From e3844b648a537ae2d28aeb66b30522363e26c8c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Thu, 19 Aug 2021 15:58:08 +0200 Subject: [PATCH 1/4] Base the RHEL9 CIS preview on RHEL8 Harness the policy files to get a RHEL9 projection of the RHEL8 CIS. --- products/rhel9/profiles/cis.profile | 1079 +---------------- products/rhel9/profiles/cis_server_l1.profile | 19 + .../rhel9/profiles/cis_workstation_l1.profile | 19 + .../rhel9/profiles/cis_workstation_l2.profile | 19 + 4 files changed, 63 insertions(+), 1073 deletions(-) create mode 100644 products/rhel9/profiles/cis_server_l1.profile create mode 100644 products/rhel9/profiles/cis_workstation_l1.profile create mode 100644 products/rhel9/profiles/cis_workstation_l2.profile diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile index 8d7816e5e2..4240f743df 100644 --- a/products/rhel9/profiles/cis.profile +++ b/products/rhel9/profiles/cis.profile 
@@ -1,1086 +1,19 @@ documentation_complete: true metadata: - version: 0.0.0 + version: 1.0.1 SMEs: - vojtapolasek - yuumasato reference: https://www.cisecurity.org/benchmark/red_hat_linux/ -title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark' +title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server' description: |- - This is a draft CIS profile based on the RHEL8 CIS + This is a draft profile based on its RHEL8 version for experimental purposes. + It is not based on the CIS benchmark for RHEL9, because this one was not available at time of + the release. selections: - # Necessary for dconf rules - - dconf_db_up_to_date - - ### Partitioning - - mount_option_home_nodev - - ## 1.1 Filesystem Configuration - - ### 1.1.1 Disable unused filesystems - - #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) - - kernel_module_cramfs_disabled - - #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) - - - #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) - - kernel_module_squashfs_disabled - - #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored) - - kernel_module_udf_disabled - - ### 1.1.2 Ensure /tmp is configured (Scored) - - partition_for_tmp - - ### 1.1.3 Ensure nodev option set on /tmp partition (Scored) - - mount_option_tmp_nodev - - ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored) - - mount_option_tmp_nosuid - - ### 1.1.5 Ensure noexec option set on /tmp partition (Scored) - - mount_option_tmp_noexec - - ### 1.1.6 Ensure separate partition exists for /var (Scored) - - partition_for_var - - ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored) - - partition_for_var_tmp - - ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored) - - mount_option_var_tmp_nodev - - ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored) - - mount_option_var_tmp_nosuid - - ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored) - - 
mount_option_var_tmp_noexec - - ### 1.1.11 Ensure separate partition exists for /var/log (Scored) - - partition_for_var_log - - ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored) - - partition_for_var_log_audit - - ### 1.1.13 Ensure separate partition exists for /home (Scored) - - partition_for_home - - ### 1.1.14 Ensure nodev option set on /home partition (Scored) - - mount_option_home_nodev - - ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored) - - mount_option_dev_shm_nodev - - ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored) - - mount_option_dev_shm_nosuid - - ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored) - - mount_option_dev_shm_noexec - - ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored) - - mount_option_nodev_removable_partitions - - ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored) - - mount_option_nosuid_removable_partitions - - ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored) - - mount_option_noexec_removable_partitions - - ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored) - - dir_perms_world_writable_sticky_bits - - ### 1.1.22 Disable Automounting (Scored) - - service_autofs_disabled - - ### 1.1.23 Disable USB Storage (Scored) - - kernel_module_usb-storage_disabled - - ## 1.2 Configure Software Updates - - ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218 - - ### 1.2.2 Disable the rhnsd Daemon (Not Scored) - - service_rhnsd_disabled - - ### 1.2.3 Ensure GPG keys are configured (Not Scored) - - ensure_redhat_gpgkey_installed - - ### 1.2.4 Ensure gpgcheck is globally activated (Scored) - - ensure_gpgcheck_globally_activated - - ### 1.2.5 Ensure package manager repositories are configured (Scored) - # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5219 - - ## 1.3 Configure sudo - - ### 1.3.1 Ensure sudo is installed (Scored) - - package_sudo_installed - - ### 1.3.2 Ensure sudo commands use pty (Scored) - - sudo_add_use_pty - - ### 1.3.3 Ensure sudo log file exists (Scored) - - sudo_custom_logfile - - ## 1.4 Filesystem Integrity Checking - - ### 1.4.1 Ensure AIDE is installed (Scored) - - package_aide_installed - - ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored) - - aide_periodic_cron_checking - - ## Secure Boot Settings - - ### 1.5.1 Ensure permissions on bootloader config are configured (Scored) - #### chown root:root /boot/grub2/grub.cfg - - file_owner_grub2_cfg - - file_groupowner_grub2_cfg - - #### chmod og-rwx /boot/grub2/grub.cfg - - file_permissions_grub2_cfg - - #### chown root:root /boot/grub2/grubenv - # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 - - #### chmod og-rwx /boot/grub2/grubenv - # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222 - - ### 1.5.2 Ensure bootloader password is set (Scored) - - grub2_password - - ### 1.5.3 Ensure authentication required for single user mode (Scored) - #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - - require_singleuser_auth - - #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency - - require_emergency_target_auth - - ## 1.6 Additional Process Hardening - - ### 1.6.1 Ensure core dumps are restricted (Scored) - #### * hard core 0 - - disable_users_coredumps - - #### fs.suid_dumpable = 0 - - sysctl_fs_suid_dumpable - - #### ProcessSizeMax=0 - - coredump_disable_backtraces - - #### Storage=none - - coredump_disable_storage - - ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled - - sysctl_kernel_randomize_va_space - - ## 1.7 Mandatory Access Control - - ### 1.7.1 Configure SELinux - - #### 1.7.1.1 Ensure SELinux is installed (Scored) - - package_libselinux_installed - - #### 1.7.1.2 Ensure SELinux is not 
disabled in bootloader configuration (Scored) - - grub2_enable_selinux - - #### 1.7.1.3 Ensure SELinux policy is configured (Scored) - - var_selinux_policy_name=targeted - - selinux_policytype - - #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored) - - var_selinux_state=enforcing - - selinux_state - - #### 1.7.1.5 Ensure no unconfied services exist (Scored) - - selinux_confinement_of_daemons - - #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored) - - package_setroubleshoot_removed - - #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored) - - package_mcstrans_removed - - ## Warning Banners - - ### 1.8.1 Command Line Warning Baners - - #### 1.8.1.1 Ensure message of the day is configured properly (Scored) - - banner_etc_motd - - #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored) - - banner_etc_issue - - #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225 - - #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored) - # chmod u-x,go-wx /etc/motd - - file_permissions_etc_motd - - #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored) - # chmod u-x,go-wx /etc/issue - - file_permissions_etc_issue - - #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored) - # Previously addressed via 'rpm_verify_permissions' rule - - ### 1.8.2 Ensure GDM login banner is configured (Scored) - #### banner-message-enable=true - - dconf_gnome_banner_enabled - - #### banner-message-text='' - - dconf_gnome_login_banner_text - - ## 1.9 Ensure updates, patches, and additional security software are installed (Scored) - - security_patches_up_to_date - - ## 1.10 Ensure system-wide crypto policy is not legacy (Scored) - - var_system_crypto_policy=future - - configure_crypto_policy - - ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored) - # Previously addressed via 
'configure_crypto_policy' rule - - # Services - - ## 2.1 inetd Services - - ### 2.1.1 Ensure xinetd is not installed (Scored) - - package_xinetd_removed - - ## 2.2 Special Purpose Services - - ### 2.2.1 Time Synchronization - - #### 2.2.1.1 Ensure time synchronization is in use (Not Scored) - - package_chrony_installed - - #### 2.2.1.2 Ensure chrony is configured (Scored) - - service_chronyd_enabled - - chronyd_specify_remote_server - - chronyd_run_as_chrony_user - - ### 2.2.2 Ensure X Window System is not installed (Scored) - - package_xorg-x11-server-common_removed - - xwindows_runlevel_target - - ### 2.2.3 Ensure rsync service is not enabled (Scored) - - service_rsyncd_disabled - - ### 2.2.4 Ensure Avahi Server is not enabled (Scored) - - service_avahi-daemon_disabled - - ### 2.2.5 Ensure SNMP Server is not enabled (Scored) - - service_snmpd_disabled - - ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored) - - package_squid_removed - - ### 2.2.7 Ensure Samba is not enabled (Scored) - - service_smb_disabled - - ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored) - - service_dovecot_disabled - - ### 2.2.9 Ensure HTTP server is not enabled (Scored) - - service_httpd_disabled - - ### 2.2.10 Ensure FTP Server is not enabled (Scored) - - service_vsftpd_disabled - - ### 2.2.11 Ensure DNS Server is not enabled (Scored) - - service_named_disabled - - ### 2.2.12 Ensure NFS is not enabled (Scored) - - service_nfs_disabled - - ### 2.2.13 Ensure RPC is not enabled (Scored) - - service_rpcbind_disabled - - ### 2.2.14 Ensure LDAP service is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231 - - ### 2.2.15 Ensure DHCP Server is not enabled (Scored) - - service_dhcpd_disabled - - ### 2.2.16 Ensure CUPS is not enabled (Scored) - - service_cups_disabled - - ### 2.2.17 Ensure NIS Server is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232 - - ### 2.2.18 Ensure mail transfer agent 
is configured for - ### local-only mode (Scored) - - postfix_network_listening_disabled - - ## 2.3 Service Clients - - ### 2.3.1 Ensure NIS Client is not installed (Scored) - - package_ypbind_removed - - ### 2.3.2 Ensure telnet client is not installed (Scored) - - package_telnet_removed - - ### Ensure LDAP client is not installed - - package_openldap-clients_removed - - # 3 Network Configuration - - ## 3.1 Network Parameters (Host Only) - - ### 3.1.1 Ensure IP forwarding is disabled (Scored) - #### net.ipv4.ip_forward = 0 - - sysctl_net_ipv4_ip_forward - - #### net.ipv6.conf.all.forwarding = 0 - - sysctl_net_ipv6_conf_all_forwarding - - ### 3.1.2 Ensure packet redirect sending is disabled (Scored) - #### net.ipv4.conf.all.send_redirects = 0 - - sysctl_net_ipv4_conf_all_send_redirects - - #### net.ipv4.conf.default.send_redirects = 0 - - sysctl_net_ipv4_conf_default_send_redirects - - ## 3.2 Network Parameters (Host and Router) - - ### 3.2.1 Ensure source routed packets are not accepted (Scored) - #### net.ipv4.conf.all.accept_source_route = 0 - - sysctl_net_ipv4_conf_all_accept_source_route - - #### net.ipv4.conf.default.accept_source_route = 0 - - sysctl_net_ipv4_conf_default_accept_source_route - - #### net.ipv6.conf.all.accept_source_route = 0 - - sysctl_net_ipv6_conf_all_accept_source_route - - #### net.ipv6.conf.default.accept_source_route = 0 - - sysctl_net_ipv6_conf_default_accept_source_route - - ### 3.2.2 Ensure ICMP redirects are not accepted (Scored) - #### net.ipv4.conf.all.accept_redirects = 0 - - sysctl_net_ipv4_conf_all_accept_redirects - - #### net.ipv4.conf.default.accept_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - #### net.ipv6.conf.all.accept_redirects = 0 - - sysctl_net_ipv6_conf_all_accept_redirects - - #### net.ipv6.conf.defaults.accept_redirects = 0 - - sysctl_net_ipv6_conf_default_accept_redirects - - ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) - #### net.ipv4.conf.all.secure_redirects = 0 - - 
sysctl_net_ipv4_conf_all_secure_redirects - - #### net.ipv4.cof.default.secure_redirects = 0 - - sysctl_net_ipv4_conf_default_secure_redirects - - ### 3.2.4 Ensure suspicious packets are logged (Scored) - #### net.ipv4.conf.all.log_martians = 1 - - sysctl_net_ipv4_conf_all_log_martians - - #### net.ipv4.conf.default.log_martians = 1 - - sysctl_net_ipv4_conf_default_log_martians - - ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) - - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored) - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - - ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - #### net.ipv4.conf.all.rp_filter = 1 - - sysctl_net_ipv4_conf_all_rp_filter - - #### net.ipv4.conf.default.rp_filter = 1 - - sysctl_net_ipv4_conf_default_rp_filter - - ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) - - sysctl_net_ipv4_tcp_syncookies - - ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored) - #### net.ipv6.conf.all.accept_ra = 0 - - sysctl_net_ipv6_conf_all_accept_ra - - #### net.ipv6.conf.default.accept_ra = 0 - - sysctl_net_ipv6_conf_default_accept_ra - - ## 3.3 Uncommon Network Protocols - - ### 3.3.1 Ensure DCCP is disabled (Scored) - - kernel_module_dccp_disabled - - ### Ensure SCTP is disabled (Scored) - - kernel_module_sctp_disabled - - ### 3.3.3 Ensure RDS is disabled (Scored) - - kernel_module_rds_disabled - - ### 3.3.4 Ensure TIPC is disabled (Scored) - - kernel_module_tipc_disabled - - ## 3.4 Firewall Configuration - - ### 3.4.1 Ensure Firewall software is installed - - #### 3.4.1.1 Ensure a Firewall package is installed (Scored) - ##### firewalld - - package_firewalld_installed - - ##### nftables - #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237 - - ##### iptables - #- package_iptables_installed - - ### 3.4.2 Configure firewalld - - #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored) - - service_firewalld_enabled 
- - #### 3.4.2.2 Ensure iptables is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238 - - #### 3.4.2.3 Ensure nftables is not enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239 - - #### 3.4.2.4 Ensure default zone is set (Scored) - - set_firewalld_default_zone - - #### 3.4.2.5 Ensure network interfaces are assigned to - #### appropriate zone (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240 - - #### 3.4.2.6 Ensure unnecessary services and ports are not - #### accepted (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241 - - ### 3.4.3 Configure nftables - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242 - - #### 3.4.3.1 Ensure iptables are flushed (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243 - - #### 3.4.3.2 Ensure a table exists (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244 - - #### 3.4.3.3 Ensure base chains exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245 - - #### 3.4.3.4 Ensure loopback traffic is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246 - - #### 3.4.3.5 Ensure outbound and established connections are - #### configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247 - - #### 3.4.3.6 Ensure default deny firewall policy (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248 - - #### 3.4.3.7 Ensure nftables service is enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249 - - #### 3.4.3.8 Ensure nftables rules are permanent (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250 - - ### 3.4.4 Configure iptables - - #### 3.4.4.1 Configure IPv4 iptables - # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5251 - - ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252 - - ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253 - - ##### 3.4.4.1.3 Ensure outbound and established connections are - ##### configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254 - - ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255 - - #### 3.4.4.2 Configure IPv6 ip6tables - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256 - - ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257 - - ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258 - - ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are - ##### configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260 - - ## 3.5 Ensure wireless interfaces are disabled (Scored) - - wireless_disable_interfaces - - ## 3.6 Disable IPv6 (Not Scored) - - kernel_module_ipv6_option_disabled - - # Logging and Auditing - - ## 4.1 Configure System Accounting (auditd) - - ### 4.1.1 Ensure auditing is enabled - - #### 4.1.1.1 Ensure auditd is installed (Scored) - - package_audit_installed - - #### 4.1.1.2 Ensure auditd service is enabled (Scored) - - service_auditd_enabled - - #### 4.1.1.3 Ensure auditing for processes that start prior to audit - #### is enabled (Scored) - - grub2_audit_argument - - #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored) - - grub2_audit_backlog_limit_argument - - ### 4.1.2 Configure Data Retention - - #### 4.1.2.1 Ensure audit log storage 
size is configured (Scored) - - auditd_data_retention_max_log_file - - #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored) - - auditd_data_retention_max_log_file_action - - #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored) - - var_auditd_space_left_action=email - - auditd_data_retention_space_left_action - - ##### action_mail_acct = root - - var_auditd_action_mail_acct=root - - auditd_data_retention_action_mail_acct - - ##### admin_space_left_action = halt - - var_auditd_admin_space_left_action=halt - - auditd_data_retention_admin_space_left_action - - ### 4.1.3 Ensure changes to system administration scope - ### (sudoers) is collected (Scored) - - audit_rules_sysadmin_actions - - ### 4.1.4 Ensure login and logout events are collected (Scored) - - audit_rules_login_events_faillock - - audit_rules_login_events_lastlog - - ### 4.1.5 Ensure session initiation information is collected (Scored) - - audit_rules_session_events - - ### 4.1.6 Ensure events that modify date and time information - ### are collected (Scored) - #### adjtimex - - audit_rules_time_adjtimex - - #### settimeofday - - audit_rules_time_settimeofday - - #### stime - - audit_rules_time_stime - - #### clock_settime - - audit_rules_time_clock_settime - - #### -w /etc/localtime -p wa - - audit_rules_time_watch_localtime - - ### 4.1.7 Ensure events that modify the system's Mandatory - ### Access Control are collected (Scored) - #### -w /etc/selinux/ -p wa - - audit_rules_mac_modification - - #### -w /usr/share/selinux/ -p wa - # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264 - - ### 4.1.8 Ensure events that modify the system's network - ### enironment are collected (Scored) - - audit_rules_networkconfig_modification - - ### 4.1.9 Ensure discretionary access control permission modification - ### events are collected (Scored) - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - 
- audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_fremovexattr - - ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are - ### collected (Scored) - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_ftruncate - # Opinionated selection - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - ### 4.1.11 Ensure events that modify user/group information are - ### collected (Scored) - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_shadow - - audit_rules_usergroup_modification_opasswd - - ### 4.1.12 Ensure successful file system mounts are collected (Scored) - - audit_rules_media_export - - ### 4.1.13 Ensure use of privileged commands is collected (Scored) - - audit_rules_privileged_commands - - ### 4.1.14 Ensure file deletion events by users are collected - ### (Scored) - - audit_rules_file_deletion_events_unlink - - audit_rules_file_deletion_events_unlinkat - - audit_rules_file_deletion_events_rename - - audit_rules_file_deletion_events_renameat - # Opinionated selection - - audit_rules_file_deletion_events_rmdir - - ### 4.1.15 Ensure kernel module loading and unloading is collected - ### (Scored) - - audit_rules_kernel_module_loading - - ### 4.1.16 Ensure system administrator actions (sudolog) are - ### collected (Scored) - # NEEDS RULE - 
https://github.com/ComplianceAsCode/content/issues/5516 - - ### 4.1.17 Ensure the audit configuration is immutable (Scored) - - audit_rules_immutable - - ## 4.2 Configure Logging - - ### 4.2.1 Configure rsyslog - - #### 4.2.1.1 Ensure rsyslog is installed (Scored) - - package_rsyslog_installed - - #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored) - - service_rsyslog_enabled - - #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored) - - rsyslog_files_permissions - - #### 4.2.1.4 Ensure logging is configured (Not Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519 - - #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote - #### log host (Scored) - - rsyslog_remote_loghost - - #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on - #### designated log hosts (Not Scored) - - rsyslog_nolisten - - ### 4.2.2 Configure journald - - #### 4.2.2.1 Ensure journald is configured to send logs to - #### rsyslog (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520 - - #### 4.2.2.2 Ensure journald is configured to compress large - #### log files (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521 - - - #### 4.2.2.3 Ensure journald is configured to write logfiles to - #### persistent disk (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522 - - ### 4.2.3 Ensure permissions on all logfiles are configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523 - - ## 4.3 Ensure logrotate is configured (Not Scored) - - # 5 Access, Authentication and Authorization - - ## 5.1 Configure cron - - ### 5.1.1 Ensure cron daemon is enabled (Scored) - - service_crond_enabled - - - ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored) - # chown root:root /etc/crontab - - file_owner_crontab - - file_groupowner_crontab - # chmod og-rwx /etc/crontab - - file_permissions_crontab - - ### 5.1.3 
Ensure permissions on /etc/cron.hourly are configured (Scored) - # chown root:root /etc/cron.hourly - - file_owner_cron_hourly - - file_groupowner_cron_hourly - # chmod og-rwx /etc/cron.hourly - - file_permissions_cron_hourly - - ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored) - # chown root:root /etc/cron.daily - - file_owner_cron_daily - - file_groupowner_cron_daily - # chmod og-rwx /etc/cron.daily - - file_permissions_cron_daily - - ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored) - # chown root:root /etc/cron.weekly - - file_owner_cron_weekly - - file_groupowner_cron_weekly - # chmod og-rwx /etc/cron.weekly - - file_permissions_cron_weekly - - ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored) - # chown root:root /etc/cron.monthly - - file_owner_cron_monthly - - file_groupowner_cron_monthly - # chmod og-rwx /etc/cron.monthly - - file_permissions_cron_monthly - - ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored) - # chown root:root /etc/cron.d - - file_owner_cron_d - - file_groupowner_cron_d - # chmod og-rwx /etc/cron.d - - file_permissions_cron_d - - ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored) - - - ## 5.2 SSH Server Configuration - - ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored) - # chown root:root /etc/ssh/sshd_config - - file_owner_sshd_config - - file_groupowner_sshd_config - - # chmod og-rwx /etc/ssh/sshd_config - - file_permissions_sshd_config - - ### 5.2.2 Ensure SSH access is limited (Scored) - - - ### 5.2.3 Ensure permissions on SSH private host key files are - ### configured (Scored) - # TO DO: The rule sets to 640, but benchmark wants 600 - - file_permissions_sshd_private_key - # TO DO: check owner of private keys in /etc/ssh is root:root - - ### 5.2.4 Ensure permissions on SSH public host key files are configured - ### (Scored) - - file_permissions_sshd_pub_key - # TO DO: check owner of pub keys in /etc/ssh 
is root:root - - # Ensure that the configuration is done the right way - - sshd_use_directory_configuration - ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored) - - sshd_set_loglevel_info - - ### 5.2.6 Ensure SSH X11 forward is disabled (Scored) - - sshd_disable_x11_forwarding - - ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored) - - sshd_max_auth_tries_value=4 - - sshd_set_max_auth_tries - - ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored) - - sshd_disable_rhosts - - ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored) - - disable_host_auth - - ### 5.2.10 Ensure SSH root login is disabled (Scored) - - sshd_disable_root_login - - ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored) - - sshd_disable_empty_passwords - - ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored) - - sshd_do_not_permit_user_env - - ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored) - # ClientAliveInterval 300 - - sshd_idle_timeout_value=5_minutes - - sshd_set_idle_timeout - - # ClientAliveCountMax 0 - - var_sshd_set_keepalive=0 - - ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute - ### or less (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525 - - ### 5.2.15 Ensure SSH warning banner is configured (Scored) - - sshd_enable_warning_banner - - ### 5.2.16 Ensure SSH PAM is enabled (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526 - - ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored) - - sshd_disable_tcp_forwarding - - ### 5.2.18 Ensure SSH MaxStarups is configured (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528 - - ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored) - - sshd_set_max_sessions - - var_sshd_max_sessions=4 - - ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored) - - configure_ssh_crypto_policy - - ## 5.3 Configure authselect - - - ### 5.3.1 Create custom 
authselectet profile (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530 - - ### 5.3.2 Select authselect profile (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531 - - ### 5.3.3 Ensure authselect includes with-faillock (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532 - - ## 5.4 Configure PAM - - ### 5.4.1 Ensure password creation requirements are configured (Scored) - # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533 - - accounts_password_pam_retry - - var_password_pam_minlen=14 - - accounts_password_pam_minlen - - var_password_pam_minclass=4 - - accounts_password_pam_minclass - - ### 5.4.2 Ensure lockout for failed password attempts is - ### configured (Scored) - - var_accounts_passwords_pam_faillock_unlock_time=900 - - var_accounts_passwords_pam_faillock_deny=5 - - accounts_passwords_pam_faillock_unlock_time - - accounts_passwords_pam_faillock_deny - - ### 5.4.3 Ensure password reuse is limited (Scored) - - var_password_pam_unix_remember=5 - - accounts_password_pam_unix_remember - - ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored) - - set_password_hashing_algorithm_systemauth - - ## 5.5 User Accounts and Environment - - ### 5.5.1 Set Shadow Password Suite Parameters - - #### 5.5.1 Ensure password expiration is 365 days or less (Scored) - - var_accounts_maximum_age_login_defs=365 - - accounts_maximum_age_login_defs - - #### 5.5.1.2 Ensure minimum days between password changes is 7 - #### or more (Scored) - - var_accounts_minimum_age_login_defs=7 - - accounts_minimum_age_login_defs - - #### 5.5.1.3 Ensure password expiration warning days is - #### 7 or more (Scored) - - var_accounts_password_warn_age_login_defs=7 - - accounts_password_warn_age_login_defs - - #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored) - # TODO: Rule doesn't check list of users - # 
https://github.com/ComplianceAsCode/content/issues/5536 - - var_account_disable_post_pw_expiration=30 - - account_disable_post_pw_expiration - - #### 5.5.1.5 Ensure all users last password change date is - #### in the past (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537 - - ### 5.5.2 Ensure system accounts are secured (Scored) - - no_shelllogin_for_systemaccounts - - ### 5.5.3 Ensure default user shell timeout is 900 seconds - ### or less (Scored) - - var_accounts_tmout=15_min - - accounts_tmout - - ### 5.5.4 Ensure default group for the root account is - ### GID 0 (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539 - - ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored) - - var_accounts_user_umask=027 - - accounts_umask_etc_bashrc - - accounts_umask_etc_profile - - ## 5.6 Ensure root login is restricted to system console (Not Scored) - - securetty_root_login_console_only - - no_direct_root_logins - - ## 5.7 Ensure access to the su command is restricted (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541 - - # System Maintenance - - ## 6.1 System File Permissions - - ### 6.1.1 Audit system file permissions (Not Scored) - - rpm_verify_permissions - - rpm_verify_ownership - - ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored) - # chown root:root /etc/passwd - - file_owner_etc_passwd - - file_groupowner_etc_passwd - - # chmod 644 /etc/passwd - - file_permissions_etc_passwd - - ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored) - # chown root:root /etc/shadow - - file_owner_etc_shadow - - file_groupowner_etc_shadow - - # chmod o-rwx,g-wx /etc/shadow - - file_permissions_etc_shadow - - ### 6.1.4 Ensure permissions on /etc/group are configured (Scored) - # chown root:root /etc/group - - file_owner_etc_group - - file_groupowner_etc_group - - # chmod 644 /etc/group - - file_permissions_etc_group - - ### 6.1.5 Ensure permissions 
on /etc/gshadow are configured (Scored) - # chown root:root /etc/gshadow - - file_owner_etc_gshadow - - file_groupowner_etc_gshadow - - # chmod o-rwx,g-rw /etc/gshadow - - file_permissions_etc_gshadow - - ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored) - # chown root:root /etc/passwd- - - file_owner_backup_etc_passwd - - file_groupowner_backup_etc_passwd - - # chmod 644 /etc/passwd- - - file_permissions_backup_etc_passwd - - ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored) - # chown root:root /etc/shadow- - - file_owner_backup_etc_shadow - - file_groupowner_backup_etc_shadow - - # chmod 0000 /etc/shadow- - - file_permissions_backup_etc_shadow - - ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored) - # chown root:root /etc/group- - - file_owner_backup_etc_group - - file_groupowner_backup_etc_group - - # chmod 644 /etc/group- - - file_permissions_backup_etc_group - - ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored) - # chown root:root /etc/gshadow- - - file_owner_backup_etc_gshadow - - file_groupowner_backup_etc_gshadow - - # chmod 0000 /etc/gshadow- - - file_permissions_backup_etc_gshadow - - ### 6.1.10 Ensure no world writable files exist (Scored) - - file_permissions_unauthorized_world_writable - - ### 6.1.11 Ensure no unowned files or directories exist (Scored) - - no_files_unowned_by_user - - ### 6.1.12 Ensure no ungrouped files or directories exist (Scored) - - file_permissions_ungroupowned - - ### 6.1.13 Audit SUID executables (Not Scored) - - file_permissions_unauthorized_suid - - ### 6.1.14 Audit SGID executables (Not Scored) - - file_permissions_unauthorized_sgid - - ## 6.2 User and Group Settings - - ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) - - no_legacy_plus_entries_etc_passwd - - ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored) - - no_legacy_plus_entries_etc_shadow - - ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group 
(Scored) - - no_legacy_plus_entries_etc_group - - ### 6.2.6 Ensure root is the only UID 0 account (Scored) - - accounts_no_uid_except_zero - - ### 6.2.7 Ensure users' home directories permissions are 750 - ### or more restrictive (Scored) - - file_permissions_home_dirs - - ### 6.2.8 Ensure users own their home directories (Scored) - # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507 - - file_groupownership_home_directories - - ### 6.2.9 Ensure users' dot files are not group or world - ### writable (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506 - - ### 6.2.10 Ensure no users have .forward files (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505 - - ### 6.2.11 Ensure no users have .netrc files (Scored) - - no_netrc_files - - ### 6.2.12 Ensure users' .netrc Files are not group or - ### world accessible (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504 - - ### 6.2.13 Ensure no users have .rhosts files (Scored) - - no_rsh_trust_files - - ### 6.2.14 Ensure all groups in /etc/passwd exist in - ### /etc/group (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503 - - ### 6.2.15 Ensure no duplicate UIDs exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502 - - ### 6.2.16 Ensure no duplicate GIDs exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501 - - ### 6.2.17 Ensure no duplicate user names exist (Scored) - - account_unique_name - - ### 6.2.18 Ensure no duplicate group names exist (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500 - - ### 6.2.19 Ensure shadow group is empty (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499 - - ### 6.2.20 Ensure all users' home directories exist (Scored) - - accounts_user_interactive_home_directory_exists + - cis_rhel8:all:l2_server 
diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile
new file mode 100644
index 0000000000..18314d9c46
--- /dev/null
+++ b/products/rhel9/profiles/cis_server_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server'
+
+description: |-
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
+
+selections:
+ - cis_rhel8:all:l1_server
diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile
new file mode 100644
index 0000000000..3ce1c80089
--- /dev/null
+++ b/products/rhel9/profiles/cis_workstation_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation'
+
+description: |-
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
+
+selections:
+ - cis_rhel8:all:l1_workstation
diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile
new file mode 100644
index 0000000000..84d76b801f
--- /dev/null
+++ b/products/rhel9/profiles/cis_workstation_l2.profile
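Review bot: `version: 1.0.1` in the metadata block of cis_server_l1.profile is left unexplained, while the description says the profile is a projection of the RHEL8 version rather than of any RHEL9 benchmark, so a reader may take it for a RHEL9 benchmark version that does not exist yet. A comment next to it such as `# version of the RHEL8 CIS benchmark whose selections this draft inherits`, or one sentence in the description, would make the provenance unambiguous. It would also help the description to say that the single `cis_rhel8:all:l1_server` selection pulls in every rule of the RHEL8 control file whether or not it has been validated on RHEL9, since that is what the "experimental" caveat rests on. The same applies to the cis_workstation_l1.profile and cis_workstation_l2.profile hunks, which are identical apart from title and selection.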
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+ version: 1.0.1
+ SMEs:
+ - vojtapolasek
+ - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation'
+
+description: |-
+ This is a draft profile based on its RHEL8 version for experimental purposes.
+ It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+ the release.
+
+selections:
+ - cis_rhel8:all:l2_workstation
From 11c06fcbc1c75bcc17a765d611449af66efcf3e0 Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Fri, 20 Aug 2021 17:35:21 +0200 Subject: [PATCH 2/4] Add RHEL9 CIS kickstarts Those are based on their RHEL8 counterparts --- products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg | 6 +- .../kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 133 ++++++++++++++++ .../ssg-rhel9-cis_workstation_l1-ks.cfg | 133 ++++++++++++++++ .../ssg-rhel9-cis_workstation_l2-ks.cfg | 143 ++++++++++++++++++ 4 files changed, 412 insertions(+), 3 deletions(-) create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
index 47685726dd..88290ff977 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
@@ -1,6 +1,6 @@
-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 9 Server
+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 9 Server
 # Version: 0.0.1
-# Date: 2021-07-13
+# Date: 2021-08-12
 #
 # Based on:
 # https://pykickstart.readthedocs.io/en/latest/
@@ -124,7 +124,7 @@ logvol swap --name=lv_swap --vgname=VolGroup --size=2016
 # Harden installation with CIS profile
 # For more details and configuration options see
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
 content-type = scap-security-guide
 profile = xccdf_org.ssgproject.content_profile_cis
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
new file mode 100644
index 0000000000..d8d24e4394
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
@@ -0,0 +1,133 @@ +# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_server_l1 +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) 
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
new file mode 100644
index 0000000000..fb6d0ab9a4
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
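Review bot: The `bootloader` line passes a `$6$` sha512-crypt hash to `--password=` without `--iscrypted`, whereas the `rootpw` and `user` lines above it pass `--iscrypted` for the same kind of hash; whether anaconda then installs the bootloader password the comment promises (`# Plaintext password is: password`) is not visible here and should be confirmed, since a GRUB password that silently ends up as something else defeats the control. The comment above that line also sends readers to the `#rootpw` anchor of the pykickstart page rather than its bootloader section. The network comment still cites `CCE-27021-5 (DISA FSO RHEL-06-000292)`, a RHEL6 STIG identifier with no bearing on a RHEL9 CIS kickstart; drop it or replace it with the requirement that actually applies to this profile. All three points apply equally to the cis_workstation_l1 and cis_workstation_l2 kickstart hunks later in this patch, which carry the same lines.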
@@ -0,0 +1,133 @@ +# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete 
(optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
new file mode 100644
index 0000000000..037de3a1b9
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
@@ -0,0 +1,143 @@ +# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. 
For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# sssd profile sets sha512 to hash passwords +# passwords are shadowed by default +# See the manual page for authselect-profile for a complete list of possible options. +authselect select sssd + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 +logvol swap --name=lv_swap 
--vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+ content-type = scap-security-guide
+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject attempt to eject CD or DVD media before rebooting
+reboot --eject
From 6775cda905bce1f01cc8e89245f7f5d3f53a5b8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Mon, 23 Aug 2021 10:16:50 +0200 Subject: [PATCH 3/4] Add CCEs to rules that freshly made it into the RHEL9 CIS draft. --- .../ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 + .../services/ssh/ssh_server/sshd_set_maxstartups/rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 + .../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 + shared/references/cce-redhat-avail.txt | 6 ------ 7 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index ee54a53dfd..059d25cc7c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-82419-3
 cce@rhel8: CCE-82420-1
+ cce@rhel9: CCE-86923-0
 cce@sle12: CCE-83077-8
 cce@sle15: CCE-83270-9
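Review bot: `--name=LogVol7` on the `/var/tmp` volume breaks the zero-padded `LogVol01`..`LogVol06` naming used by every other logical volume in this file; `--name=LogVol07` keeps the names consistent and sortable. The comment above the layout still says it `assumes disk of size 20GB or larger`, but /boot, the seven filesystem volumes and swap add up to 20448 MiB, which does not fit a 20 GB (decimal) disk at all and leaves only about 32 MiB on a 20 GiB one before LVM overhead; the comment should state the real minimum or the sizes should be trimmed. The same size concern applies to the patch 4 hunks for ssg-rhel9-cis_server_l1-ks.cfg and ssg-rhel9-cis_workstation_l1-ks.cfg, whose enlarged root volume brings those layouts to the same 20448 MiB. The `/var/tmp` `--fsoptions` also list the same three options in a different order from `/tmp` (`nodev,nosuid,noexec` vs `nodev,noexec,nosuid`), harmless but needlessly inconsistent.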
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
index 7aec7ffb2c..5a1bf4906e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
@@ -23,6 +23,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-90714-7
 cce@rhel8: CCE-90718-8
+ cce@rhel9: CCE-87872-8
 references:
 cis@rhel7: 5.3.21
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index 62b6f55e00..cf6c38d6f7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-83476-2
 cce@rhel8: CCE-83478-8
+ cce@rhel9: CCE-86354-8
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
index 8cc56eb876..0eae61281f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-83479-6
 cce@rhel8: CCE-83480-4
+ cce@rhel9: CCE-89176-2
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index c94de8fa3e..151ad1ebe2 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -22,6 +22,7 @@ severity: unknown
 identifiers:
 cce@rhel7: CCE-80199-3
 cce@rhel8: CCE-85914-0
+ cce@rhel9: CCE-88059-1
 references:
 cis-csc: 11,3,9
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index bc4fdcc7e0..d9c0be8ccf 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-83431-7
 cce@rhel8: CCE-85912-4
+ cce@rhel9: CCE-85925-6
 references:
 cis-csc: 12,13,14,15,16,18,3,5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6c33c2e85f..e80f25156e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -50,7 +50,6 @@ CCE-85921-5
 CCE-85922-3
 CCE-85923-1
 CCE-85924-9
-CCE-85925-6
 CCE-85926-4
 CCE-85927-2
 CCE-85928-0
@@ -458,7 +457,6 @@ CCE-86350-6
 CCE-86351-4
 CCE-86352-2
 CCE-86353-0
-CCE-86354-8
 CCE-86355-5
 CCE-86356-3
 CCE-86357-1
@@ -1016,7 +1014,6 @@ CCE-86919-8
 CCE-86920-6
 CCE-86921-4
 CCE-86922-2
-CCE-86923-0
 CCE-86924-8
 CCE-86925-5
 CCE-86926-3
@@ -1947,7 +1944,6 @@ CCE-87868-6
 CCE-87869-4
 CCE-87870-2
 CCE-87871-0
-CCE-87872-8
 CCE-87873-6
 CCE-87874-4
 CCE-87875-1
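Review bot: The hunk header for root_path_no_dot shows `severity: unknown`, so this rule enters the RHEL9 CIS draft with a freshly assigned CCE but still no severity rating, unlike the other five rules in this commit, which all carry `severity: medium`. The `severity:` line itself sits just outside the hunk, but assigning a value in the same change that gives the rule an identifier would keep the draft's rules consistently rated and avoid shipping an unranked control in a benchmark profile.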
@@ -2132,7 +2128,6 @@ CCE-88055-9
 CCE-88056-7
 CCE-88057-5
 CCE-88058-3
-CCE-88059-1
 CCE-88060-9
 CCE-88061-7
 CCE-88062-5
@@ -3226,7 +3221,6 @@ CCE-89171-3
 CCE-89172-1
 CCE-89173-9
 CCE-89174-7
-CCE-89176-2
 CCE-89177-0
 CCE-89178-8
 CCE-89179-6
From 6835e3d0d26ac210f2d376fdad647bb37cb22c8d Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Tue, 24 Aug 2021 10:43:22 +0200 Subject: [PATCH 4/4] Increase partition size for CIS kickstarts --- products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg | 2 +- products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg | 2 +- products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 2 +- products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
index d8d24e4394..1abcf90304 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup --pesize=4096 pv.01
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
index fb6d0ab9a4..e18e86f474 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
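Review bot: The new `--size=16896` for `/` in ssg-rhel9-cis_server_l1-ks.cfg is given with no comment on where the number comes from, and the commit message does not say either. It appears to be the old 10240 MiB plus the 6656 MiB that the Level 2 workstation kickstart from patch 2 splits out into /home, /var, /var/tmp, /var/log and /var/log/audit (1024+3072+1024+1024+512), which is worth recording so a later resize of either layout keeps them in step; a comment such as `# Sized so the Level 1 and Level 2 layouts need the same disk` above the line would do. The cis_workstation_l1 hunk that follows makes the identical change and deserves the same comment.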
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup --pesize=4096 pv.01
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016