2.6 Ensure unnecessary services and ports are not +- #### accepted (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241 +- +- ### 3.4.3 Configure nftables +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242 +- +- #### 3.4.3.1 Ensure iptables are flushed (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243 +- +- #### 3.4.3.2 Ensure a table exists (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244 +- +- #### 3.4.3.3 Ensure base chains exist (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245 +- +- #### 3.4.3.4 Ensure loopback traffic is configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246 +- +- #### 3.4.3.5 Ensure outbound and established connections are +- #### configured (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247 +- +- #### 3.4.3.6 Ensure default deny firewall policy (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248 +- +- #### 3.4.3.7 Ensure nftables service is enabled (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249 +- +- #### 3.4.3.8 Ensure nftables rules are permanent (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250 +- +- ### 3.4.4 Configure iptables +- +- #### 3.4.4.1 Configure IPv4 iptables +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251 +- +- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored) +- # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5252 +- +- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253 +- +- ##### 3.4.4.1.3 Ensure outbound and established connections are +- ##### configured (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254 +- +- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255 +- +- #### 3.4.4.2 Configure IPv6 ip6tables +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256 +- +- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257 +- +- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258 +- +- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are +- ##### configured (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260 +- +- ## 3.5 Ensure wireless interfaces are disabled (Scored) +- - wireless_disable_interfaces +- +- ## 3.6 Disable IPv6 (Not Scored) +- - kernel_module_ipv6_option_disabled +- +- # Logging and Auditing +- +- ## 4.1 Configure System Accounting (auditd) +- +- ### 4.1.1 Ensure auditing is enabled +- +- #### 4.1.1.1 Ensure auditd is installed (Scored) +- - package_audit_installed +- +- #### 4.1.1.2 Ensure auditd service is enabled (Scored) +- - service_auditd_enabled +- +- #### 4.1.1.3 Ensure auditing for processes that start prior to audit +- #### is enabled (Scored) +- - grub2_audit_argument +- +- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored) +- - grub2_audit_backlog_limit_argument +- +- ### 4.1.2 Configure Data Retention +- +- #### 4.1.2.1 Ensure audit log storage size is configured (Scored) +- - auditd_data_retention_max_log_file +- +- #### 
4.1.2.2 Ensure audit logs are not automatically deleted (Scored) +- - auditd_data_retention_max_log_file_action +- +- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) +- - var_auditd_space_left_action=email +- - auditd_data_retention_space_left_action +- +- ##### action_mail_acct = root +- - var_auditd_action_mail_acct=root +- - auditd_data_retention_action_mail_acct +- +- ##### admin_space_left_action = halt +- - var_auditd_admin_space_left_action=halt +- - auditd_data_retention_admin_space_left_action +- +- ### 4.1.3 Ensure changes to system administration scope +- ### (sudoers) is collected (Scored) +- - audit_rules_sysadmin_actions +- +- ### 4.1.4 Ensure login and logout events are collected (Scored) +- - audit_rules_login_events_faillock +- - audit_rules_login_events_lastlog +- +- ### 4.1.5 Ensure session initiation information is collected (Scored) +- - audit_rules_session_events +- +- ### 4.1.6 Ensure events that modify date and time information +- ### are collected (Scored) +- #### adjtimex +- - audit_rules_time_adjtimex +- +- #### settimeofday +- - audit_rules_time_settimeofday +- +- #### stime +- - audit_rules_time_stime +- +- #### clock_settime +- - audit_rules_time_clock_settime +- +- #### -w /etc/localtime -p wa +- - audit_rules_time_watch_localtime +- +- ### 4.1.7 Ensure events that modify the system's Mandatory +- ### Access Control are collected (Scored) +- #### -w /etc/selinux/ -p wa +- - audit_rules_mac_modification +- +- #### -w /usr/share/selinux/ -p wa +- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 +- +- ### 4.1.8 Ensure events that modify the system's network +- ### enironment are collected (Scored) +- - audit_rules_networkconfig_modification +- +- ### 4.1.9 Ensure discretionary access control permission modification +- ### events are collected (Scored) +- - audit_rules_dac_modification_chmod +- - audit_rules_dac_modification_fchmod +- - audit_rules_dac_modification_fchmodat +- - 
audit_rules_dac_modification_chown +- - audit_rules_dac_modification_fchown +- - audit_rules_dac_modification_fchownat +- - audit_rules_dac_modification_lchown +- - audit_rules_dac_modification_setxattr +- - audit_rules_dac_modification_lsetxattr +- - audit_rules_dac_modification_fsetxattr +- - audit_rules_dac_modification_removexattr +- - audit_rules_dac_modification_lremovexattr +- - audit_rules_dac_modification_fremovexattr +- +- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are +- ### collected (Scored) +- - audit_rules_unsuccessful_file_modification_creat +- - audit_rules_unsuccessful_file_modification_open +- - audit_rules_unsuccessful_file_modification_openat +- - audit_rules_unsuccessful_file_modification_truncate +- - audit_rules_unsuccessful_file_modification_ftruncate +- # Opinionated selection +- - audit_rules_unsuccessful_file_modification_open_by_handle_at +- +- ### 4.1.11 Ensure events that modify user/group information are +- ### collected (Scored) +- - audit_rules_usergroup_modification_passwd +- - audit_rules_usergroup_modification_group +- - audit_rules_usergroup_modification_gshadow +- - audit_rules_usergroup_modification_shadow +- - audit_rules_usergroup_modification_opasswd +- +- ### 4.1.12 Ensure successful file system mounts are collected (Scored) +- - audit_rules_media_export +- +- ### 4.1.13 Ensure use of privileged commands is collected (Scored) +- - audit_rules_privileged_commands +- +- ### 4.1.14 Ensure file deletion events by users are collected +- ### (Scored) +- - audit_rules_file_deletion_events_unlink +- - audit_rules_file_deletion_events_unlinkat +- - audit_rules_file_deletion_events_rename +- - audit_rules_file_deletion_events_renameat +- # Opinionated selection +- - audit_rules_file_deletion_events_rmdir +- +- ### 4.1.15 Ensure kernel module loading and unloading is collected +- ### (Scored) +- - audit_rules_kernel_module_loading +- +- ### 4.1.16 Ensure system administrator actions (sudolog) are +- ### 
collected (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516 +- +- ### 4.1.17 Ensure the audit configuration is immutable (Scored) +- - audit_rules_immutable +- +- ## 4.2 Configure Logging +- +- ### 4.2.1 Configure rsyslog +- +- #### 4.2.1.1 Ensure rsyslog is installed (Scored) +- - package_rsyslog_installed +- +- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored) +- - service_rsyslog_enabled +- +- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) +- - rsyslog_files_permissions +- +- #### 4.2.1.4 Ensure logging is configured (Not Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519 +- +- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote +- #### log host (Scored) +- - rsyslog_remote_loghost +- +- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on +- #### designated log hosts (Not Scored) +- - rsyslog_nolisten +- +- ### 4.2.2 Configure journald +- +- #### 4.2.2.1 Ensure journald is configured to send logs to +- #### rsyslog (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520 +- +- #### 4.2.2.2 Ensure journald is configured to compress large +- #### log files (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521 +- +- +- #### 4.2.2.3 Ensure journald is configured to write logfiles to +- #### persistent disk (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522 +- +- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523 +- +- ## 4.3 Ensure logrotate is configured (Not Scored) +- +- # 5 Access, Authentication and Authorization +- +- ## 5.1 Configure cron +- +- ### 5.1.1 Ensure cron daemon is enabled (Scored) +- - service_crond_enabled +- +- +- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) +- # chown root:root /etc/crontab +- - file_owner_crontab +- - 
file_groupowner_crontab +- # chmod og-rwx /etc/crontab +- - file_permissions_crontab +- +- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored) +- # chown root:root /etc/cron.hourly +- - file_owner_cron_hourly +- - file_groupowner_cron_hourly +- # chmod og-rwx /etc/cron.hourly +- - file_permissions_cron_hourly +- +- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) +- # chown root:root /etc/cron.daily +- - file_owner_cron_daily +- - file_groupowner_cron_daily +- # chmod og-rwx /etc/cron.daily +- - file_permissions_cron_daily +- +- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) +- # chown root:root /etc/cron.weekly +- - file_owner_cron_weekly +- - file_groupowner_cron_weekly +- # chmod og-rwx /etc/cron.weekly +- - file_permissions_cron_weekly +- +- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) +- # chown root:root /etc/cron.monthly +- - file_owner_cron_monthly +- - file_groupowner_cron_monthly +- # chmod og-rwx /etc/cron.monthly +- - file_permissions_cron_monthly +- +- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) +- # chown root:root /etc/cron.d +- - file_owner_cron_d +- - file_groupowner_cron_d +- # chmod og-rwx /etc/cron.d +- - file_permissions_cron_d +- +- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) +- +- +- ## 5.2 SSH Server Configuration +- +- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) +- # chown root:root /etc/ssh/sshd_config +- - file_owner_sshd_config +- - file_groupowner_sshd_config +- +- # chmod og-rwx /etc/ssh/sshd_config +- - file_permissions_sshd_config +- +- ### 5.2.2 Ensure SSH access is limited (Scored) +- +- +- ### 5.2.3 Ensure permissions on SSH private host key files are +- ### configured (Scored) +- # TO DO: The rule sets to 640, but benchmark wants 600 +- - file_permissions_sshd_private_key +- # TO DO: check owner of private keys in /etc/ssh is root:root +- +- ### 5.2.4 
Ensure permissions on SSH public host key files are configured +- ### (Scored) +- - file_permissions_sshd_pub_key +- # TO DO: check owner of pub keys in /etc/ssh is root:root +- +- # Ensure that the configuration is done the right way +- - sshd_use_directory_configuration +- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored) +- - sshd_set_loglevel_info +- +- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored) +- - sshd_disable_x11_forwarding +- +- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored) +- - sshd_max_auth_tries_value=4 +- - sshd_set_max_auth_tries +- +- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored) +- - sshd_disable_rhosts +- +- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored) +- - disable_host_auth +- +- ### 5.2.10 Ensure SSH root login is disabled (Scored) +- - sshd_disable_root_login +- +- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored) +- - sshd_disable_empty_passwords +- +- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored) +- - sshd_do_not_permit_user_env +- +- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored) +- # ClientAliveInterval 300 +- - sshd_idle_timeout_value=5_minutes +- - sshd_set_idle_timeout +- +- # ClientAliveCountMax 0 +- - var_sshd_set_keepalive=0 +- +- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute +- ### or less (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525 +- +- ### 5.2.15 Ensure SSH warning banner is configured (Scored) +- - sshd_enable_warning_banner +- +- ### 5.2.16 Ensure SSH PAM is enabled (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526 +- +- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored) +- - sshd_disable_tcp_forwarding +- +- ### 5.2.18 Ensure SSH MaxStarups is configured (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528 +- +- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored) +- - 
sshd_set_max_sessions +- - var_sshd_max_sessions=4 +- +- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored) +- - configure_ssh_crypto_policy +- +- ## 5.3 Configure authselect +- +- +- ### 5.3.1 Create custom authselectet profile (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530 +- +- ### 5.3.2 Select authselect profile (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531 +- +- ### 5.3.3 Ensure authselect includes with-faillock (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532 +- +- ## 5.4 Configure PAM +- +- ### 5.4.1 Ensure password creation requirements are configured (Scored) +- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533 +- - accounts_password_pam_retry +- - var_password_pam_minlen=14 +- - accounts_password_pam_minlen +- - var_password_pam_minclass=4 +- - accounts_password_pam_minclass +- +- ### 5.4.2 Ensure lockout for failed password attempts is +- ### configured (Scored) +- - var_accounts_passwords_pam_faillock_unlock_time=900 +- - var_accounts_passwords_pam_faillock_deny=5 +- - accounts_passwords_pam_faillock_unlock_time +- - accounts_passwords_pam_faillock_deny +- +- ### 5.4.3 Ensure password reuse is limited (Scored) +- - var_password_pam_unix_remember=5 +- - accounts_password_pam_unix_remember +- +- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) +- - set_password_hashing_algorithm_systemauth +- +- ## 5.5 User Accounts and Environment +- +- ### 5.5.1 Set Shadow Password Suite Parameters +- +- #### 5.5.1 Ensure password expiration is 365 days or less (Scored) +- - var_accounts_maximum_age_login_defs=365 +- - accounts_maximum_age_login_defs +- +- #### 5.5.1.2 Ensure minimum days between password changes is 7 +- #### or more (Scored) +- - var_accounts_minimum_age_login_defs=7 +- - accounts_minimum_age_login_defs +- +- #### 5.5.1.3 Ensure password expiration warning days is +- #### 7 
or more (Scored) +- - var_accounts_password_warn_age_login_defs=7 +- - accounts_password_warn_age_login_defs +- +- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) +- # TODO: Rule doesn't check list of users +- # https://github.com/ComplianceAsCode/content/issues/5536 +- - var_account_disable_post_pw_expiration=30 +- - account_disable_post_pw_expiration +- +- #### 5.5.1.5 Ensure all users last password change date is +- #### in the past (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537 +- +- ### 5.5.2 Ensure system accounts are secured (Scored) +- - no_shelllogin_for_systemaccounts +- +- ### 5.5.3 Ensure default user shell timeout is 900 seconds +- ### or less (Scored) +- - var_accounts_tmout=15_min +- - accounts_tmout +- +- ### 5.5.4 Ensure default group for the root account is +- ### GID 0 (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539 +- +- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored) +- - var_accounts_user_umask=027 +- - accounts_umask_etc_bashrc +- - accounts_umask_etc_profile +- +- ## 5.6 Ensure root login is restricted to system console (Not Scored) +- - securetty_root_login_console_only +- - no_direct_root_logins +- +- ## 5.7 Ensure access to the su command is restricted (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541 +- +- # System Maintenance +- +- ## 6.1 System File Permissions +- +- ### 6.1.1 Audit system file permissions (Not Scored) +- - rpm_verify_permissions +- - rpm_verify_ownership +- +- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) +- # chown root:root /etc/passwd +- - file_owner_etc_passwd +- - file_groupowner_etc_passwd +- +- # chmod 644 /etc/passwd +- - file_permissions_etc_passwd +- +- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) +- # chown root:root /etc/shadow +- - file_owner_etc_shadow +- - file_groupowner_etc_shadow +- +- # chmod o-rwx,g-wx 
/etc/shadow +- - file_permissions_etc_shadow +- +- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored) +- # chown root:root /etc/group +- - file_owner_etc_group +- - file_groupowner_etc_group +- +- # chmod 644 /etc/group +- - file_permissions_etc_group +- +- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored) +- # chown root:root /etc/gshadow +- - file_owner_etc_gshadow +- - file_groupowner_etc_gshadow +- +- # chmod o-rwx,g-rw /etc/gshadow +- - file_permissions_etc_gshadow +- +- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) +- # chown root:root /etc/passwd- +- - file_owner_backup_etc_passwd +- - file_groupowner_backup_etc_passwd +- +- # chmod 644 /etc/passwd- +- - file_permissions_backup_etc_passwd +- +- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) +- # chown root:root /etc/shadow- +- - file_owner_backup_etc_shadow +- - file_groupowner_backup_etc_shadow +- +- # chmod 0000 /etc/shadow- +- - file_permissions_backup_etc_shadow +- +- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) +- # chown root:root /etc/group- +- - file_owner_backup_etc_group +- - file_groupowner_backup_etc_group +- +- # chmod 644 /etc/group- +- - file_permissions_backup_etc_group +- +- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) +- # chown root:root /etc/gshadow- +- - file_owner_backup_etc_gshadow +- - file_groupowner_backup_etc_gshadow +- +- # chmod 0000 /etc/gshadow- +- - file_permissions_backup_etc_gshadow +- +- ### 6.1.10 Ensure no world writable files exist (Scored) +- - file_permissions_unauthorized_world_writable +- +- ### 6.1.11 Ensure no unowned files or directories exist (Scored) +- - no_files_unowned_by_user +- +- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored) +- - file_permissions_ungroupowned +- +- ### 6.1.13 Audit SUID executables (Not Scored) +- - file_permissions_unauthorized_suid +- +- ### 6.1.14 Audit SGID executables (Not Scored) +- - 
file_permissions_unauthorized_sgid +- +- ## 6.2 User and Group Settings +- +- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) +- - no_legacy_plus_entries_etc_passwd +- +- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) +- - no_legacy_plus_entries_etc_shadow +- +- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored) +- - no_legacy_plus_entries_etc_group +- +- ### 6.2.6 Ensure root is the only UID 0 account (Scored) +- - accounts_no_uid_except_zero +- +- ### 6.2.7 Ensure users' home directories permissions are 750 +- ### or more restrictive (Scored) +- - file_permissions_home_dirs +- +- ### 6.2.8 Ensure users own their home directories (Scored) +- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507 +- - file_groupownership_home_directories +- +- ### 6.2.9 Ensure users' dot files are not group or world +- ### writable (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506 +- +- ### 6.2.10 Ensure no users have .forward files (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505 +- +- ### 6.2.11 Ensure no users have .netrc files (Scored) +- - no_netrc_files +- +- ### 6.2.12 Ensure users' .netrc Files are not group or +- ### world accessible (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504 +- +- ### 6.2.13 Ensure no users have .rhosts files (Scored) +- - no_rsh_trust_files +- +- ### 6.2.14 Ensure all groups in /etc/passwd exist in +- ### /etc/group (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503 +- +- ### 6.2.15 Ensure no duplicate UIDs exist (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502 +- +- ### 6.2.16 Ensure no duplicate GIDs exist (Scored) +- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501 +- +- ### 6.2.17 Ensure no duplicate user names exist (Scored) +- - account_unique_name +- +- ### 6.2.18 
Ensure no duplicate group names exist (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
+-
+- ### 6.2.19 Ensure shadow group is empty (Scored)
+- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
+-
+- ### 6.2.20 Ensure all users' home directories exist (Scored)
+- - accounts_user_interactive_home_directory_exists
++ - cis_rhel8:all:l2_server
+diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile
+new file mode 100644
+index 0000000000..18314d9c46
+--- /dev/null
++++ b/products/rhel9/profiles/cis_server_l1.profile
+@@ -0,0 +1,19 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0.1
++ SMEs:
++ - vojtapolasek
++ - yuumasato
++
++reference: https://www.cisecurity.org/benchmark/red_hat_linux/
++
++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server'
++
++description: |-
++ This is a draft profile based on its RHEL8 version for experimental purposes.
++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
++ the release.
++
++selections:
++ - cis_rhel8:all:l1_server
+diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile
+new file mode 100644
+index 0000000000..3ce1c80089
+--- /dev/null
++++ b/products/rhel9/profiles/cis_workstation_l1.profile
+@@ -0,0 +1,19 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0.1
++ SMEs:
++ - vojtapolasek
++ - yuumasato
++
++reference: https://www.cisecurity.org/benchmark/red_hat_linux/
++
++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation'
++
++description: |-
++ This is a draft profile based on its RHEL8 version for experimental purposes.
++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
++ the release.
++
++selections:
++ - cis_rhel8:all:l1_workstation
+diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile
+new file mode 100644
+index 0000000000..84d76b801f
+--- /dev/null
++++ b/products/rhel9/profiles/cis_workstation_l2.profile
+@@ -0,0 +1,19 @@
++documentation_complete: true
++
++metadata:
++ version: 1.0.1
++ SMEs:
++ - vojtapolasek
++ - yuumasato
++
++reference: https://www.cisecurity.org/benchmark/red_hat_linux/
++
++title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation'
++
++description: |-
++ This is a draft profile based on its RHEL8 version for experimental purposes.
++ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
++ the release.
++
++selections:
++ - cis_rhel8:all:l2_workstation
+
+From 11c06fcbc1c75bcc17a765d611449af66efcf3e0 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Fri, 20 Aug 2021 17:35:21 +0200
+Subject: [PATCH 2/4] Add RHEL9 CIS kickstarts
+
+Those are based on their RHEL8 counterparts
+---
+ products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg | 6 +-
+ .../kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 133 ++++++++++++++++
+ .../ssg-rhel9-cis_workstation_l1-ks.cfg | 133 ++++++++++++++++
+ .../ssg-rhel9-cis_workstation_l2-ks.cfg | 143 ++++++++++++++++++
+ 4 files changed, 412 insertions(+), 3 deletions(-)
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
+ create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
+
+diff --git a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
+index 47685726dd..88290ff977 100644
+--- a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
++++ b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
+@@ -1,6 +1,6 @@
+-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 9 Server
++# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 9 Server
+ # Version: 0.0.1
+-# Date: 2021-07-13
++# Date: 2021-08-12
+ #
+ # Based on:
+ # https://pykickstart.readthedocs.io/en/latest/
+@@ -124,7 +124,7 @@ logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+ 
+ # Harden installation with CIS profile
+ # For more details and configuration options see
+-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+ %addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis
+diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+new file mode 100644
+index 0000000000..d8d24e4394
+--- /dev/null
++++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+@@ -0,0 +1,133 @@
++# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 9 Server
++# Version: 0.0.1
++# Date: 2021-08-12
++#
++# Based on:
++# https://pykickstart.readthedocs.io/en/latest/
++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
++
++# Specify installation method to use for installation
++# To use a different one comment out the 'url' one below, update
++# the selected choice with proper options & un-comment it
++#
++# Install from an installation tree on a remote server via FTP or HTTP:
++# --url the URL to install from
++#
++# Example:
++#
++# url --url=http://192.168.122.1/image
++#
++# Modify concrete URL in the above example appropriately to reflect the actual
++# environment machine is to be installed in
++#
++# Other possible / supported installation methods:
++# * install from the first CD-ROM/DVD drive on the system:
++#
++# cdrom
++#
++# * install from a directory of ISO images on a local drive:
++#
++# harddrive --partition=hdb2 --dir=/tmp/install-tree
++#
++# * install from provided NFS server:
++#
++# nfs --server= --dir= [--opts=]
++#
++
++# Set language to use during installation and the default language to use on the installed system (required)
++lang en_US.UTF-8
++
++# Set system keyboard type / layout (required)
++keyboard us
++
++# Configure network information for target system and activate network devices in the installer environment (optional)
++# --onboot enable device at a boot time
++# --device device to be activated and / or configured with the network command
++# --bootproto method to obtain networking configuration for device (default dhcp)
++# --noipv6 disable IPv6 on this device
++#
++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
++# "--bootproto=static" must be used. For example:
++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
++#
++network --onboot yes --device eth0 --bootproto dhcp --noipv6
++
++# Set the system's root password (required)
++# Plaintext password is: server
++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
++# encrypted password form for different plaintext password
++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
++
++# The selected profile will restrict root login
++# Add a user that can login and escalate privileges
++# Plaintext password is: admin123
++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
++
++# Configure firewall settings for the system (optional)
++# --enabled reject incoming connections that are not in response to outbound requests
++# --ssh allow sshd service through the firewall
++firewall --enabled --ssh
++
++# Set up the authentication options for the system (required)
++# sssd profile sets sha512 to hash passwords
++# passwords are shadowed by default
++# See the manual page for authselect-profile for a complete list of possible options.
++authselect select sssd
++
++# State of SELinux on the installed system (optional)
++# Defaults to enforcing
++selinux --enforcing
++
++# Set the system time zone (required)
++timezone --utc America/New_York
++
++# Specify how the bootloader should be installed (required)
++# Plaintext password is: password
++# Refer to e.g. 
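Review bot: `documentation_complete: true` on a profile whose title is tagged `[DRAFT]` and whose description admits it is not derived from a RHEL 9 benchmark means the draft is built and shipped as a first-class RHEL 9 profile, and a consumer choosing it from the datastream has no machine-readable signal that the rule set is the RHEL 8 one. Either keep it out of the build with `documentation_complete: false` until the RHEL 9 benchmark exists, or, if shipping the draft is intended, say so explicitly in the profile with a comment such as `# Built on purpose as an experimental draft; controls and variables come from controls/cis_rhel8.yml until a RHEL 9 benchmark is published`. The `version: 1.0.1` under `metadata` is presumably the RHEL 8 benchmark revision these controls were taken from; with `reference:` pointing at the generic CIS page, a reader may read it as a RHEL 9 benchmark version, so a comment `# version of the RHEL 8 benchmark this draft mirrors` would avoid that. The same applies verbatim to the two workstation profiles added in the following hunks.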
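Review bot: The documentation anchor on the new side now names `org_fedora_oscap`, while the context line `%addon com_redhat_oscap` two lines below still uses the RHEL 8 add-on name, so the link and the directive no longer agree; confirm which add-on name the RHEL 9 installer registers and change the directive to match if the rename implied by the anchor is real, otherwise revert the anchor. The URL also still points at the RHEL 8 guide (`red_hat_enterprise_linux/8/`) in a RHEL 9 kickstart, which is worth a `# TODO: point at the RHEL 9 installation guide once published` comment rather than silently keeping the RHEL 8 path. A kickstart that selects a hardening profile but names a non-existent add-on fails at install time with no hardening applied, so this is the line to verify before the file is used.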
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_server_l1 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot 
after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +new file mode 100644 +index 0000000000..fb6d0ab9a4 +--- /dev/null ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +@@ -0,0 +1,133 @@ ++# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot 
enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. 
++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg +new file mode 100644 +index 0000000000..037de3a1b9 +--- /dev/null ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg +@@ -0,0 +1,143 @@ ++# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server ++# Version: 0.0.1 ++# Date: 2021-08-12 ++# ++# Based on: ++# https://pykickstart.readthedocs.io/en/latest/ ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory 
of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++part /boot --fstype=xfs --size=512 ++part pv.01 --grow --size=1 ++ ++# Create a Logical Volume Management (LVM) group (optional) ++volgroup VolGroup --pesize=4096 pv.01 ++ ++# Create particular logical volumes (optional) ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++# Ensure /home Located On Separate Partition ++logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" ++# Ensure /tmp Located On Separate Partition ++logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" ++# Ensure /var/tmp Located On Separate Partition ++logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" ++# Ensure /var Located On Separate Partition ++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 ++# Ensure /var/log Located On Separate Partition ++logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 ++# Ensure /var/log/audit Located On Separate Partition ++logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup 
--size=512 ++logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++ ++ ++# Harden installation with CIS profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program ++%addon com_redhat_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject + +From 6775cda905bce1f01cc8e89245f7f5d3f53a5b8d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 23 Aug 2021 10:16:50 +0200 +Subject: [PATCH 3/4] Add CCEs + +to rules that freshly made it into the RHEL9 CIS draft. 
+--- + .../ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 + + .../services/ssh/ssh_server/sshd_set_maxstartups/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + + .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 + + shared/references/cce-redhat-avail.txt | 6 ------ + 7 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +index ee54a53dfd..059d25cc7c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82419-3 + cce@rhel8: CCE-82420-1 ++ cce@rhel9: CCE-86923-0 + cce@sle12: CCE-83077-8 + cce@sle15: CCE-83270-9 + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +index 7aec7ffb2c..5a1bf4906e 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +@@ -23,6 +23,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-90714-7 + cce@rhel8: CCE-90718-8 ++ cce@rhel9: CCE-87872-8 + + references: + cis@rhel7: 5.3.21 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +index 62b6f55e00..cf6c38d6f7 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83476-2 + cce@rhel8: CCE-83478-8 ++ cce@rhel9: CCE-86354-8 + + references: + cis-csc: 1,12,15,16,5 +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +index 8cc56eb876..0eae61281f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83479-6 + cce@rhel8: CCE-83480-4 ++ cce@rhel9: CCE-89176-2 + + references: + cis-csc: 1,12,15,16,5 +diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +index c94de8fa3e..151ad1ebe2 100644 +--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml +@@ -22,6 +22,7 @@ severity: unknown + identifiers: + cce@rhel7: CCE-80199-3 + cce@rhel8: CCE-85914-0 ++ cce@rhel9: CCE-88059-1 + + references: + cis-csc: 11,3,9 +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +index bc4fdcc7e0..d9c0be8ccf 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml ++++ 
b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-83431-7 + cce@rhel8: CCE-85912-4 ++ cce@rhel9: CCE-85925-6 + + references: + cis-csc: 12,13,14,15,16,18,3,5 +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 6c33c2e85f..e80f25156e 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -50,7 +50,6 @@ CCE-85921-5 + CCE-85922-3 + CCE-85923-1 + CCE-85924-9 +-CCE-85925-6 + CCE-85926-4 + CCE-85927-2 + CCE-85928-0 +@@ -458,7 +457,6 @@ CCE-86350-6 + CCE-86351-4 + CCE-86352-2 + CCE-86353-0 +-CCE-86354-8 + CCE-86355-5 + CCE-86356-3 + CCE-86357-1 +@@ -1016,7 +1014,6 @@ CCE-86919-8 + CCE-86920-6 + CCE-86921-4 + CCE-86922-2 +-CCE-86923-0 + CCE-86924-8 + CCE-86925-5 + CCE-86926-3 +@@ -1947,7 +1944,6 @@ CCE-87868-6 + CCE-87869-4 + CCE-87870-2 + CCE-87871-0 +-CCE-87872-8 + CCE-87873-6 + CCE-87874-4 + CCE-87875-1 +@@ -2132,7 +2128,6 @@ CCE-88055-9 + CCE-88056-7 + CCE-88057-5 + CCE-88058-3 +-CCE-88059-1 + CCE-88060-9 + CCE-88061-7 + CCE-88062-5 +@@ -3226,7 +3221,6 @@ CCE-89171-3 + CCE-89172-1 + CCE-89173-9 + CCE-89174-7 +-CCE-89176-2 + CCE-89177-0 + CCE-89178-8 + CCE-89179-6 + +From 6835e3d0d26ac210f2d376fdad647bb37cb22c8d Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Tue, 24 Aug 2021 10:43:22 +0200 +Subject: [PATCH 4/4] Increase partition size for CIS kickstarts + +--- + products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg | 2 +- + products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg | 2 +- + products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 2 +- + products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg +index d8d24e4394..1abcf90304 100644 +--- 
a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg +@@ -106,7 +106,7 @@ part pv.01 --grow --size=1 + volgroup VolGroup --pesize=4096 pv.01 + + # Create particular logical volumes (optional) +-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow + # Ensure /tmp Located On Separate Partition + logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" + logvol swap --name=lv_swap --vgname=VolGroup --size=2016 +diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +index fb6d0ab9a4..e18e86f474 100644 +--- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg ++++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +@@ -106,7 +106,7 @@ part pv.01 --grow --size=1 + volgroup VolGroup --pesize=4096 pv.01 + + # Create particular logical volumes (optional) +-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow ++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow + # Ensure /tmp Located On Separate Partition + logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" + logvol swap --name=lv_swap --vgname=VolGroup --size=2016 diff --git a/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch b/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch new file mode 100644 index 0000000..9878022 --- /dev/null +++ b/scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch 
@@ -0,0 +1,39 @@ +From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 24 Aug 2021 12:48:46 +0200 +Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it + RHEL8 CIS. + +This new selector is used to select explicit DEFAULT value in RHEL8 CIS +L1 profiles. The "default" selector cannot be selected and it causes +errors if used. +--- + controls/cis_rhel8.yml | 2 +- + .../software/integrity/crypto/var_system_crypto_policy.var | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml +index 29d972427cf..c0d3f5f40de 100644 +--- a/controls/cis_rhel8.yml ++++ b/controls/cis_rhel8.yml +@@ -553,7 +553,7 @@ controls: + automated: yes + rules: + - configure_crypto_policy +- - var_system_crypto_policy=default ++ - var_system_crypto_policy=default_policy + + # This rule works in conjunction with the configure_crypto_policy above. + # If a system is remediated to CIS Level 1, just the rule above will apply +diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var +index ce301154a39..8b89848d122 100644 +--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var ++++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var +@@ -13,6 +13,7 @@ interactive: false + + options: + default: DEFAULT ++ default_policy: DEFAULT + default_nosha1: "DEFAULT:NO-SHA1" + fips: FIPS + fips_ospp: "FIPS:OSPP" diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 13133fd..b23d061 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -5,7 +5,7 @@ Name: scap-security-guide Version: 0.1.57 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ 
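Review bot: The new `default_policy: DEFAULT` option in var_system_crypto_policy.var sits next to the existing `default: DEFAULT` with nothing in the file explaining why two selectors carry the same value; the only explanation is in the commit message, so a later cleanup is likely to collapse them and reintroduce the build error. A comment on the new option would anchor that, e.g. `# "default" as a selector name cannot be referenced from a control file (see commit message); use default_policy to pin DEFAULT explicitly`. Note also that this patch file is named rhel9_cis_crypto_policy_default but the control-file hunk only edits controls/cis_rhel8.yml; presumably the RHEL9 control file is derived from it in a later patch, which would be worth confirming, since any other control file still selecting `=default` would hit the same failure.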
@@ -20,6 +20,11 @@ Patch4: scap-security-guide-0.1.58-dont_remove_all_whitespace-PR_7393.patch Patch5: scap-security-guide-0.1.58-fix_gpgkey-PR_7321.patch Patch6: scap-security-guide-0.1.58-s390x_arch-PR_7385.patch Patch7: scap-security-guide-0.1.58-ism_ks-PR_7392.patch +Patch8: scap-security-guide-0.1.58-cis_def-PR_6976.patch +Patch9: scap-security-guide-0.1.58-rhel9_cis_crypto_policy_default-PR_7452.patch +Patch10: scap-security-guide-0.1.58-fix_broken_link-PR_7409.patch +Patch11: scap-security-guide-0.1.58-cis_build_system_fix-PR_7226.patch +Patch12: scap-security-guide-0.1.58-rhel9_cis-PR_7415.patch BuildRequires: libxslt BuildRequires: expat @@ -106,6 +111,11 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog +* Tue Aug 24 2021 Matej Tyc - 0.1.57-4 +- Fix a broken HTTP link + Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage + Resolves: rhbz#1962564 + * Tue Aug 17 2021 Matej Tyc - 0.1.57-3 - Use SSHD directory-based configuration. Resolves: rhbz#1962564
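Review bot: The Patch8, Patch10 and Patch12 entries reference patch files (cis_def-PR_6976, fix_broken_link-PR_7409, rhel9_cis-PR_7415) that are not added anywhere in this chunk, while the files for Patch9 and Patch11 are; if those three are not part of the same commit the source package fails at %prep. The hunk shows no %patch lines, so the apply mechanism (presumably %autosetup) is outside this view and should be checked to confirm all five new patches are applied, and in this order. Ordering matters here because Patch9 renames the `default` selector in controls/cis_rhel8.yml before Patch11 and Patch12 touch the CIS build system and the RHEL9 CIS control content, so a rebase conflict or a stale `=default` reference in the later patches would only show up at build time.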