From 7f366ca6916df9dd3cc3b50e3118adad77bcc04c Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 29 Jun 2021 14:37:28 +0100
Subject: [PATCH 01/55] Split RHEL 8 CIS profile into modular files
per-benchmark
---
products/rhel8/profiles/cis.profile | 1080 +----------------
products/rhel8/profiles/cis_server_l1.profile | 22 +
.../rhel8/profiles/cis_workstation_l1.profile | 22 +
.../rhel8/profiles/cis_workstation_l2.profile | 22 +
4 files changed, 72 insertions(+), 1074 deletions(-)
create mode 100644 products/rhel8/profiles/cis_server_l1.profile
create mode 100644 products/rhel8/profiles/cis_workstation_l1.profile
create mode 100644 products/rhel8/profiles/cis_workstation_l2.profile
diff --git a/products/rhel8/profiles/cis.profile b/products/rhel8/profiles/cis.profile
|
|
index c22ae86d076..4a00c24e0f7 100644
|
|
--- a/products/rhel8/profiles/cis.profile
|
|
+++ b/products/rhel8/profiles/cis.profile
|
|
@@ -1,1090 +1,22 @@
|
|
documentation_complete: true
|
|
|
|
metadata:
|
|
- version: 1.0.0
|
|
+ version: 1.0.1
|
|
SMEs:
|
|
- vojtapolasek
|
|
- yuumasato
|
|
|
|
reference: https://www.cisecurity.org/benchmark/red_hat_linux/
|
|
|
|
-title: 'CIS Red Hat Enterprise Linux 8 Benchmark'
|
|
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server'
|
|
|
|
description: |-
|
|
- This profile defines a baseline that aligns to the Center for Internet Security®
|
|
- Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019.
|
|
+ This profile defines a baseline that aligns to the "Level 2 - Server"
|
|
+ configuration from the Center for Internet Security® Red Hat Enterprise
|
|
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
|
|
|
|
This profile includes Center for Internet Security®
|
|
Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
|
|
|
selections:
|
|
- # Necessary for dconf rules
|
|
- - dconf_db_up_to_date
|
|
-
|
|
- ### Partitioning
|
|
- - mount_option_home_nodev
|
|
-
|
|
- ## 1.1 Filesystem Configuration
|
|
-
|
|
- ### 1.1.1 Disable unused filesystems
|
|
-
|
|
- #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
|
|
- - kernel_module_cramfs_disabled
|
|
-
|
|
- #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
|
|
-
|
|
-
|
|
- #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
|
|
- - kernel_module_squashfs_disabled
|
|
-
|
|
- #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
|
|
- - kernel_module_udf_disabled
|
|
-
|
|
- ### 1.1.2 Ensure /tmp is configured (Scored)
|
|
- - partition_for_tmp
|
|
-
|
|
- ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
|
|
- - mount_option_tmp_nodev
|
|
-
|
|
- ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
|
|
- - mount_option_tmp_nosuid
|
|
-
|
|
- ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
|
|
- - mount_option_tmp_noexec
|
|
-
|
|
- ### 1.1.6 Ensure separate partition exists for /var (Scored)
|
|
- - partition_for_var
|
|
-
|
|
- ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
|
|
- - partition_for_var_tmp
|
|
-
|
|
- ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
|
|
- - mount_option_var_tmp_nodev
|
|
-
|
|
- ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
|
|
- - mount_option_var_tmp_nosuid
|
|
-
|
|
- ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
|
|
- - mount_option_var_tmp_noexec
|
|
-
|
|
- ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
|
|
- - partition_for_var_log
|
|
-
|
|
- ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
|
|
- - partition_for_var_log_audit
|
|
-
|
|
- ### 1.1.13 Ensure separate partition exists for /home (Scored)
|
|
- - partition_for_home
|
|
-
|
|
- ### 1.1.14 Ensure nodev option set on /home partition (Scored)
|
|
- - mount_option_home_nodev
|
|
-
|
|
- ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
|
|
- - mount_option_dev_shm_nodev
|
|
-
|
|
- ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
|
|
- - mount_option_dev_shm_nosuid
|
|
-
|
|
- ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
|
|
- - mount_option_dev_shm_noexec
|
|
-
|
|
- ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
|
|
- - mount_option_nodev_removable_partitions
|
|
-
|
|
- ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
|
|
- - mount_option_nosuid_removable_partitions
|
|
-
|
|
- ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
|
|
- - mount_option_noexec_removable_partitions
|
|
-
|
|
- ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
|
|
- - dir_perms_world_writable_sticky_bits
|
|
-
|
|
- ### 1.1.22 Disable Automounting (Scored)
|
|
- - service_autofs_disabled
|
|
-
|
|
- ### 1.1.23 Disable USB Storage (Scored)
|
|
- - kernel_module_usb-storage_disabled
|
|
-
|
|
- ## 1.2 Configure Software Updates
|
|
-
|
|
- ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
|
|
-
|
|
- ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
|
|
- - service_rhnsd_disabled
|
|
-
|
|
- ### 1.2.3 Ensure GPG keys are configured (Not Scored)
|
|
- - ensure_redhat_gpgkey_installed
|
|
-
|
|
- ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
|
|
- - ensure_gpgcheck_globally_activated
|
|
-
|
|
- ### 1.2.5 Ensure package manager repositories are configured (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
|
|
-
|
|
- ## 1.3 Configure sudo
|
|
-
|
|
- ### 1.3.1 Ensure sudo is installed (Scored)
|
|
- - package_sudo_installed
|
|
-
|
|
- ### 1.3.2 Ensure sudo commands use pty (Scored)
|
|
- - sudo_add_use_pty
|
|
-
|
|
- ### 1.3.3 Ensure sudo log file exists (Scored)
|
|
- - sudo_custom_logfile
|
|
-
|
|
- ## 1.4 Filesystem Integrity Checking
|
|
-
|
|
- ### 1.4.1 Ensure AIDE is installed (Scored)
|
|
- - package_aide_installed
|
|
-
|
|
- ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
|
|
- - aide_periodic_cron_checking
|
|
-
|
|
- ## Secure Boot Settings
|
|
-
|
|
- ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
|
|
- #### chown root:root /boot/grub2/grub.cfg
|
|
- - file_owner_grub2_cfg
|
|
- - file_groupowner_grub2_cfg
|
|
-
|
|
- #### chmod og-rwx /boot/grub2/grub.cfg
|
|
- - file_permissions_grub2_cfg
|
|
-
|
|
- #### chown root:root /boot/grub2/grubenv
|
|
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
|
|
-
|
|
- #### chmod og-rwx /boot/grub2/grubenv
|
|
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
|
|
-
|
|
- ### 1.5.2 Ensure bootloader password is set (Scored)
|
|
- - grub2_password
|
|
-
|
|
- ### 1.5.3 Ensure authentication required for single user mode (Scored)
|
|
- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
|
|
- - require_singleuser_auth
|
|
-
|
|
- #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
|
|
- - require_emergency_target_auth
|
|
-
|
|
- ## 1.6 Additional Process Hardening
|
|
-
|
|
- ### 1.6.1 Ensure core dumps are restricted (Scored)
|
|
- #### * hard core 0
|
|
- - disable_users_coredumps
|
|
-
|
|
- #### fs.suid_dumpable = 0
|
|
- - sysctl_fs_suid_dumpable
|
|
-
|
|
- #### ProcessSizeMax=0
|
|
- - coredump_disable_backtraces
|
|
-
|
|
- #### Storage=none
|
|
- - coredump_disable_storage
|
|
-
|
|
- ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
|
|
- - sysctl_kernel_randomize_va_space
|
|
-
|
|
- ## 1.7 Mandatory Access Control
|
|
-
|
|
- ### 1.7.1 Configure SELinux
|
|
-
|
|
- #### 1.7.1.1 Ensure SELinux is installed (Scored)
|
|
- - package_libselinux_installed
|
|
-
|
|
- #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
|
|
- - grub2_enable_selinux
|
|
-
|
|
- #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
|
|
- - var_selinux_policy_name=targeted
|
|
- - selinux_policytype
|
|
-
|
|
- #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
|
|
- - var_selinux_state=enforcing
|
|
- - selinux_state
|
|
-
|
|
- #### 1.7.1.5 Ensure no unconfied services exist (Scored)
|
|
- - selinux_confinement_of_daemons
|
|
-
|
|
- #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
|
|
- - package_setroubleshoot_removed
|
|
-
|
|
- #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
|
|
- - package_mcstrans_removed
|
|
-
|
|
- ## Warning Banners
|
|
-
|
|
- ### 1.8.1 Command Line Warning Baners
|
|
-
|
|
- #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
|
|
- - banner_etc_motd
|
|
-
|
|
- #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
|
|
- - banner_etc_issue
|
|
-
|
|
- #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
|
|
-
|
|
- #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
|
|
- # chmod u-x,go-wx /etc/motd
|
|
- - file_permissions_etc_motd
|
|
-
|
|
- #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
|
|
- # chmod u-x,go-wx /etc/issue
|
|
- - file_permissions_etc_issue
|
|
-
|
|
- #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
|
|
- # Previously addressed via 'rpm_verify_permissions' rule
|
|
-
|
|
- ### 1.8.2 Ensure GDM login banner is configured (Scored)
|
|
- #### banner-message-enable=true
|
|
- - dconf_gnome_banner_enabled
|
|
-
|
|
- #### banner-message-text='<banner message>'
|
|
- - dconf_gnome_login_banner_text
|
|
-
|
|
- ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
|
|
- - security_patches_up_to_date
|
|
-
|
|
- ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
|
|
- - var_system_crypto_policy=future
|
|
- - configure_crypto_policy
|
|
-
|
|
- ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
|
|
- # Previously addressed via 'configure_crypto_policy' rule
|
|
-
|
|
- # Services
|
|
-
|
|
- ## 2.1 inetd Services
|
|
-
|
|
- ### 2.1.1 Ensure xinetd is not installed (Scored)
|
|
- - package_xinetd_removed
|
|
-
|
|
- ## 2.2 Special Purpose Services
|
|
-
|
|
- ### 2.2.1 Time Synchronization
|
|
-
|
|
- #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
|
|
- - package_chrony_installed
|
|
-
|
|
- #### 2.2.1.2 Ensure chrony is configured (Scored)
|
|
- - service_chronyd_enabled
|
|
- - chronyd_specify_remote_server
|
|
- - chronyd_run_as_chrony_user
|
|
-
|
|
- ### 2.2.2 Ensure X Window System is not installed (Scored)
|
|
- - package_xorg-x11-server-common_removed
|
|
- - xwindows_runlevel_target
|
|
-
|
|
- ### 2.2.3 Ensure rsync service is not enabled (Scored)
|
|
- - service_rsyncd_disabled
|
|
-
|
|
- ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
|
|
- - service_avahi-daemon_disabled
|
|
-
|
|
- ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
|
|
- - service_snmpd_disabled
|
|
-
|
|
- ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
|
|
- - package_squid_removed
|
|
-
|
|
- ### 2.2.7 Ensure Samba is not enabled (Scored)
|
|
- - service_smb_disabled
|
|
-
|
|
- ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
|
|
- - service_dovecot_disabled
|
|
-
|
|
- ### 2.2.9 Ensure HTTP server is not enabled (Scored)
|
|
- - service_httpd_disabled
|
|
-
|
|
- ### 2.2.10 Ensure FTP Server is not enabled (Scored)
|
|
- - service_vsftpd_disabled
|
|
-
|
|
- ### 2.2.11 Ensure DNS Server is not enabled (Scored)
|
|
- - service_named_disabled
|
|
-
|
|
- ### 2.2.12 Ensure NFS is not enabled (Scored)
|
|
- - service_nfs_disabled
|
|
-
|
|
- ### 2.2.13 Ensure RPC is not enabled (Scored)
|
|
- - service_rpcbind_disabled
|
|
-
|
|
- ### 2.2.14 Ensure LDAP service is not enabled (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
|
|
-
|
|
- ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
|
|
- - service_dhcpd_disabled
|
|
-
|
|
- ### 2.2.16 Ensure CUPS is not enabled (Scored)
|
|
- - service_cups_disabled
|
|
-
|
|
- ### 2.2.17 Ensure NIS Server is not enabled (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
|
|
-
|
|
- ### 2.2.18 Ensure mail transfer agent is configured for
|
|
- ### local-only mode (Scored)
|
|
- - postfix_network_listening_disabled
|
|
-
|
|
- ## 2.3 Service Clients
|
|
-
|
|
- ### 2.3.1 Ensure NIS Client is not installed (Scored)
|
|
- - package_ypbind_removed
|
|
-
|
|
- ### 2.3.2 Ensure telnet client is not installed (Scored)
|
|
- - package_telnet_removed
|
|
-
|
|
- ### Ensure LDAP client is not installed
|
|
- - package_openldap-clients_removed
|
|
-
|
|
- # 3 Network Configuration
|
|
-
|
|
- ## 3.1 Network Parameters (Host Only)
|
|
-
|
|
- ### 3.1.1 Ensure IP forwarding is disabled (Scored)
|
|
- #### net.ipv4.ip_forward = 0
|
|
- - sysctl_net_ipv4_ip_forward
|
|
-
|
|
- #### net.ipv6.conf.all.forwarding = 0
|
|
- - sysctl_net_ipv6_conf_all_forwarding
|
|
-
|
|
- ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
|
|
- #### net.ipv4.conf.all.send_redirects = 0
|
|
- - sysctl_net_ipv4_conf_all_send_redirects
|
|
-
|
|
- #### net.ipv4.conf.default.send_redirects = 0
|
|
- - sysctl_net_ipv4_conf_default_send_redirects
|
|
-
|
|
- ## 3.2 Network Parameters (Host and Router)
|
|
-
|
|
- ### 3.2.1 Ensure source routed packets are not accepted (Scored)
|
|
- #### net.ipv4.conf.all.accept_source_route = 0
|
|
- - sysctl_net_ipv4_conf_all_accept_source_route
|
|
-
|
|
- #### net.ipv4.conf.default.accept_source_route = 0
|
|
- - sysctl_net_ipv4_conf_default_accept_source_route
|
|
-
|
|
- #### net.ipv6.conf.all.accept_source_route = 0
|
|
- - sysctl_net_ipv6_conf_all_accept_source_route
|
|
-
|
|
- #### net.ipv6.conf.default.accept_source_route = 0
|
|
- - sysctl_net_ipv6_conf_default_accept_source_route
|
|
-
|
|
- ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
|
|
- #### net.ipv4.conf.all.accept_redirects = 0
|
|
- - sysctl_net_ipv4_conf_all_accept_redirects
|
|
-
|
|
- #### net.ipv4.conf.default.accept_redirects
|
|
- - sysctl_net_ipv4_conf_default_accept_redirects
|
|
-
|
|
- #### net.ipv6.conf.all.accept_redirects = 0
|
|
- - sysctl_net_ipv6_conf_all_accept_redirects
|
|
-
|
|
- #### net.ipv6.conf.defaults.accept_redirects = 0
|
|
- - sysctl_net_ipv6_conf_default_accept_redirects
|
|
-
|
|
- ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
|
|
- #### net.ipv4.conf.all.secure_redirects = 0
|
|
- - sysctl_net_ipv4_conf_all_secure_redirects
|
|
-
|
|
- #### net.ipv4.cof.default.secure_redirects = 0
|
|
- - sysctl_net_ipv4_conf_default_secure_redirects
|
|
-
|
|
- ### 3.2.4 Ensure suspicious packets are logged (Scored)
|
|
- #### net.ipv4.conf.all.log_martians = 1
|
|
- - sysctl_net_ipv4_conf_all_log_martians
|
|
-
|
|
- #### net.ipv4.conf.default.log_martians = 1
|
|
- - sysctl_net_ipv4_conf_default_log_martians
|
|
-
|
|
- ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
|
|
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
|
-
|
|
- ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
|
|
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
|
-
|
|
- ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
|
|
- #### net.ipv4.conf.all.rp_filter = 1
|
|
- - sysctl_net_ipv4_conf_all_rp_filter
|
|
-
|
|
- #### net.ipv4.conf.default.rp_filter = 1
|
|
- - sysctl_net_ipv4_conf_default_rp_filter
|
|
-
|
|
- ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
|
|
- - sysctl_net_ipv4_tcp_syncookies
|
|
-
|
|
- ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
|
|
- #### net.ipv6.conf.all.accept_ra = 0
|
|
- - sysctl_net_ipv6_conf_all_accept_ra
|
|
-
|
|
- #### net.ipv6.conf.default.accept_ra = 0
|
|
- - sysctl_net_ipv6_conf_default_accept_ra
|
|
-
|
|
- ## 3.3 Uncommon Network Protocols
|
|
-
|
|
- ### 3.3.1 Ensure DCCP is disabled (Scored)
|
|
- - kernel_module_dccp_disabled
|
|
-
|
|
- ### Ensure SCTP is disabled (Scored)
|
|
- - kernel_module_sctp_disabled
|
|
-
|
|
- ### 3.3.3 Ensure RDS is disabled (Scored)
|
|
- - kernel_module_rds_disabled
|
|
-
|
|
- ### 3.3.4 Ensure TIPC is disabled (Scored)
|
|
- - kernel_module_tipc_disabled
|
|
-
|
|
- ## 3.4 Firewall Configuration
|
|
-
|
|
- ### 3.4.1 Ensure Firewall software is installed
|
|
-
|
|
- #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
|
|
- ##### firewalld
|
|
- - package_firewalld_installed
|
|
-
|
|
- ##### nftables
|
|
- #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
|
|
-
|
|
- ##### iptables
|
|
- #- package_iptables_installed
|
|
-
|
|
- ### 3.4.2 Configure firewalld
|
|
-
|
|
- #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
|
|
- - service_firewalld_enabled
|
|
-
|
|
- #### 3.4.2.2 Ensure iptables is not enabled (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
|
|
-
|
|
- #### 3.4.2.3 Ensure nftables is not enabled (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
|
|
-
|
|
- #### 3.4.2.4 Ensure default zone is set (Scored)
|
|
- - set_firewalld_default_zone
|
|
-
|
|
- #### 3.4.2.5 Ensure network interfaces are assigned to
|
|
- #### appropriate zone (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
|
|
-
|
|
- #### 3.4.2.6 Ensure unnecessary services and ports are not
|
|
- #### accepted (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
|
|
-
|
|
- ### 3.4.3 Configure nftables
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
|
|
-
|
|
- #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
|
|
-
|
|
- #### 3.4.3.2 Ensure a table exists (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
|
|
-
|
|
- #### 3.4.3.3 Ensure base chains exist (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
|
|
-
|
|
- #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
|
|
-
|
|
- #### 3.4.3.5 Ensure outbound and established connections are
|
|
- #### configured (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
|
|
-
|
|
- #### 3.4.3.6 Ensure default deny firewall policy (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
|
|
-
|
|
- #### 3.4.3.7 Ensure nftables service is enabled (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
|
|
-
|
|
- #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
|
|
-
|
|
- ### 3.4.4 Configure iptables
|
|
-
|
|
- #### 3.4.4.1 Configure IPv4 iptables
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
|
|
-
|
|
- ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
|
|
-
|
|
- ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
|
|
-
|
|
- ##### 3.4.4.1.3 Ensure outbound and established connections are
|
|
- ##### configured (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
|
|
-
|
|
- ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
|
|
-
|
|
- #### 3.4.4.2 Configure IPv6 ip6tables
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
|
|
-
|
|
- ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
|
|
-
|
|
- ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
|
|
-
|
|
- ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
|
|
- ##### configured (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
|
|
-
|
|
- ## 3.5 Ensure wireless interfaces are disabled (Scored)
|
|
- - wireless_disable_interfaces
|
|
-
|
|
- ## 3.6 Disable IPv6 (Not Scored)
|
|
- - kernel_module_ipv6_option_disabled
|
|
-
|
|
- # Logging and Auditing
|
|
-
|
|
- ## 4.1 Configure System Accounting (auditd)
|
|
-
|
|
- ### 4.1.1 Ensure auditing is enabled
|
|
-
|
|
- #### 4.1.1.1 Ensure auditd is installed (Scored)
|
|
- - package_audit_installed
|
|
-
|
|
- #### 4.1.1.2 Ensure auditd service is enabled (Scored)
|
|
- - service_auditd_enabled
|
|
-
|
|
- #### 4.1.1.3 Ensure auditing for processes that start prior to audit
|
|
- #### is enabled (Scored)
|
|
- - grub2_audit_argument
|
|
-
|
|
- #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
|
|
- - grub2_audit_backlog_limit_argument
|
|
-
|
|
- ### 4.1.2 Configure Data Retention
|
|
-
|
|
- #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
|
|
- - auditd_data_retention_max_log_file
|
|
-
|
|
- #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
|
|
- - auditd_data_retention_max_log_file_action
|
|
-
|
|
- #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
|
|
- - var_auditd_space_left_action=email
|
|
- - auditd_data_retention_space_left_action
|
|
-
|
|
- ##### action_mail_acct = root
|
|
- - var_auditd_action_mail_acct=root
|
|
- - auditd_data_retention_action_mail_acct
|
|
-
|
|
- ##### admin_space_left_action = halt
|
|
- - var_auditd_admin_space_left_action=halt
|
|
- - auditd_data_retention_admin_space_left_action
|
|
-
|
|
- ### 4.1.3 Ensure changes to system administration scope
|
|
- ### (sudoers) is collected (Scored)
|
|
- - audit_rules_sysadmin_actions
|
|
-
|
|
- ### 4.1.4 Ensure login and logout events are collected (Scored)
|
|
- - audit_rules_login_events_faillock
|
|
- - audit_rules_login_events_lastlog
|
|
-
|
|
- ### 4.1.5 Ensure session initiation information is collected (Scored)
|
|
- - audit_rules_session_events
|
|
-
|
|
- ### 4.1.6 Ensure events that modify date and time information
|
|
- ### are collected (Scored)
|
|
- #### adjtimex
|
|
- - audit_rules_time_adjtimex
|
|
-
|
|
- #### settimeofday
|
|
- - audit_rules_time_settimeofday
|
|
-
|
|
- #### stime
|
|
- - audit_rules_time_stime
|
|
-
|
|
- #### clock_settime
|
|
- - audit_rules_time_clock_settime
|
|
-
|
|
- #### -w /etc/localtime -p wa
|
|
- - audit_rules_time_watch_localtime
|
|
-
|
|
- ### 4.1.7 Ensure events that modify the system's Mandatory
|
|
- ### Access Control are collected (Scored)
|
|
- #### -w /etc/selinux/ -p wa
|
|
- - audit_rules_mac_modification
|
|
-
|
|
- #### -w /usr/share/selinux/ -p wa
|
|
- # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
|
|
-
|
|
- ### 4.1.8 Ensure events that modify the system's network
|
|
- ### enironment are collected (Scored)
|
|
- - audit_rules_networkconfig_modification
|
|
-
|
|
- ### 4.1.9 Ensure discretionary access control permission modification
|
|
- ### events are collected (Scored)
|
|
- - audit_rules_dac_modification_chmod
|
|
- - audit_rules_dac_modification_fchmod
|
|
- - audit_rules_dac_modification_fchmodat
|
|
- - audit_rules_dac_modification_chown
|
|
- - audit_rules_dac_modification_fchown
|
|
- - audit_rules_dac_modification_fchownat
|
|
- - audit_rules_dac_modification_lchown
|
|
- - audit_rules_dac_modification_setxattr
|
|
- - audit_rules_dac_modification_lsetxattr
|
|
- - audit_rules_dac_modification_fsetxattr
|
|
- - audit_rules_dac_modification_removexattr
|
|
- - audit_rules_dac_modification_lremovexattr
|
|
- - audit_rules_dac_modification_fremovexattr
|
|
-
|
|
- ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
|
|
- ### collected (Scored)
|
|
- - audit_rules_unsuccessful_file_modification_creat
|
|
- - audit_rules_unsuccessful_file_modification_open
|
|
- - audit_rules_unsuccessful_file_modification_openat
|
|
- - audit_rules_unsuccessful_file_modification_truncate
|
|
- - audit_rules_unsuccessful_file_modification_ftruncate
|
|
- # Opinionated selection
|
|
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
|
|
-
|
|
- ### 4.1.11 Ensure events that modify user/group information are
|
|
- ### collected (Scored)
|
|
- - audit_rules_usergroup_modification_passwd
|
|
- - audit_rules_usergroup_modification_group
|
|
- - audit_rules_usergroup_modification_gshadow
|
|
- - audit_rules_usergroup_modification_shadow
|
|
- - audit_rules_usergroup_modification_opasswd
|
|
-
|
|
- ### 4.1.12 Ensure successful file system mounts are collected (Scored)
|
|
- - audit_rules_media_export
|
|
-
|
|
- ### 4.1.13 Ensure use of privileged commands is collected (Scored)
|
|
- - audit_rules_privileged_commands
|
|
-
|
|
- ### 4.1.14 Ensure file deletion events by users are collected
|
|
- ### (Scored)
|
|
- - audit_rules_file_deletion_events_unlink
|
|
- - audit_rules_file_deletion_events_unlinkat
|
|
- - audit_rules_file_deletion_events_rename
|
|
- - audit_rules_file_deletion_events_renameat
|
|
- # Opinionated selection
|
|
- - audit_rules_file_deletion_events_rmdir
|
|
-
|
|
- ### 4.1.15 Ensure kernel module loading and unloading is collected
|
|
- ### (Scored)
|
|
- - audit_rules_kernel_module_loading
|
|
-
|
|
- ### 4.1.16 Ensure system administrator actions (sudolog) are
|
|
- ### collected (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
|
|
-
|
|
- ### 4.1.17 Ensure the audit configuration is immutable (Scored)
|
|
- - audit_rules_immutable
|
|
-
|
|
- ## 4.2 Configure Logging
|
|
-
|
|
- ### 4.2.1 Configure rsyslog
|
|
-
|
|
- #### 4.2.1.1 Ensure rsyslog is installed (Scored)
|
|
- - package_rsyslog_installed
|
|
-
|
|
- #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
|
|
- - service_rsyslog_enabled
|
|
-
|
|
- #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
|
|
- - rsyslog_files_permissions
|
|
-
|
|
- #### 4.2.1.4 Ensure logging is configured (Not Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
|
|
-
|
|
- #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
|
|
- #### log host (Scored)
|
|
- - rsyslog_remote_loghost
|
|
-
|
|
- #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
|
|
- #### designated log hosts (Not Scored)
|
|
- - rsyslog_nolisten
|
|
-
|
|
- ### 4.2.2 Configure journald
|
|
-
|
|
- #### 4.2.2.1 Ensure journald is configured to send logs to
|
|
- #### rsyslog (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
|
|
-
|
|
- #### 4.2.2.2 Ensure journald is configured to compress large
|
|
- #### log files (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
|
|
-
|
|
-
|
|
- #### 4.2.2.3 Ensure journald is configured to write logfiles to
|
|
- #### persistent disk (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
|
|
-
|
|
- ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
|
|
-
|
|
- ## 4.3 Ensure logrotate is configured (Not Scored)
|
|
-
|
|
- # 5 Access, Authentication and Authorization
|
|
-
|
|
- ## 5.1 Configure cron
|
|
-
|
|
- ### 5.1.1 Ensure cron daemon is enabled (Scored)
|
|
- - service_crond_enabled
|
|
-
|
|
-
|
|
- ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
|
|
- # chown root:root /etc/crontab
|
|
- - file_owner_crontab
|
|
- - file_groupowner_crontab
|
|
- # chmod og-rwx /etc/crontab
|
|
- - file_permissions_crontab
|
|
-
|
|
- ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
|
|
- # chown root:root /etc/cron.hourly
|
|
- - file_owner_cron_hourly
|
|
- - file_groupowner_cron_hourly
|
|
- # chmod og-rwx /etc/cron.hourly
|
|
- - file_permissions_cron_hourly
|
|
-
|
|
- ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
|
|
- # chown root:root /etc/cron.daily
|
|
- - file_owner_cron_daily
|
|
- - file_groupowner_cron_daily
|
|
- # chmod og-rwx /etc/cron.daily
|
|
- - file_permissions_cron_daily
|
|
-
|
|
- ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
|
|
- # chown root:root /etc/cron.weekly
|
|
- - file_owner_cron_weekly
|
|
- - file_groupowner_cron_weekly
|
|
- # chmod og-rwx /etc/cron.weekly
|
|
- - file_permissions_cron_weekly
|
|
-
|
|
- ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
|
|
- # chown root:root /etc/cron.monthly
|
|
- - file_owner_cron_monthly
|
|
- - file_groupowner_cron_monthly
|
|
- # chmod og-rwx /etc/cron.monthly
|
|
- - file_permissions_cron_monthly
|
|
-
|
|
- ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
|
|
- # chown root:root /etc/cron.d
|
|
- - file_owner_cron_d
|
|
- - file_groupowner_cron_d
|
|
- # chmod og-rwx /etc/cron.d
|
|
- - file_permissions_cron_d
|
|
-
|
|
- ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
|
|
-
|
|
-
|
|
- ## 5.2 SSH Server Configuration
|
|
-
|
|
- ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
|
|
- # chown root:root /etc/ssh/sshd_config
|
|
- - file_owner_sshd_config
|
|
- - file_groupowner_sshd_config
|
|
-
|
|
- # chmod og-rwx /etc/ssh/sshd_config
|
|
- - file_permissions_sshd_config
|
|
-
|
|
- ### 5.2.2 Ensure SSH access is limited (Scored)
|
|
-
|
|
-
|
|
- ### 5.2.3 Ensure permissions on SSH private host key files are
|
|
- ### configured (Scored)
|
|
- # TO DO: The rule sets to 640, but benchmark wants 600
|
|
- - file_permissions_sshd_private_key
|
|
- # TO DO: check owner of private keys in /etc/ssh is root:root
|
|
-
|
|
- ### 5.2.4 Ensure permissions on SSH public host key files are configured
|
|
- ### (Scored)
|
|
- - file_permissions_sshd_pub_key
|
|
- # TO DO: check owner of pub keys in /etc/ssh is root:root
|
|
-
|
|
- ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
|
|
- - sshd_set_loglevel_info
|
|
-
|
|
- ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
|
|
- - sshd_disable_x11_forwarding
|
|
-
|
|
- ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
|
|
- - sshd_max_auth_tries_value=4
|
|
- - sshd_set_max_auth_tries
|
|
-
|
|
- ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
|
|
- - sshd_disable_rhosts
|
|
-
|
|
- ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
|
|
- - disable_host_auth
|
|
-
|
|
- ### 5.2.10 Ensure SSH root login is disabled (Scored)
|
|
- - sshd_disable_root_login
|
|
-
|
|
- ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
|
|
- - sshd_disable_empty_passwords
|
|
-
|
|
- ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
|
|
- - sshd_do_not_permit_user_env
|
|
-
|
|
- ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
|
|
- # ClientAliveInterval 300
|
|
- - sshd_idle_timeout_value=5_minutes
|
|
- - sshd_set_idle_timeout
|
|
-
|
|
- # ClientAliveCountMax 0
|
|
- - var_sshd_set_keepalive=0
|
|
- - sshd_set_keepalive_0
|
|
-
|
|
- ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
|
|
- ### or less (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
|
|
-
|
|
- ### 5.2.15 Ensure SSH warning banner is configured (Scored)
|
|
- - sshd_enable_warning_banner
|
|
-
|
|
- ### 5.2.16 Ensure SSH PAM is enabled (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
|
|
-
|
|
- ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
|
|
- - sshd_disable_tcp_forwarding
|
|
-
|
|
- ### 5.2.18 Ensure SSH MaxStartups is configured (Scored)
|
|
- - sshd_set_maxstartups
|
|
- - var_sshd_set_maxstartups=10:30:60
|
|
-
|
|
- ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
|
|
- - sshd_set_max_sessions
|
|
- - var_sshd_max_sessions=4
|
|
-
|
|
- ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
|
|
- - configure_ssh_crypto_policy
|
|
-
|
|
- ## 5.3 Configure authselect
|
|
-
|
|
-
|
|
- ### 5.3.1 Create custom authselectet profile (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
|
|
-
|
|
- ### 5.3.2 Select authselect profile (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
|
|
-
|
|
- ### 5.3.3 Ensure authselect includes with-faillock (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
|
|
-
|
|
- ## 5.4 Configure PAM
|
|
-
|
|
- ### 5.4.1 Ensure password creation requirements are configured (Scored)
|
|
- # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
|
|
- - accounts_password_pam_retry
|
|
- - var_password_pam_minlen=14
|
|
- - accounts_password_pam_minlen
|
|
- - var_password_pam_minclass=4
|
|
- - accounts_password_pam_minclass
|
|
-
|
|
- ### 5.4.2 Ensure lockout for failed password attempts is
|
|
- ### configured (Scored)
|
|
- - var_accounts_passwords_pam_faillock_unlock_time=900
|
|
- - var_accounts_passwords_pam_faillock_deny=5
|
|
- - accounts_passwords_pam_faillock_unlock_time
|
|
- - accounts_passwords_pam_faillock_deny
|
|
-
|
|
- ### 5.4.3 Ensure password reuse is limited (Scored)
|
|
- - var_password_pam_unix_remember=5
|
|
- - accounts_password_pam_unix_remember
|
|
-
|
|
- ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
|
|
- - set_password_hashing_algorithm_systemauth
|
|
-
|
|
- ## 5.5 User Accounts and Environment
|
|
-
|
|
- ### 5.5.1 Set Shadow Password Suite Parameters
|
|
-
|
|
- #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
|
|
- - var_accounts_maximum_age_login_defs=365
|
|
- - accounts_maximum_age_login_defs
|
|
-
|
|
- #### 5.5.1.2 Ensure minimum days between password changes is 7
|
|
- #### or more (Scored)
|
|
- - var_accounts_minimum_age_login_defs=7
|
|
- - accounts_minimum_age_login_defs
|
|
-
|
|
- #### 5.5.1.3 Ensure password expiration warning days is
|
|
- #### 7 or more (Scored)
|
|
- - var_accounts_password_warn_age_login_defs=7
|
|
- - accounts_password_warn_age_login_defs
|
|
-
|
|
- #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
|
|
- # TODO: Rule doesn't check list of users
|
|
- # https://github.com/ComplianceAsCode/content/issues/5536
|
|
- - var_account_disable_post_pw_expiration=30
|
|
- - account_disable_post_pw_expiration
|
|
-
|
|
- #### 5.5.1.5 Ensure all users last password change date is
|
|
- #### in the past (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
|
|
-
|
|
- ### 5.5.2 Ensure system accounts are secured (Scored)
|
|
- - no_shelllogin_for_systemaccounts
|
|
-
|
|
- ### 5.5.3 Ensure default user shell timeout is 900 seconds
|
|
- ### or less (Scored)
|
|
- - var_accounts_tmout=15_min
|
|
- - accounts_tmout
|
|
-
|
|
- ### 5.5.4 Ensure default group for the root account is
|
|
- ### GID 0 (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
|
|
-
|
|
- ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
|
|
- - var_accounts_user_umask=027
|
|
- - accounts_umask_etc_bashrc
|
|
- - accounts_umask_etc_profile
|
|
-
|
|
- ## 5.6 Ensure root login is restricted to system console (Not Scored)
|
|
- - securetty_root_login_console_only
|
|
- - no_direct_root_logins
|
|
-
|
|
- ## 5.7 Ensure access to the su command is restricted (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
|
|
-
|
|
- # System Maintenance
|
|
-
|
|
- ## 6.1 System File Permissions
|
|
-
|
|
- ### 6.1.1 Audit system file permissions (Not Scored)
|
|
- - rpm_verify_permissions
|
|
- - rpm_verify_ownership
|
|
-
|
|
- ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
|
|
- # chown root:root /etc/passwd
|
|
- - file_owner_etc_passwd
|
|
- - file_groupowner_etc_passwd
|
|
-
|
|
- # chmod 644 /etc/passwd
|
|
- - file_permissions_etc_passwd
|
|
-
|
|
- ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
|
|
- # chown root:root /etc/shadow
|
|
- - file_owner_etc_shadow
|
|
- - file_groupowner_etc_shadow
|
|
-
|
|
- # chmod o-rwx,g-wx /etc/shadow
|
|
- - file_permissions_etc_shadow
|
|
-
|
|
- ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
|
|
- # chown root:root /etc/group
|
|
- - file_owner_etc_group
|
|
- - file_groupowner_etc_group
|
|
-
|
|
- # chmod 644 /etc/group
|
|
- - file_permissions_etc_group
|
|
-
|
|
- ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
|
|
- # chown root:root /etc/gshadow
|
|
- - file_owner_etc_gshadow
|
|
- - file_groupowner_etc_gshadow
|
|
-
|
|
- # chmod o-rwx,g-rw /etc/gshadow
|
|
- - file_permissions_etc_gshadow
|
|
-
|
|
- ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
|
|
- # chown root:root /etc/passwd-
|
|
- - file_owner_backup_etc_passwd
|
|
- - file_groupowner_backup_etc_passwd
|
|
-
|
|
- # chmod 644 /etc/passwd-
|
|
- - file_permissions_backup_etc_passwd
|
|
-
|
|
- ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
|
|
- # chown root:root /etc/shadow-
|
|
- - file_owner_backup_etc_shadow
|
|
- - file_groupowner_backup_etc_shadow
|
|
-
|
|
- # chmod 0000 /etc/shadow-
|
|
- - file_permissions_backup_etc_shadow
|
|
-
|
|
- ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
|
|
- # chown root:root /etc/group-
|
|
- - file_owner_backup_etc_group
|
|
- - file_groupowner_backup_etc_group
|
|
-
|
|
- # chmod 644 /etc/group-
|
|
- - file_permissions_backup_etc_group
|
|
-
|
|
- ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
|
|
- # chown root:root /etc/gshadow-
|
|
- - file_owner_backup_etc_gshadow
|
|
- - file_groupowner_backup_etc_gshadow
|
|
-
|
|
- # chmod 0000 /etc/gshadow-
|
|
- - file_permissions_backup_etc_gshadow
|
|
-
|
|
- ### 6.1.10 Ensure no world writable files exist (Scored)
|
|
- - file_permissions_unauthorized_world_writable
|
|
-
|
|
- ### 6.1.11 Ensure no unowned files or directories exist (Scored)
|
|
- - no_files_unowned_by_user
|
|
-
|
|
- ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
|
|
- - file_permissions_ungroupowned
|
|
-
|
|
- ### 6.1.13 Audit SUID executables (Not Scored)
|
|
- - file_permissions_unauthorized_suid
|
|
-
|
|
- ### 6.1.14 Audit SGID executables (Not Scored)
|
|
- - file_permissions_unauthorized_sgid
|
|
-
|
|
- ## 6.2 User and Group Settings
|
|
-
|
|
- ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
|
|
- - no_legacy_plus_entries_etc_passwd
|
|
-
|
|
- ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
|
|
- - no_legacy_plus_entries_etc_shadow
|
|
-
|
|
- ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
|
|
- - no_legacy_plus_entries_etc_group
|
|
-
|
|
- ### 6.2.6 Ensure root is the only UID 0 account (Scored)
|
|
- - accounts_no_uid_except_zero
|
|
-
|
|
- ### 6.2.7 Ensure users' home directories permissions are 750
|
|
- ### or more restrictive (Scored)
|
|
- - file_permissions_home_dirs
|
|
-
|
|
- ### 6.2.8 Ensure users own their home directories (Scored)
|
|
- # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
|
|
- - file_groupownership_home_directories
|
|
-
|
|
- ### 6.2.9 Ensure users' dot files are not group or world
|
|
- ### writable (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
|
|
-
|
|
- ### 6.2.10 Ensure no users have .forward files (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
|
|
-
|
|
- ### 6.2.11 Ensure no users have .netrc files (Scored)
|
|
- - no_netrc_files
|
|
-
|
|
- ### 6.2.12 Ensure users' .netrc Files are not group or
|
|
- ### world accessible (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
|
|
-
|
|
- ### 6.2.13 Ensure no users have .rhosts files (Scored)
|
|
- - no_rsh_trust_files
|
|
-
|
|
- ### 6.2.14 Ensure all groups in /etc/passwd exist in
|
|
- ### /etc/group (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
|
|
-
|
|
- ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5502
|
|
-
|
|
- ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5501
|
|
-
|
|
- ### 6.2.17 Ensure no duplicate user names exist (Scored)
|
|
- - account_unique_name
|
|
-
|
|
- ### 6.2.18 Ensure no duplicate group names exist (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
|
|
-
|
|
- ### 6.2.19 Ensure shadow group is empty (Scored)
|
|
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
|
|
-
|
|
- ### 6.2.20 Ensure all users' home directories exist (Scored)
|
|
- - accounts_user_interactive_home_directory_exists
|
|
+ - cis_rhel8:all:l2_server
|
|
diff --git a/products/rhel8/profiles/cis_server_l1.profile b/products/rhel8/profiles/cis_server_l1.profile
|
|
new file mode 100644
|
|
index 00000000000..7b4518e15a5
|
|
--- /dev/null
|
|
+++ b/products/rhel8/profiles/cis_server_l1.profile
|
|
@@ -0,0 +1,22 @@
|
|
+documentation_complete: true
|
|
+
|
|
+metadata:
|
|
+ version: 1.0.1
|
|
+ SMEs:
|
|
+ - vojtapolasek
|
|
+ - yuumasato
|
|
+
|
|
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
|
|
+
|
|
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server'
|
|
+
|
|
+description: |-
|
|
+ This profile defines a baseline that aligns to the "Level 1 - Server"
|
|
+ configuration from the Center for Internet Security® Red Hat Enterprise
|
|
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
|
|
+
|
|
+ This profile includes Center for Internet Security®
|
|
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
|
+
|
|
+selections:
|
|
+ - cis_rhel8:all:l1_server
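Review bot: `- cis_rhel8:all:l1_server` references the `cis_rhel8` control file, but within this series that file is only created by the following patch (`controls/cis_rhel8.yml`), so at this commit the selection — like the `l1_workstation` and `l2_workstation` selections in the two new-file hunks below, and the `l2_server` selection left in cis.profile — resolves against a control id that does not yet exist; landing the control file first, or in the same commit, would keep every commit in the series buildable. The new profiles also drop the annotations the old cis.profile carried inline (benchmark section headings, `NEEDS RULE` issue links, and `TO DO` notes such as the 640-vs-600 private-key permission mismatch); the control file added next carries some `NEEDS RULE` links but, as far as is visible here, not the `TO DO` items, so they should be checked for loss. A one-line pointer in each profile, e.g. `# Rule selection is driven by controls/cis_rhel8.yml; per-benchmark notes live there.`, would help readers who open the profile first.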
|
|
diff --git a/products/rhel8/profiles/cis_workstation_l1.profile b/products/rhel8/profiles/cis_workstation_l1.profile
|
|
new file mode 100644
|
|
index 00000000000..230e4c2f0ba
|
|
--- /dev/null
|
|
+++ b/products/rhel8/profiles/cis_workstation_l1.profile
|
|
@@ -0,0 +1,22 @@
|
|
+documentation_complete: true
|
|
+
|
|
+metadata:
|
|
+ version: 1.0.1
|
|
+ SMEs:
|
|
+ - vojtapolasek
|
|
+ - yuumasato
|
|
+
|
|
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
|
|
+
|
|
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation'
|
|
+
|
|
+description: |-
|
|
+ This profile defines a baseline that aligns to the "Level 1 - Workstation"
|
|
+ configuration from the Center for Internet Security® Red Hat Enterprise
|
|
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
|
|
+
|
|
+ This profile includes Center for Internet Security®
|
|
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
|
+
|
|
+selections:
|
|
+ - cis_rhel8:all:l1_workstation
|
|
diff --git a/products/rhel8/profiles/cis_workstation_l2.profile b/products/rhel8/profiles/cis_workstation_l2.profile
|
|
new file mode 100644
|
|
index 00000000000..c0d1698c2f0
|
|
--- /dev/null
|
|
+++ b/products/rhel8/profiles/cis_workstation_l2.profile
|
|
@@ -0,0 +1,22 @@
|
|
+documentation_complete: true
|
|
+
|
|
+metadata:
|
|
+ version: 1.0.1
|
|
+ SMEs:
|
|
+ - vojtapolasek
|
|
+ - yuumasato
|
|
+
|
|
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
|
|
+
|
|
+title: 'CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation'
|
|
+
|
|
+description: |-
|
|
+ This profile defines a baseline that aligns to the "Level 2 - Workstation"
|
|
+ configuration from the Center for Internet Security® Red Hat Enterprise
|
|
+ Linux 8 Benchmark™, v1.0.1, released 2021-05-19.
|
|
+
|
|
+ This profile includes Center for Internet Security®
|
|
+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
|
|
+
|
|
+selections:
|
|
+ - cis_rhel8:all:l2_workstation
|
|
|
|
From e53bf4c6b479608b155bcfcc8426ac20ca4c9291 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 1 Jul 2021 16:35:19 +0100
|
|
Subject: [PATCH 02/55] Add CIS control file for RHEL 8
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 758 +++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 758 insertions(+)
|
|
create mode 100644 controls/cis_rhel8.yml
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
new file mode 100644
|
|
index 00000000000..a84bb078e34
|
|
--- /dev/null
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -0,0 +1,758 @@
|
|
+policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
|
|
+title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
|
|
+id: cis_rhel8
|
|
+version: '1.0.1'
|
|
+source: https://www.cisecurity.org/cis-benchmarks/#red_hat_linux
|
|
+levels:
|
|
+ - id: l1_server
|
|
+ - id: l2_server
|
|
+ inherits_from:
|
|
+ - l1_server
|
|
+ - id: l1_workstation
|
|
+ - id: l2_workstation
|
|
+ inherits_from:
|
|
+ - l1_workstation
|
|
+
|
|
+controls:
|
|
+ - id: reload_dconf_db
|
|
+ title: Reload Dconf database
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ notes: <-
|
|
+ This is a helper rule to reload Dconf datbase correctly.
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - dconf_db_up_to_date
|
|
+
|
|
+ - id: 1.1.1.1
|
|
+ title: Ensure mounting of cramfs filesystems is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_workstation
|
|
+ - l1_server
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_cramfs_disabled
|
|
+
|
|
+ - id: 1.1.1.2
|
|
+ title: Ensure mounting of vFAT filesystems is limited (Manual)
|
|
+ levels:
|
|
+ - l2_workstation
|
|
+ - l2_server
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - kernel_module_vfat_disabled
|
|
+
|
|
+ - id: 1.1.1.3
|
|
+ title: Ensure mounting of squashfs filesystems is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_squashfs_disabled
|
|
+
|
|
+ - id: 1.1.1.4
|
|
+ title: Ensure mounting of udf filesystems is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_udf_disabled
|
|
+
|
|
+ - id: 1.1.2
|
|
+ title: Ensure /tmp is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - partition_for_tmp
|
|
+
|
|
+ - id: 1.1.3
|
|
+ title: Ensure nodev option set on /tmp partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_tmp_nodev
|
|
+
|
|
+ - id: 1.1.4
|
|
+ title: Ensure nosuid option set on /tmp partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_tmp_nosuid
|
|
+
|
|
+ - id: 1.1.5
|
|
+ title: Ensure noexec option set on /tmp partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_tmp_noexec
|
|
+
|
|
+ - id: 1.1.6
|
|
+ title: Ensure separate partition exists for /var (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - partition_for_var
|
|
+
|
|
+ - id: 1.1.7
|
|
+ title: Ensure separate partition exists for /var/tmp (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - partition_for_var_tmp
|
|
+
|
|
+ - id: 1.1.8
|
|
+ title: Ensure nodev option set on /var/tmp partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_var_tmp_nodev
|
|
+
|
|
+ - id: 1.1.9
|
|
+ title: Ensure nosuid option set on /var/tmp partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_var_tmp_nosuid
|
|
+
|
|
+ - id: 1.1.10
|
|
+ title: Ensure noexec option set on /var/tmp partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_var_tmp_noexec
|
|
+
|
|
+ - id: 1.1.11
|
|
+ title: Ensure separate partition exists for /var/log (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - partition_for_var_log
|
|
+
|
|
+ - id: 1.1.12
|
|
+ title: Ensure separate partition exists for /var/log/audit (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - partition_for_var_log_audit
|
|
+
|
|
+ - id: 1.1.13
|
|
+ title: Ensure separate partition exists for /home (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - partition_for_home
|
|
+
|
|
+ - id: 1.1.18
|
|
+ title: Ensure nodev option set on /home partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_home_nodev
|
|
+
|
|
+ - id: 1.1.15
|
|
+ title: Ensure nodev option set on /dev/shm partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_dev_shm_nodev
|
|
+
|
|
+ - id: 1.1.16
|
|
+ title: Ensure nosuid option set on /dev/shm partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_dev_shm_nosuid
|
|
+
|
|
+ - id: 1.1.17
|
|
+ title: Ensure noexec option set on /dev/shm partition (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - mount_option_dev_shm_noexec
|
|
+
|
|
+ - id: 1.1.18
|
|
+ title: Ensure nodev option set on removable media partitions (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ rules:
|
|
+ - mount_option_nodev_removable_partitions
|
|
+
|
|
+ - id: 1.1.19
|
|
+ title: Ensure nosuid option set on removable media partitions (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ rules:
|
|
+ - mount_option_nosuid_removable_partitions
|
|
+
|
|
+ - id: 1.1.20
|
|
+ title: Ensure noexec option set on removable media partitions (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ rules:
|
|
+ - mount_option_noexec_removable_partitions
|
|
+
|
|
+ - id: 1.1.22
|
|
+ title: Disable Automounting (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_autofs_disabled
|
|
+
|
|
+ - id: 1.1.23
|
|
+ title: Disable USB Storage (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_usb-storage_disabled
|
|
+
|
|
+ - id: 1.2.1
|
|
+ title: Ensure Red Hat Subscription Manager connection is configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 1.2.2
|
|
+ title: Disable the rhnsd Daemon (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - service_rhnsd_disabled
|
|
+
|
|
+ - id: 1.2.3
|
|
+ title: Ensure GPG keys are configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - ensure_redhat_gpgkey_installed
|
|
+
|
|
+ - id: 1.2.4
|
|
+ title: Ensure gpgcheck is globally activated (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - ensure_gpgcheck_globally_activated
|
|
+
|
|
+ - id: 1.2.5
|
|
+ title: Ensure package manager repositories are configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 1.3.1
|
|
+ title: Ensure sudo is installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_sudo_installed
|
|
+
|
|
+ - id: 1.3.2
|
|
+ title: Ensure sudo commands use pty (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sudo_add_use_pty
|
|
+
|
|
+ - id: 1.3.3
|
|
+ title: Ensure sudo log file exists (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sudo_custom_logfile
|
|
+
|
|
+ - id: 1.4.1
|
|
+ title: Ensure AIDE is installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_aide_installed
|
|
+
|
|
+ - id: 1.4.2
|
|
+ title: Ensure filesystem integrity is regularly checked (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - aide_periodic_cron_checking
|
|
+
|
|
+ - id: 1.5.1
|
|
+ title: Ensure permissions on bootloader config are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_owner_grub2_cfg
|
|
+ - file_groupowner_grub2_cfg
|
|
+ - file_permissions_grub2_cfg
|
|
+
|
|
+ - id: 1.5.1
|
|
+ title: Ensure bootloader password is set (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - grub2_password
|
|
+
|
|
+ - id: 1.5.3
|
|
+ title: Ensure authentication required for single user mode (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - require_singleuser_auth
|
|
+ - require_emergency_target_auth
|
|
+
|
|
+ - id: 1.6.1
|
|
+ title: Ensure core dumps are restricted (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - disable_users_coredumps
|
|
+ - sysctl_fs_suid_dumpable
|
|
+ - coredump_disable_backtraces
|
|
+ - coredump_disable_storage
|
|
+
|
|
+ - id: 1.6.2
|
|
+ title: Ensure address space layout randomization (ASLR) is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_kernel_randomize_va_space
|
|
+
|
|
+ - id: 1.7.1.1
|
|
+ title: Ensure SELinux is installed (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_libselinux_installed
|
|
+
|
|
+ - id: 1.7.1.1
|
|
+ title: Ensure SELinux is installed (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_libselinux_installed
|
|
+
|
|
+ - id: 1.7.1.2
|
|
+ title: Ensure SELinux is not disabled in bootloader configuration (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - grub2_enable_selinux
|
|
+
|
|
+ - id: 1.7.1.3
|
|
+ title: Ensure SELinux policy is configured (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - var_selinux_policy_name=targeted
|
|
+ - selinux_policytype
|
|
+
|
|
+ - id: 1.7.1.4
|
|
+ title: Ensure the SELinux state is enforcing (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - var_selinux_state=enforcing
|
|
+ - selinux_state
|
|
+
|
|
+ - id: 1.7.1.5
|
|
+ title: Ensure no unconfined services exist (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - selinux_confinement_of_daemons
|
|
+
|
|
+ - id: 1.7.1.6
|
|
+ title: Ensure SETroubleshoot is not installed (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_setroubleshoot_removed
|
|
+
|
|
+ - id: 1.7.1.7
|
|
+ title: Ensure the MCS Translation Service (mcstrans) is not installed (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_mcstrans_removed
|
|
+
|
|
+ - id: 1.8.1.1
|
|
+ title: Ensure message of the day is configured properly (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - banner_etc_motd
|
|
+
|
|
+ - id: 1.8.1.2
|
|
+ title: Ensure local login warning banner is configured properly (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - banner_etc_issue
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5225
|
|
+ - id: 1.8.1.3
|
|
+ title: Ensure remote login warning banner is configured properly (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 1.8.1.4
|
|
+ title: Ensure permissions on /etc/motd are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_etc_motd
|
|
+
|
|
+ - id: 1.8.1.5
|
|
+ title: Ensure permissions on /etc/issue are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_etc_issue
|
|
+
|
|
+ - id: 1.8.2
|
|
+ title: Ensure GDM login banner is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - dconf_gnome_banner_enabled
|
|
+ - dconf_gnome_login_banner_text
|
|
+
|
|
+ - id: 1.9
|
|
+ title: Ensure updates, patches, and additional security software are installed (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - security_patches_up_to_date
|
|
+
|
|
+ - id: 1.10
|
|
+ title: Ensure system-wide crypto policy is not legacy (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - configure_crypto_policy
|
|
+
|
|
+ # This rule works in conjunction with the configure_crypto_policy above.
|
|
+ # If a system is remediated to CIS Level 1, just the rule above will apply
|
|
+ # and will enforce the default value for var_system_crypto_policy (DEFAULT).
|
|
+ # If the system is remediated to Level 2 then this rule will be selected,
|
|
+ # and the value applied by the rule above will will be overridden to
|
|
+ # FUTURE through the var_system_crypto_policy variable.
|
|
+ - id: 1.11
|
|
+ title: Ensure system-wide crypto policy is FUTURE or FIPS (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - var_system_crypto_policy=future
|
|
+
|
|
+ - id: 2.1.1
|
|
+ title: Ensure xinetd is not installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_xinetd_removed
|
|
+
|
|
+ - id: 2.2.1.1
|
|
+ title: Ensure time synchronization is in use (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - package_chrony_installed
|
|
+
|
|
+ - id: 2.1.1
|
|
+ title: Ensure chrony is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_chronyd_enabled
|
|
+ - chronyd_specify_remote_server
|
|
+ - chronyd_run_as_chrony_user
|
|
+
|
|
+ - id: 2.2.2
|
|
+ title: Ensure chrony is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_xorg-x11-server-common_removed
|
|
+ - xwindows_runlevel_target
|
|
+
|
|
+ - id: 2.2.3
|
|
+ title: Ensure rsync service is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_rsyncd_disabled
|
|
+
|
|
+ - id: 2.2.4
|
|
+ title: Ensure Avahi Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_avahi-daemon_disabled
|
|
+
|
|
+ - id: 2.2.5
|
|
+ title: Ensure SNMP Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_snmpd_disabled
|
|
+
|
|
+ - id: 2.2.6
|
|
+ title: Ensure HTTP Proxy Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_squid_removed
|
|
+
|
|
+ - id: 2.2.7
|
|
+ title: Ensure Samba is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_smb_disabled
|
|
+
|
|
+ - id: 2.2.8
|
|
+ title: Ensure IMAP and POP3 server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_dovecot_disabled
|
|
+
|
|
+ - id: 2.2.9
|
|
+ title: Ensure HTTP server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_httpd_disabled
|
|
+
|
|
+ - id: 2.2.10
|
|
+ title: Ensure FTP Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_vsftpd_disabled
|
|
+
|
|
+ - id: 2.2.11
|
|
+ title: Ensure DNS Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_named_disabled
|
|
+
|
|
+ - id: 2.2.12
|
|
+ title: Ensure NFS is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_nfs_disabled
|
|
+
|
|
+ - id: 2.2.13
|
|
+ title: Ensure RPC is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_rpcbind_disabled
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5231
|
|
+ - id: 2.2.14
|
|
+ title: Ensure RPC is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 2.2.15
|
|
+ title: Ensure DHCP Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_dhcpd_disabled
|
|
+
|
|
+ - id: 2.2.16
|
|
+ title: Ensure CUPS is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_cups_disabled
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5232
|
|
+ - id: 2.2.17
|
|
+ title: Ensure NIS Server is not enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 2.2.18
|
|
+ title: Ensure mail transfer agent is configured for local-only mode (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - postfix_network_listening_disabled
|
|
+
|
|
+ - id: 2.3.1
|
|
+ title: Ensure NIS Client is not installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_ypbind_removed
|
|
+
|
|
+ - id: 2.3.2
|
|
+ title: Ensure telnet client is not installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_telnet_removed
|
|
+
|
|
+ - id: 2.3.3
|
|
+ title: Ensure LDAP client is not installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_openldap-clients_removed
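Review bot: `id: 1.9`, `id: 1.10` and `id: 1.11` (the entries between the banner controls and the 2.x controls) are unquoted and any loader with implicit typing reads them as floats, so `1.10` loads as `1.1` and the control can no longer be matched by its benchmark number; quote them as `id: '1.10'`, consistent with the already-quoted `version: '1.0.1'`. Several ids are also duplicated or mis-numbered: `1.1.18` is used both for the nodev-on-/home entry (which sits between 1.1.13 and 1.1.15) and for the removable-media entry, `1.5.1` covers both the bootloader-permissions and the bootloader-password entries, the `1.7.1.1` SELinux-installed entry appears twice verbatim, and `2.1.1` is used for both the xinetd entry and the chrony entry that follows `2.2.1.1`; if the loader keys controls by id, one of each pair silently shadows the other. The `2.2.2` entry is titled `Ensure chrony is configured (Automated)` while its rules remove the X server, and `2.2.14` repeats the title of `2.2.13`, so both titles need checking against the benchmark. Finally, `notes: <-` in `reload_dconf_db` is not a block-scalar indicator — it parses as a plain scalar whose text begins with the literal `<-` — and should be `notes: >-` (and "datbase" is a typo).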
|
|
|
|
From 7cb13c16162f057e8cf7d9f140c9b27abadce947 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 2 Jul 2021 20:47:49 +0100
|
|
Subject: [PATCH 03/55] Add RHEL 8 Sections 3 & 4 to CIS control file
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 728 ++++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 726 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index a84bb078e34..b63dc6cf9e1 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -712,8 +712,8 @@ controls:
|
|
rules:
|
|
- service_cups_disabled
|
|
|
|
- # NEEDS RULE
|
|
- # https://github.com/ComplianceAsCode/content/issues/5232
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5232
|
|
- id: 2.2.17
|
|
title: Ensure NIS Server is not enabled (Automated)
|
|
levels:
|
|
@@ -756,3 +756,727 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- package_openldap-clients_removed
|
|
+
|
|
+ - id: 3.1.1
|
|
+ title: Ensure IP forwarding is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_ip_forward
|
|
+ - sysctl_net_ipv6_conf_all_forwarding
|
|
+
|
|
+ - id: 3.1.2
|
|
+ title: Ensure packet redirect sending is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_conf_all_send_redirects
|
|
+ - sysctl_net_ipv4_conf_default_send_redirects
|
|
+
|
|
+ - id: 3.2.1
|
|
+ title: Ensure source routed packets are not accepted (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
|
+ - sysctl_net_ipv6_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv6_conf_default_accept_source_route
|
|
+
|
|
+ - id: 3.2.2
|
|
+ title: Ensure ICMP redirects are not accepted (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_conf_all_accept_redirects
|
|
+ - sysctl_net_ipv4_conf_default_accept_redirects
|
|
+ - sysctl_net_ipv6_conf_all_accept_redirects
|
|
+ - sysctl_net_ipv6_conf_default_accept_redirects
|
|
+
|
|
+ - id: 3.2.3
|
|
+ title: Ensure secure ICMP redirects are not accepted (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_conf_all_secure_redirects
|
|
+ - sysctl_net_ipv4_conf_default_secure_redirects
|
|
+
|
|
+ - id: 3.2.4
|
|
+ title: Ensure suspicious packets are logged (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_conf_all_log_martians
|
|
+ - sysctl_net_ipv4_conf_default_log_martians
|
|
+
|
|
+ - id: 3.2.5
|
|
+ title: Ensure broadcast ICMP requests are ignored (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
|
+
|
|
+ - id: 3.2.6
|
|
+ title: Ensure bogus ICMP responses are ignored (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
|
+
|
|
+ - id: 3.2.7
|
|
+ title: Ensure Reverse Path Filtering is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_conf_all_rp_filter
|
|
+ - sysctl_net_ipv4_conf_default_rp_filter
|
|
+
|
|
+ - id: 3.2.8
|
|
+ title: Ensure TCP SYN Cookies is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_tcp_syncookies
|
|
+
|
|
+ - id: 3.2.8
|
|
+ title: Ensure TCP SYN Cookies is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv4_tcp_syncookies
|
|
+
|
|
+ - id: 3.2.9
|
|
+ title: Ensure IPv6 router advertisements are not accepted (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sysctl_net_ipv6_conf_all_accept_ra
|
|
+ - sysctl_net_ipv6_conf_default_accept_ra
|
|
+
|
|
+ - id: 3.3.1
|
|
+ title: Ensure DCCP is disabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_dccp_disabled
|
|
+
|
|
+ - id: 3.3.2
|
|
+ title: Ensure SCTP is disabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_sctp_disabled
|
|
+
|
|
+ - id: 3.3.3
|
|
+ title: Ensure RDS is disabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_rds_disabled
|
|
+
|
|
+ - id: 3.3.4
|
|
+ title: Ensure TIPC is disabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_tipc_disabled
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # This rule is currently quite opinionated and expects firewalld
|
|
+ # as the installed firewall package. But, as per the CIS control,
|
|
+ # this rule should also be satisfied by nftables or iptables.
|
|
+ - id: 3.4.1.1
|
|
+ title: Ensure a Firewall package is installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_firewalld_installed
|
|
+
|
|
+ - id: 3.4.2.1
|
|
+ title: Ensure firewalld service is enabled and running (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_firewalld_enabled
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5238
|
|
+ - id: 3.4.2.2
|
|
+ title: Ensure iptables service is not enabled with firewalld (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5239
|
|
+ - id: 3.4.2.3
|
|
+ title: Ensure nftables is not enabled with firewalld (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.4.2.4
|
|
+ title: Ensure firewalld default zone is set (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - set_firewalld_default_zone
|
|
+
|
|
+ - id: 3.4.2.5
|
|
+ title: Ensure network interfaces are assigned to appropriate zone (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.4.2.6
|
|
+ title: Ensure firewalld drops unnecessary services and ports (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.4.3.1
|
|
+ title: Ensure iptables are flushed with nftables (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5244
|
|
+ - id: 3.4.3.2
|
|
+ title: Ensure an nftables table exists (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5245
|
|
+ - id: 3.4.3.3
|
|
+ title: Ensure nftables base chains exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5246
|
|
+ - id: 3.4.3.4
|
|
+ title: Ensure nftables loopback traffic is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.4.3.5
|
|
+ title: Ensure nftables outbound and established connections are configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5248
|
|
+ - id: 3.4.3.6
|
|
+ title: Ensure nftables default deny firewall policy (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5249
|
|
+ - id: 3.4.3.7
|
|
+ title: Ensure nftables service is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5250
|
|
+ - id: 3.4.3.8
|
|
+ title: Ensure nftables rules are permanent (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5252
|
|
+ - id: 3.4.4.1.1
|
|
+ title: Ensure iptables default deny firewall policy (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5253
|
|
+ - id: 3.4.4.1.2
|
|
+ title: Ensure iptables loopback traffic is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.4.4.1.3
|
|
+ title: Ensure iptables outbound and established connections are configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5255
|
|
+ - id: 3.4.4.1.4
|
|
+ title: Ensure iptables firewall rules exist for all open ports (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7190
|
|
+ - id: 3.4.4.1.5
|
|
+ title: Ensure iptables is enabled and active (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5257
|
|
+ - id: 3.4.4.2.1
|
|
+ title: Ensure ip6tables default deny firewall policy (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5258
|
|
+ - id: 3.4.4.2.2
|
|
+ title: Ensure ip6tables loopback traffic is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.4.4.2.3
|
|
+ title: Ensure ip6tables outbound and established connections are configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7191
|
|
+ - id: 3.4.4.2.4
|
|
+ title: Ensure ip6tables firewall rules exist for all open ports (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7192
|
|
+ - id: 3.4.4.2.5
|
|
+ title: Ensure ip6tables is enabled and active (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 3.5
|
|
+ title: Ensure wireless interfaces are disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - wireless_disable_interfaces
|
|
+
|
|
+ - id: 3.6
|
|
+ title: Disable IPv6 (Manual)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - kernel_module_ipv6_option_disabled
|
|
+
|
|
+ - id: 4.1.1.1
|
|
+ title: Ensure auditd is installed (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_audit_installed
|
|
+
|
|
+ - id: 4.1.1.2
|
|
+ title: Ensure auditd service is enabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_auditd_enabled
|
|
+
|
|
+ - id: 4.1.1.3
|
|
+ title: Ensure auditing for processes that start prior to auditd is enabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - grub2_audit_argument
|
|
+
|
|
+ - id: 4.1.1.4
|
|
+ title: Ensure audit_backlog_limit is sufficient (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - grub2_audit_backlog_limit_argument
|
|
+
|
|
+ - id: 4.1.2.1
|
|
+ title: Ensure audit log storage size is configured (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - auditd_data_retention_max_log_file
|
|
+
|
|
+ - id: 4.1.2.2
|
|
+ title: Ensure audit logs are not automatically deleted (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - auditd_data_retention_max_log_file_action
|
|
+
|
|
+ - id: 4.1.2.3
|
|
+ title: Ensure system is disabled when audit logs are full (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - auditd_data_retention_action_mail_acct
|
|
+ - auditd_data_retention_admin_space_left_action
|
|
+ - auditd_data_retention_space_left_action
|
|
+ - var_auditd_action_mail_acct=root
|
|
+ - var_auditd_admin_space_left_action=halt
|
|
+ - var_auditd_space_left_action=email
|
|
+
|
|
+ - id: 4.1.3
|
|
+ title: Ensure changes to system administration scope (sudoers) is collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_sysadmin_actions
|
|
+
|
|
+ - id: 4.1.4
|
|
+ title: Ensure login and logout events are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_login_events_faillock
|
|
+ - audit_rules_login_events_lastlog
|
|
+
|
|
+ - id: 4.1.5
|
|
+ title: Ensure session initiation information is collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_session_events
|
|
+
|
|
+ - id: 4.1.6
|
|
+ title: Ensure events that modify date and time information are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_time_adjtimex
|
|
+ - audit_rules_time_clock_settime
|
|
+ - audit_rules_time_settimeofday
|
|
+ - audit_rules_time_stime
|
|
+ - audit_rules_time_watch_localtime
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # -w /usr/share/selinux/ -p wa
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5264
|
|
+ - id: 4.1.7
|
|
+ title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_mac_modification
|
|
+
|
|
+ - id: 4.1.8
|
|
+ title: Ensure events that modify the system's network environment are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_networkconfig_modification
|
|
+
|
|
+ - id: 4.1.9
|
|
+ title: Ensure discretionary access control permission modification events are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_dac_modification_chmod
|
|
+ - audit_rules_dac_modification_chown
|
|
+ - audit_rules_dac_modification_fchmod
|
|
+ - audit_rules_dac_modification_fchmodat
|
|
+ - audit_rules_dac_modification_fchown
|
|
+ - audit_rules_dac_modification_fchownat
|
|
+ - audit_rules_dac_modification_fremovexattr
|
|
+ - audit_rules_dac_modification_fsetxattr
|
|
+ - audit_rules_dac_modification_lchown
|
|
+ - audit_rules_dac_modification_lremovexattr
|
|
+ - audit_rules_dac_modification_lsetxattr
|
|
+ - audit_rules_dac_modification_removexattr
|
|
+ - audit_rules_dac_modification_setxattr
|
|
+
|
|
+ - id: 4.1.10
|
|
+ title: Ensure unsuccessful unauthorized file access attempts are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_unsuccessful_file_modification_creat
|
|
+ - audit_rules_unsuccessful_file_modification_ftruncate
|
|
+ - audit_rules_unsuccessful_file_modification_open
|
|
+ - audit_rules_unsuccessful_file_modification_openat
|
|
+ - audit_rules_unsuccessful_file_modification_truncate
|
|
+ # Opinionated selection
|
|
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
|
|
+
|
|
+ - id: 4.1.11
|
|
+ title: Ensure events that modify user/group information are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_usergroup_modification_group
|
|
+ - audit_rules_usergroup_modification_gshadow
|
|
+ - audit_rules_usergroup_modification_opasswd
|
|
+ - audit_rules_usergroup_modification_passwd
|
|
+ - audit_rules_usergroup_modification_shadow
|
|
+
|
|
+ - id: 4.1.12
|
|
+ title: Ensure successful file system mounts are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_media_export
|
|
+
|
|
+ - id: 4.1.13
|
|
+ title: Ensure use of privileged commands is collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_privileged_commands
|
|
+
|
|
+ - id: 4.1.14
|
|
+ title: Ensure file deletion events by users are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_file_deletion_events_rename
|
|
+ - audit_rules_file_deletion_events_renameat
|
|
+ - audit_rules_file_deletion_events_unlink
|
|
+ - audit_rules_file_deletion_events_unlinkat
|
|
+ # Opinionated selection
|
|
+ - audit_rules_file_deletion_events_rmdir
|
|
+
|
|
+ - id: 4.1.15
|
|
+ title: Ensure kernel module loading and unloading is collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_kernel_module_loading
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5516
|
|
+ - id: 4.1.16
|
|
+ title: Ensure system administrator actions (sudolog) are collected (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 4.1.17
|
|
+ title: Ensure the audit configuration is immutable (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - audit_rules_immutable
|
|
+
|
|
+ - id: 4.2.1.1
|
|
+ title: Ensure rsyslog is installed (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - package_rsyslog_installed
|
|
+
|
|
+ - id: 4.2.1.2
|
|
+ title: Ensure rsyslog Service is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_rsyslog_enabled
|
|
+
|
|
+ - id: 4.2.1.3
|
|
+ title: Ensure rsyslog default file permissions configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - rsyslog_files_permissions
|
|
+
|
|
+ - id: 4.2.1.4
|
|
+ title: Ensure logging is configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 4.2.1.5
|
|
+ title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - rsyslog_remote_loghost
|
|
+
|
|
+ - id: 4.2.1.6
|
|
+ title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - rsyslog_nolisten
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5520
|
|
+ - id: 4.2.2.1
|
|
+ title: Ensure journald is configured to send logs to rsyslog (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5521
|
|
+ - id: 4.2.2.2
|
|
+ title: Ensure journald is configured to compress large log files (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5522
|
|
+ - id: 4.2.2.3
|
|
+ title: Ensure journald is configured to write logfiles to persistent disk (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5523
|
|
+ - id: 4.2.3
|
|
+ title: Ensure permissions on all logfiles are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 4.3
|
|
+ title: Ensure logrotate is configured (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
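Review bot: Control `3.2.8` ("Ensure TCP SYN Cookies is enabled") is defined twice in this hunk, the second copy immediately following the first with identical levels and the same `sysctl_net_ipv4_tcp_syncookies` rule; a duplicate id in the controls list will either be rejected by the control-file loader or silently yield two entries for one benchmark recommendation, so the second block should be deleted. Separately, control `3.6` is titled "Disable IPv6 (Manual)" yet is marked `automated: yes` with `kernel_module_ipv6_option_disabled` selected, while every other `(Manual)` control in this hunk carries `automated: no`. Because that rule disables IPv6 outright on any Level 2 server profile assembled from this file, it would be safer to mark it `automated: no` and list the rule under `related_rules:` (as 4.2.1.6 does for `rsyslog_nolisten`), or to add a comment explaining the deliberate deviation from the benchmark's Manual classification.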
|
|
|
|
From e10bc6354fdbc73b0270e52673e0b688d21386a8 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Sat, 3 Jul 2021 12:08:31 +0100
|
|
Subject: [PATCH 04/55] Add RHEL 8 Section 5 to CIS control file
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 460 +++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 460 insertions(+)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index b63dc6cf9e1..85c821bc60d 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1480,3 +1480,463 @@ controls:
|
|
- l1_server
|
|
- l1_workstation
|
|
automated: no
|
|
+
|
|
+ - id: 5.1.1
|
|
+ title: Ensure cron daemon is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - service_crond_enabled
|
|
+
|
|
+ - id: 5.1.2
|
|
+ title: Ensure permissions on /etc/crontab are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_crontab
|
|
+ - file_owner_crontab
|
|
+ - file_permissions_crontab
|
|
+
|
|
+ - id: 5.1.3
|
|
+ title: Ensure permissions on /etc/cron.hourly are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_cron_hourly
|
|
+ - file_owner_cron_hourly
|
|
+ - file_permissions_cron_hourly
|
|
+
|
|
+ - id: 5.1.4
|
|
+ title: Ensure permissions on /etc/cron.daily are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_cron_daily
|
|
+ - file_owner_cron_daily
|
|
+ - file_permissions_cron_daily
|
|
+
|
|
+ - id: 5.1.5
|
|
+ title: Ensure permissions on /etc/cron.weekly are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_cron_weekly
|
|
+ - file_owner_cron_weekly
|
|
+ - file_permissions_cron_weekly
|
|
+
|
|
+ - id: 5.1.6
|
|
+ title: Ensure permissions on /etc/cron.monthly are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_cron_monthly
|
|
+ - file_owner_cron_monthly
|
|
+ - file_permissions_cron_monthly
|
|
+
|
|
+ - id: 5.1.7
|
|
+ title: Ensure permissions on /etc/cron.d are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_cron_d
|
|
+ - file_owner_cron_d
|
|
+ - file_permissions_cron_d
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7195
|
|
+ - id: 5.1.8
|
|
+ title: Ensure at/cron is restricted to authorized users (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 5.2.1
|
|
+ title: Ensure permissions on /etc/ssh/sshd_config are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_sshd_config
|
|
+ - file_owner_sshd_config
|
|
+ - file_permissions_sshd_config
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7196
|
|
+ - id: 5.2.2
|
|
+ title: Ensure SSH access is limited (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # TODO
|
|
+ # Rule sets permissions to 0640 but benchmark wants it to be 0600
|
|
+ #
|
|
+ # TODO
|
|
+ # Check owner of private keys in /etc/ssh is root:root
|
|
+ - id: 5.2.3
|
|
+ title: Ensure permissions on SSH private host key files are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_sshd_private_key
|
|
+
|
|
+ # TODO
|
|
+ # Check owner of public keys in /etc/ssh is root:root
|
|
+ - id: 5.2.4
|
|
+ title: Ensure permissions on SSH public host key files are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_sshd_pub_key
|
|
+
|
|
+ - id: 5.2.5
|
|
+ title: Ensure SSH LogLevel is appropriate (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_set_loglevel_info
|
|
+
|
|
+ - id: 5.2.6
|
|
+ title: Ensure SSH X11 forwarding is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_disable_x11_forwarding
|
|
+
|
|
+ - id: 5.2.7
|
|
+ title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_max_auth_tries_value=4
|
|
+ - sshd_set_max_auth_tries
|
|
+
|
|
+ - id: 5.2.8
|
|
+ title: Ensure SSH IgnoreRhosts is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_disable_rhosts
|
|
+
|
|
+ - id: 5.2.9
|
|
+ title: Ensure SSH HostbasedAuthentication is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - disable_host_auth
|
|
+
|
|
+ - id: 5.2.10
|
|
+ title: Ensure SSH root login is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_disable_root_login
|
|
+
|
|
+ - id: 5.2.11
|
|
+ title: Ensure SSH PermitEmptyPasswords is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_disable_empty_passwords
|
|
+
|
|
+ - id: 5.2.12
|
|
+ title: Ensure SSH PermitUserEnvironment is disabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_do_not_permit_user_env
|
|
+
|
|
+ - id: 5.2.13
|
|
+ title: Ensure SSH Idle Timeout Interval is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_idle_timeout_value=5_minutes
|
|
+ - sshd_set_idle_timeout
|
|
+ - sshd_set_keepalive_0
|
|
+ - var_sshd_set_keepalive=0
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5525
|
|
+ - id: 5.2.14
|
|
+ title: Ensure SSH LoginGraceTime is set to one minute or less (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 5.2.15
|
|
+ title: Ensure SSH warning banner is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_enable_warning_banner
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5526
|
|
+ - id: 5.2.16
|
|
+ title: Ensure SSH PAM is enabled (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 5.2.17
|
|
+ title: Ensure SSH AllowTcpForwarding is disabled (Automated)
|
|
+ levels:
|
|
+ - l2_server
|
|
+ - l2_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_disable_tcp_forwarding
|
|
+
|
|
+ - id: 5.2.18
|
|
+ title: Ensure SSH MaxStartups is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_set_maxstartups
|
|
+
|
|
+ - id: 5.2.19
|
|
+ title: Ensure SSH MaxSessions is set to 4 or less (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - sshd_set_max_sessions
|
|
+ - var_sshd_max_sessions=4
|
|
+
|
|
+ - id: 5.2.20
|
|
+ title: Ensure system-wide crypto policy is not over-ridden (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - configure_ssh_crypto_policy
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5530
|
|
+ - id: 5.3.1
|
|
+ title: Create custom authselect profile (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5531
|
|
+ - id: 5.3.2
|
|
+ title: Select authselect profile (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5532
|
|
+ - id: 5.3.2
|
|
+ title: Ensure authselect includes with-faillock (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE: try_first_pass
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5533
|
|
+ - id: 5.4.1
|
|
+ title: Ensure password creation requirements are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_password_pam_minclass
|
|
+ - accounts_password_pam_minlen
|
|
+ - accounts_password_pam_retry
|
|
+ - var_password_pam_minclass=4
|
|
+ - var_password_pam_minlen=14
|
|
+
|
|
+ - id: 5.4.2
|
|
+ title: Ensure lockout for failed password attempts is configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_passwords_pam_faillock_deny
|
|
+ - accounts_passwords_pam_faillock_unlock_time
|
|
+ - var_accounts_passwords_pam_faillock_deny=5
|
|
+ - var_accounts_passwords_pam_faillock_unlock_time=900
|
|
+
|
|
+ - id: 5.4.3
|
|
+ title: Ensure password reuse is limited (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_password_pam_unix_remember
|
|
+ - var_password_pam_unix_remember=5
|
|
+
|
|
+ - id: 5.4.4
|
|
+ title: Ensure password hashing algorithm is SHA-512 (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - set_password_hashing_algorithm_systemauth
|
|
+
|
|
+ - id: 5.5.1.1
|
|
+ title: Ensure password expiration is 365 days or less (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_maximum_age_login_defs
|
|
+ - var_accounts_maximum_age_login_defs=365
|
|
+
|
|
+ - id: 5.5.1.2
|
|
+ title: Ensure minimum days between password changes is 7 or more (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_minimum_age_login_defs
|
|
+ - var_accounts_minimum_age_login_defs=7
|
|
+
|
|
+ - id: 5.5.1.3
|
|
+ title: Ensure password expiration warning days is 7 or more (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_password_warn_age_login_defs
|
|
+ - var_accounts_password_warn_age_login_defs=7
|
|
+
|
|
+ # TODO
|
|
+ # Rule doesn't check list of users
|
|
+ - id: 5.5.1.4
|
|
+ title: Ensure inactive password lock is 30 days or less (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - account_disable_post_pw_expiration
|
|
+ - var_account_disable_post_pw_expiration=30
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5537
|
|
+ - id: 5.5.1.5
|
|
+ title: Ensure all users last password change date is in the past (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 5.5.2
|
|
+ title: Ensure system accounts are secured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_shelllogin_for_systemaccounts
|
|
+
|
|
+ - id: 5.5.3
|
|
+ title: Ensure default user shell timeout is 900 seconds or less (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_tmout
|
|
+ - var_accounts_tmout=15_min
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5539
|
|
+ - id: 5.5.4
|
|
+ title: Ensure default group for the root account is GID 0 (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 5.5.5
|
|
+ title: Ensure default user umask is 027 or more restrictive (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_umask_etc_bashrc
|
|
+ - accounts_umask_etc_profile
|
|
+ - var_accounts_user_umask=027
|
|
+
|
|
+ - id: 5.6
|
|
+ title: Ensure root login is restricted to system console (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - no_direct_root_logins
|
|
+ - securetty_root_login_console_only
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5541
|
|
+ - id: 5.7
|
|
+ title: Ensure access to the su command is restricted (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
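Review bot: The id `5.3.2` is assigned to two consecutive controls in this hunk, "Select authselect profile" and "Ensure authselect includes with-faillock"; the second is presumably the benchmark's 5.3.3 and should be renumbered so the ids do not collide when the controls file is resolved into a profile. Both are `automated: no` with NEEDS RULE comments, so the collision is invisible in generated content today, but it will surface as soon as either control gets rules attached. Also worth a note: 5.2.13 pins `sshd_idle_timeout_value=5_minutes` and `var_sshd_set_keepalive=0` with no comment stating which ClientAliveInterval/ClientAliveCountMax values the v1.0.1 benchmark expects; a one-line comment quoting the benchmark's thresholds next to those selections, in the style of the 5.2.3 TODO on file modes, would make the mapping reviewable.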
|
|
|
|
From 9aa351c0c0104ec07ee9f23ceb072233992b1a5a Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Sat, 3 Jul 2021 12:33:15 +0100
|
|
Subject: [PATCH 05/55] Add RHEL 8 Section 6 to CIS control file
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 325 +++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 325 insertions(+)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 85c821bc60d..bc77e25d122 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1940,3 +1940,328 @@ controls:
|
|
- l1_server
|
|
- l1_workstation
|
|
automated: no
|
|
+
|
|
+ - id: 6.1.1
|
|
+ title: Audit system file permissions (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ - rpm_verify_permissions
|
|
+ - rpm_verify_ownership
|
|
+
|
|
+ - id: 6.1.2
|
|
+ title: Ensure permissions on /etc/passwd are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_etc_passwd
|
|
+ - file_owner_etc_passwd
|
|
+ - file_permissions_etc_passwd
|
|
+
|
|
+ - id: 6.1.3
|
|
+ title: Ensure permissions on /etc/passwd- are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_backup_etc_passwd
|
|
+ - file_owner_backup_etc_passwd
|
|
+ - file_permissions_backup_etc_passwd
|
|
+
|
|
+ - id: 6.1.4
|
|
+ title: Ensure permissions on /etc/shadow are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_owner_etc_shadow
|
|
+ - file_groupowner_etc_shadow
|
|
+ - file_permissions_etc_shadow
|
|
+
|
|
+ - id: 6.1.5
|
|
+ title: Ensure permissions on /etc/shadow- are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_backup_etc_shadow
|
|
+ - file_owner_backup_etc_shadow
|
|
+ - file_permissions_backup_etc_shadow
|
|
+
|
|
+ - id: 6.1.6
|
|
+ title: Ensure permissions on /etc/gshadow are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_etc_gshadow
|
|
+ - file_owner_etc_gshadow
|
|
+ - file_permissions_etc_gshadow
|
|
+
|
|
+ - id: 6.1.7
|
|
+ title: Ensure permissions on /etc/gshadow- are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_backup_etc_gshadow
|
|
+ - file_owner_backup_etc_gshadow
|
|
+ - file_permissions_backup_etc_gshadow
|
|
+
|
|
+ - id: 6.1.8
|
|
+ title: Ensure permissions on /etc/group are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_etc_group
|
|
+ - file_owner_etc_group
|
|
+ - file_permissions_etc_group
|
|
+
|
|
+ - id: 6.1.9
|
|
+ title: Ensure permissions on /etc/group- are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupowner_backup_etc_group
|
|
+ - file_owner_backup_etc_group
|
|
+ - file_permissions_backup_etc_group
|
|
+
|
|
+ - id: 6.1.10
|
|
+ title: Ensure no world writable files exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_unauthorized_world_writable
|
|
+
|
|
+ - id: 6.1.11
|
|
+ title: Ensure no unowned files or directories exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_files_unowned_by_user
|
|
+
|
|
+ - id: 6.1.12
|
|
+ title: Ensure no ungrouped files or directories exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_ungroupowned
|
|
+
|
|
+ - id: 6.1.13
|
|
+ title: Audit SUID executables (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ rules:
|
|
+ - file_permissions_unauthorized_suid
|
|
+
|
|
+ - id: 6.1.14
|
|
+ title: Audit SGID executables (Manual)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+ rules:
|
|
+ - file_permissions_unauthorized_sgid
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7197
|
|
+ - id: 6.2.1
|
|
+ title: Ensure password fields are not empty (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 6.2.2
|
|
+ title: Ensure no legacy "+" entries exist in /etc/passwd (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_legacy_plus_entries_etc_passwd
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7198
|
|
+ - id: 6.2.3
|
|
+ title: Ensure root PATH Integrity (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 6.2.4
|
|
+ title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_legacy_plus_entries_etc_shadow
|
|
+
|
|
+ - id: 6.2.5
|
|
+ title: Ensure no legacy "+" entries exist in /etc/group (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_legacy_plus_entries_etc_group
|
|
+
|
|
+ - id: 6.2.6
|
|
+ title: Ensure root is the only UID 0 account (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_no_uid_except_zero
|
|
+
|
|
+ - id: 6.2.7
|
|
+ title: Ensure users' home directories permissions are 750 or more restrictive (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_permissions_home_dirs
|
|
+
|
|
+ # NEEDS RULE (for user ownership)
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5507
|
|
+ - id: 6.2.8
|
|
+ title: Ensure users own their home directories (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - file_groupownership_home_directories
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5506
|
|
+ - id: 6.2.9
|
|
+ title: Ensure users' dot files are not group or world writable (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5505
|
|
+ - id: 6.2.10
|
|
+ title: Ensure no users have .forward files (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 6.2.11
|
|
+ title: Ensure no users have .netrc files (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_netrc_files
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5504
|
|
+ - id: 6.2.12
|
|
+ title: Ensure users' .netrc Files are not group or world accessible (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 6.2.13
|
|
+ title: Ensure no users have .rhosts files (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - no_rsh_trust_files
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5503
|
|
+ - id: 6.2.14
|
|
+ title: Ensure all groups in /etc/passwd exist in /etc/group (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5502
|
|
+ - id: 6.2.15
|
|
+ title: Ensure no duplicate UIDs exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5501
|
|
+ - id: 6.2.16
|
|
+ title: Ensure no duplicate GIDs exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 6.2.17
|
|
+ title: Ensure no duplicate user names exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - account_unique_name
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5500
|
|
+ - id: 6.2.18
|
|
+ title: Ensure no duplicate group names exist (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/5499
|
|
+ - id: 6.2.19
|
|
+ title: Ensure shadow group is empty (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
+ - id: 6.2.20
|
|
+ title: Ensure shadow group is empty (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - accounts_user_interactive_home_directory_exists
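Review bot: Control 6.2.8 is marked `automated: yes` although its only rule, `file_groupownership_home_directories`, checks group ownership and the comment right above it says the user-ownership rule is still missing, so the profile overstates its coverage of "Ensure users own their home directories"; it should read `automated: partially` (the value later patches in this series use for 1.5.1 and 4.1.3) until issue 5507 is resolved. Control 6.2.20 reuses 6.2.19's title "Ensure shadow group is empty (Automated)" while its rule is `accounts_user_interactive_home_directory_exists`, so the title should describe the home-directory existence check instead (presumably the benchmark's "Ensure all users' home directories exist"). Also, 6.1.13 and 6.1.14 are Manual (`automated: no`) yet list their rule under `rules:` rather than `related_rules:` as 6.1.1 in this same hunk does, which presumably selects `file_permissions_unauthorized_suid` and `file_permissions_unauthorized_sgid` into the profile as though they implemented the audit.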
|
|
|
|
From 9328919d45d46d2402e6a6cfb8bf726c8d24b7ec Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Sat, 3 Jul 2021 12:36:01 +0100
|
|
Subject: [PATCH 06/55] Tweak RHEL8 CIS control file to satisfy yamllint
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index bc77e25d122..161a2aac58e 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1,3 +1,4 @@
|
|
+---
|
|
policy: 'CIS Benchmark for Red Hat Enterprise Linux 8'
|
|
title: 'CIS Benchmark for Red Hat Enterprise Linux 8'
|
|
id: cis_rhel8
|
|
@@ -1597,7 +1598,7 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
- - file_permissions_sshd_private_key
|
|
+ - file_permissions_sshd_private_key
|
|
|
|
# TODO
|
|
# Check owner of public keys in /etc/ssh is root:root
|
|
@@ -1608,7 +1609,7 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
- - file_permissions_sshd_pub_key
|
|
+ - file_permissions_sshd_pub_key
|
|
|
|
- id: 5.2.5
|
|
title: Ensure SSH LogLevel is appropriate (Automated)
|
|
@@ -1617,7 +1618,7 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
- - sshd_set_loglevel_info
|
|
+ - sshd_set_loglevel_info
|
|
|
|
- id: 5.2.6
|
|
title: Ensure SSH X11 forwarding is disabled (Automated)
|
|
@@ -1626,7 +1627,7 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
- - sshd_disable_x11_forwarding
|
|
+ - sshd_disable_x11_forwarding
|
|
|
|
- id: 5.2.7
|
|
title: Ensure SSH MaxAuthTries is set to 4 or less (Automated)
|
|
|
|
From 035dd0b7d79159f1c67ef53baf5a5d284ab79aed Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 9 Jul 2021 00:11:57 +0100
|
|
Subject: [PATCH 07/55] Updates to address comments on RHEL 8 CIS PR
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 45 +++++++++++++++++++++++++++++-------------
|
|
1 file changed, 31 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 161a2aac58e..c93d6128ca4 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -170,7 +170,7 @@ controls:
|
|
rules:
|
|
- partition_for_home
|
|
|
|
- - id: 1.1.18
|
|
+ - id: 1.1.14
|
|
title: Ensure nodev option set on /home partition (Automated)
|
|
levels:
|
|
- l1_server
|
|
@@ -212,7 +212,7 @@ controls:
|
|
- l1_server
|
|
- l1_workstation
|
|
automated: no
|
|
- rules:
|
|
+ related_rules:
|
|
- mount_option_nodev_removable_partitions
|
|
|
|
- id: 1.1.19
|
|
@@ -221,7 +221,7 @@ controls:
|
|
- l1_server
|
|
- l1_workstation
|
|
automated: no
|
|
- rules:
|
|
+ related_rules:
|
|
- mount_option_nosuid_removable_partitions
|
|
|
|
- id: 1.1.20
|
|
@@ -230,9 +230,18 @@ controls:
|
|
- l1_server
|
|
- l1_workstation
|
|
automated: no
|
|
- rules:
|
|
+ related_rules:
|
|
- mount_option_noexec_removable_partitions
|
|
|
|
+ - id: 1.1.21
|
|
+ title: Ensure sticky bit is set on all world-writable directories (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - dir_perms_world_writable_sticky_bits
|
|
+
|
|
- id: 1.1.22
|
|
title: Disable Automounting (Automated)
|
|
levels:
|
|
@@ -348,7 +357,7 @@ controls:
|
|
- file_groupowner_grub2_cfg
|
|
- file_permissions_grub2_cfg
|
|
|
|
- - id: 1.5.1
|
|
+ - id: 1.5.2
|
|
title: Ensure bootloader password is set (Automated)
|
|
levels:
|
|
- l1_server
|
|
@@ -356,6 +365,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- grub2_password
|
|
+ - grub2_uefi_password
|
|
|
|
- id: 1.5.3
|
|
title: Ensure authentication required for single user mode (Automated)
|
|
@@ -397,15 +407,6 @@ controls:
|
|
rules:
|
|
- package_libselinux_installed
|
|
|
|
- - id: 1.7.1.1
|
|
- title: Ensure SELinux is installed (Automated)
|
|
- levels:
|
|
- - l2_server
|
|
- - l2_workstation
|
|
- automated: yes
|
|
- rules:
|
|
- - package_libselinux_installed
|
|
-
|
|
- id: 1.7.1.2
|
|
title: Ensure SELinux is not disabled in bootloader configuration (Automated)
|
|
levels:
|
|
@@ -469,6 +470,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- banner_etc_motd
|
|
+ - login_banner_text=usgcb_default
|
|
|
|
- id: 1.8.1.2
|
|
title: Ensure local login warning banner is configured properly (Automated)
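Review bot: Selecting `login_banner_text=usgcb_default` for 1.8.1.1 goes beyond the benchmark, which only requires that /etc/motd match site policy and not disclose the OS name, version or kernel (the \m, \r, \s and \v escapes), so remediation will presumably overwrite an already-compliant site-specific banner with the USGCB text. Mark the variable line with the `# Opinionated selection` comment this file uses for other such choices, or drop it and leave the wording to the deployer. The same selection is repeated for 1.8.1.2 and 1.8.2 in the following hunks; one comment at this first occurrence explaining the choice would cover all three.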
|
|
@@ -478,6 +480,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- banner_etc_issue
|
|
+ - login_banner_text=usgcb_default
|
|
|
|
# NEEDS RULE
|
|
# https://github.com/ComplianceAsCode/content/issues/5225
|
|
@@ -495,6 +498,8 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
+ - file_groupowner_etc_motd
|
|
+ - file_owner_etc_motd
|
|
- file_permissions_etc_motd
|
|
|
|
- id: 1.8.1.5
|
|
@@ -504,8 +509,19 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
+ - file_groupowner_etc_issue
|
|
+ - file_owner_etc_issue
|
|
- file_permissions_etc_issue
|
|
|
|
+ # NEEDS RULE
|
|
+ # https://github.com/ComplianceAsCode/content/issues/7225
|
|
+ - id: 1.8.1.6
|
|
+ title: Ensure permissions on /etc/issue.net are configured (Automated)
|
|
+ levels:
|
|
+ - l1_server
|
|
+ - l1_workstation
|
|
+ automated: no
|
|
+
|
|
- id: 1.8.2
|
|
title: Ensure GDM login banner is configured (Automated)
|
|
levels:
|
|
@@ -515,6 +531,7 @@ controls:
|
|
rules:
|
|
- dconf_gnome_banner_enabled
|
|
- dconf_gnome_login_banner_text
|
|
+ - login_banner_text=usgcb_default
|
|
|
|
- id: 1.9
|
|
title: Ensure updates, patches, and additional security software are installed (Manual)
|
|
|
|
From 0d2d6a378e8ce767959ffbe8b1c41c9e5ca22d01 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 16 Jul 2021 14:21:02 +0100
|
|
Subject: [PATCH 08/55] Allow DEFAULT crypto policy for RHEL 8 CIS (conditional
|
|
on merge of #7226)
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index c93d6128ca4..9140711fb66 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -550,6 +550,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- configure_crypto_policy
|
|
+ - var_system_crypto_policy=default
|
|
|
|
# This rule works in conjunction with the configure_crypto_policy above.
|
|
# If a system is remediated to CIS Level 1, just the rule above will apply
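Review bot: Pinning `var_system_crypto_policy=default` on this Level 1 control means the Level 2 profile, which includes the L1 controls, carries this selection alongside whatever the companion L2 control mentioned in the comment below sets; if that control selects the same variable with a different value (presumably FUTURE or FIPS), the profile ends up with two values for one variable and which one wins depends on the control loader's ordering rather than on intent. Either keep the variable selection only on the level-specific control, or add a comment here such as `# Level 2 control 1.12 is expected to override this variable` so the dependency is explicit. The L2 control itself lies outside this hunk, so this is inferred from the comment at its top.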
|
|
|
|
From 85befb58973da869943ad45b80b495c0061df01b Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 16 Jul 2021 14:34:41 +0100
|
|
Subject: [PATCH 09/55] Update RHEL 8 CIS Section 2 rules
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 12 ++++++------
|
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 9140711fb66..782dc7666f3 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -585,7 +585,7 @@ controls:
|
|
related_rules:
|
|
- package_chrony_installed
|
|
|
|
- - id: 2.1.1
|
|
+ - id: 2.2.1.2
|
|
title: Ensure chrony is configured (Automated)
|
|
levels:
|
|
- l1_server
|
|
@@ -597,13 +597,12 @@ controls:
|
|
- chronyd_run_as_chrony_user
|
|
|
|
- id: 2.2.2
|
|
- title: Ensure chrony is configured (Automated)
|
|
+ title: Ensure X Window System is not installed (Automated)
|
|
levels:
|
|
- l1_server
|
|
automated: yes
|
|
rules:
|
|
- - package_xorg-x11-server-common_removed
|
|
- - xwindows_runlevel_target
|
|
+ - xwindows_remove_packages
|
|
|
|
- id: 2.2.3
|
|
title: Ensure rsync service is not enabled (Automated)
|
|
@@ -639,7 +638,7 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
- - package_squid_removed
|
|
+ - package_squid_disabled
|
|
|
|
- id: 2.2.7
|
|
title: Ensure Samba is not enabled (Automated)
|
|
@@ -707,7 +706,7 @@ controls:
|
|
# NEEDS RULE
|
|
# https://github.com/ComplianceAsCode/content/issues/5231
|
|
- id: 2.2.14
|
|
- title: Ensure RPC is not enabled (Automated)
|
|
+ title: Ensure LDAP server is not enabled (Automated)
|
|
levels:
|
|
- l1_server
|
|
- l1_workstation
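Review bot: The `# NEEDS RULE` / issue 5231 comment above 2.2.14 was written when this control was titled "Ensure RPC is not enabled" and is kept unchanged after the retitle to the LDAP server control, so the link may now point at the wrong tracking issue; confirm it refers to the LDAP-server gap and update it if not. If the RPC control was renumbered rather than dropped, its own `# NEEDS RULE` comment should move with it, otherwise the RPC gap loses its tracking reference.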
|
|
@@ -748,6 +747,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- postfix_network_listening_disabled
|
|
+ - var_postfix_inet_interfaces=loopback-only
|
|
|
|
- id: 2.3.1
|
|
title: Ensure NIS Client is not installed (Automated)
|
|
|
|
From fc72716acbbb503abb094a36f0cb17ab3ee58de3 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 16 Jul 2021 15:03:09 +0100
|
|
Subject: [PATCH 10/55] Update RHEL 8 CIS Section 3 rules
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 29 ++++++++++++++++++++---------
|
|
1 file changed, 20 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 782dc7666f3..1d34337411f 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -785,6 +785,7 @@ controls:
|
|
rules:
|
|
- sysctl_net_ipv4_ip_forward
|
|
- sysctl_net_ipv6_conf_all_forwarding
|
|
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
|
|
|
|
- id: 3.1.2
|
|
title: Ensure packet redirect sending is disabled (Automated)
|
|
@@ -804,9 +805,13 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
|
|
- sysctl_net_ipv4_conf_default_accept_source_route
|
|
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
|
|
- sysctl_net_ipv6_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
|
|
- sysctl_net_ipv6_conf_default_accept_source_route
|
|
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
|
|
|
|
- id: 3.2.2
|
|
title: Ensure ICMP redirects are not accepted (Automated)
|
|
@@ -816,9 +821,13 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_conf_all_accept_redirects
|
|
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
|
|
- sysctl_net_ipv4_conf_default_accept_redirects
|
|
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
|
|
- sysctl_net_ipv6_conf_all_accept_redirects
|
|
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
|
|
- sysctl_net_ipv6_conf_default_accept_redirects
|
|
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
|
|
|
|
- id: 3.2.3
|
|
title: Ensure secure ICMP redirects are not accepted (Automated)
|
|
@@ -828,7 +837,9 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_conf_all_secure_redirects
|
|
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
|
|
- sysctl_net_ipv4_conf_default_secure_redirects
|
|
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
|
|
|
|
- id: 3.2.4
|
|
title: Ensure suspicious packets are logged (Automated)
|
|
@@ -838,7 +849,9 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_conf_all_log_martians
|
|
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
|
|
- sysctl_net_ipv4_conf_default_log_martians
|
|
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
|
|
|
|
- id: 3.2.5
|
|
title: Ensure broadcast ICMP requests are ignored (Automated)
|
|
@@ -848,6 +861,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
|
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
|
|
|
|
- id: 3.2.6
|
|
title: Ensure bogus ICMP responses are ignored (Automated)
|
|
@@ -857,6 +871,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
|
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
|
|
|
|
- id: 3.2.7
|
|
title: Ensure Reverse Path Filtering is enabled (Automated)
|
|
@@ -866,7 +881,9 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_conf_all_rp_filter
|
|
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
|
|
- sysctl_net_ipv4_conf_default_rp_filter
|
|
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
|
|
|
|
- id: 3.2.8
|
|
title: Ensure TCP SYN Cookies is enabled (Automated)
|
|
@@ -876,15 +893,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv4_tcp_syncookies
|
|
-
|
|
- - id: 3.2.8
|
|
- title: Ensure TCP SYN Cookies is enabled (Automated)
|
|
- levels:
|
|
- - l1_server
|
|
- - l1_workstation
|
|
- automated: yes
|
|
- rules:
|
|
- - sysctl_net_ipv4_tcp_syncookies
|
|
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
|
|
|
|
- id: 3.2.9
|
|
title: Ensure IPv6 router advertisements are not accepted (Automated)
|
|
@@ -894,7 +903,9 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- sysctl_net_ipv6_conf_all_accept_ra
|
|
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
|
|
- sysctl_net_ipv6_conf_default_accept_ra
|
|
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
|
|
|
|
- id: 3.3.1
|
|
title: Ensure DCCP is disabled (Automated)
|
|
|
|
From 35206714177e9fac308589041449fc484254c29b Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Tue, 20 Jul 2021 08:43:10 +0100
|
|
Subject: [PATCH 11/55] Update controls/cis_rhel8.yml
|
|
|
|
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 1d34337411f..2acf9aef28d 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -638,7 +638,7 @@ controls:
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
- - package_squid_disabled
|
|
+ - service_squid_disabled
|
|
|
|
- id: 2.2.7
|
|
title: Ensure Samba is not enabled (Automated)
|
|
|
|
From 0d1ff0c4d6ecdd1fcb3043d7e7237ef9159322ac Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 30 Jul 2021 22:13:25 +0100
|
|
Subject: [PATCH 12/55] RHEL 8 CIS 1.5.1 is only partially automated currently
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 2acf9aef28d..e63fc57ddea 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -351,7 +351,7 @@ controls:
|
|
levels:
|
|
- l1_server
|
|
- l1_workstation
|
|
- automated: yes
|
|
+ automated: partially # This rule, as implemented here, does not check for a user.cfg file
|
|
rules:
|
|
- file_owner_grub2_cfg
|
|
- file_groupowner_grub2_cfg
|
|
|
|
From 60e7bde2e888abd847505e8f2179aadae8ee8e1a Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 30 Jul 2021 22:19:14 +0100
|
|
Subject: [PATCH 13/55] Add EFI GRUB rules to RHEL 8 CIS control 1.5.1
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index e63fc57ddea..2163655d9d3 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -353,8 +353,11 @@ controls:
|
|
- l1_workstation
|
|
automated: partially # This rule, as implemented here, does not check for a user.cfg file
|
|
rules:
|
|
- - file_owner_grub2_cfg
|
|
+ - file_groupowner_efi_grub2_cfg
|
|
- file_groupowner_grub2_cfg
|
|
+ - file_owner_efi_grub2_cfg
|
|
+ - file_owner_grub2_cfg
|
|
+ - file_permissions_efi_grub2_cfg
|
|
- file_permissions_grub2_cfg
|
|
|
|
- id: 1.5.2
|
|
|
|
From 3be000366701a2772c7fe3ba7807e63fd4c03b24 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:11:38 +0100
|
|
Subject: [PATCH 14/55] Update controls/cis_rhel8.yml
|
|
|
|
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 2163655d9d3..aa9c2b6c809 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1655,7 +1655,7 @@ controls:
|
|
- id: 5.2.6
|
|
title: Ensure SSH X11 forwarding is disabled (Automated)
|
|
levels:
|
|
- - l1_server
|
|
+ - l2_server
|
|
- l1_workstation
|
|
automated: yes
|
|
rules:
|
|
|
|
From c62def9e1764d06aacb75b50886c7f4d08fe751b Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:22:44 +0100
|
|
Subject: [PATCH 15/55] Explicitly set var_auditd_max_log_file_action
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index aa9c2b6c809..af874fd789e 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1234,6 +1234,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- auditd_data_retention_max_log_file_action
|
|
+ - var_auditd_max_log_file_action=keep_logs
|
|
|
|
- id: 4.1.2.3
|
|
title: Ensure system is disabled when audit logs are full (Automated)
|
|
|
|
From 860425b14b8637123b3f96aa9be319e9448f15a6 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:31:20 +0100
|
|
Subject: [PATCH 16/55] Explicitly set the number of auditd logs to keep to 6
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index af874fd789e..af1314325ab 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1225,6 +1225,7 @@ controls:
|
|
automated: yes
|
|
rules:
|
|
- auditd_data_retention_max_log_file
|
|
+ - var_auditd_max_log_file=6
|
|
|
|
- id: 4.1.2.2
|
|
title: Ensure audit logs are not automatically deleted (Automated)
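Review bot: `var_auditd_max_log_file=6` hard-codes an audit log size (auditd's max_log_file is expressed in megabytes) that CIS 4.1.2.1 explicitly leaves to site policy, so remediation will silently replace a site-chosen value on systems that already set it. Give the line the `# Opinionated selection` comment this file uses for other such choices, with a note that the figure is a placeholder to be adjusted to site policy, e.g. `# Opinionated selection: CIS leaves the size to site policy; 6 MB is a placeholder`.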
|
|
|
|
From 28cad027f42c4bf0f5570bf16766a7b1d402d5fe Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:36:48 +0100
|
|
Subject: [PATCH 17/55] The audit_rules_time_settimeofday rule does not
|
|
directly align with CIS
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 3 +--
|
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index af1314325ab..a81a9ef4605 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1284,11 +1284,10 @@ controls:
|
|
levels:
|
|
- l2_server
|
|
- l2_workstation
|
|
- automated: yes
|
|
+ automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
|
|
rules:
|
|
- audit_rules_time_adjtimex
|
|
- audit_rules_time_clock_settime
|
|
- - audit_rules_time_settimeofday
|
|
- audit_rules_time_stime
|
|
- audit_rules_time_watch_localtime
|
|
|
|
|
|
From fe542405de5e73479ca8377b80fbbb7ac32be1d7 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:37:25 +0100
|
|
Subject: [PATCH 18/55] RHEL CIS control 4.1.7 is missing a rule to achieve
|
|
full automation
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index a81a9ef4605..cba86f40c9e 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1299,7 +1299,7 @@ controls:
|
|
levels:
|
|
- l2_server
|
|
- l2_workstation
|
|
- automated: yes
|
|
+ automated: partial
|
|
rules:
|
|
- audit_rules_mac_modification
|
|
|
|
|
|
From ed087900ecf7230d2797a483e07a753f1733317e Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:38:54 +0100
|
|
Subject: [PATCH 19/55] Remove opinionated rule from CIS 4.1.10 as it does not
|
|
align with the benchmark
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 --
|
|
1 file changed, 2 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index cba86f40c9e..6e8c5cf10f0 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1345,8 +1345,6 @@ controls:
|
|
- audit_rules_unsuccessful_file_modification_open
|
|
- audit_rules_unsuccessful_file_modification_openat
|
|
- audit_rules_unsuccessful_file_modification_truncate
|
|
- # Opinionated selection
|
|
- - audit_rules_unsuccessful_file_modification_open_by_handle_at
|
|
|
|
- id: 4.1.11
|
|
title: Ensure events that modify user/group information are collected (Automated)
|
|
|
|
From 47bf486ddadd79bade733fd444f3aadca4a82ad7 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:41:13 +0100
|
|
Subject: [PATCH 20/55] Use "partially" rather than "partial" for automation
|
|
key
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 6e8c5cf10f0..829f0515cb0 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1284,7 +1284,7 @@ controls:
|
|
levels:
|
|
- l2_server
|
|
- l2_workstation
|
|
- automated: partial # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
|
|
+ automated: partially # The CAC rule audit_rules_time_settimeofday uses additional parameters compared to the CIS benchmark and so is not used here. As a result, automated coverage is only partial for this control.
|
|
rules:
|
|
- audit_rules_time_adjtimex
|
|
- audit_rules_time_clock_settime
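Review bot: The explanatory text on the `automated:` line runs to roughly 200 characters as a trailing comment, which defeats the yamllint pass an earlier patch in this series ("Tweak RHEL8 CIS control file to satisfy yamllint") aimed for and is hard to read in a diff. Move it to `#` lines above the control, e.g. `# The CAC rule audit_rules_time_settimeofday adds parameters beyond the CIS` / `# benchmark's rule, so it is deliberately not selected; coverage is partial.`, and leave `automated: partially` bare.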
|
|
@@ -1299,7 +1299,7 @@ controls:
|
|
levels:
|
|
- l2_server
|
|
- l2_workstation
|
|
- automated: partial
|
|
+ automated: partially
|
|
rules:
|
|
- audit_rules_mac_modification
|
|
|
|
|
|
From 42e08ddcb1575fccf3ff0f0a4094a15fb445bdf1 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:42:57 +0100
|
|
Subject: [PATCH 21/55] Disable automation for control 4.1.13 as it does not
|
|
align exactly with the benchmark
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
|
|
index 829f0515cb0..76a7c8bbfa9 100644
|
|
--- a/controls/cis_rhel8.yml
|
|
+++ b/controls/cis_rhel8.yml
|
|
@@ -1373,8 +1373,9 @@ controls:
|
|
levels:
|
|
- l2_server
|
|
- l2_workstation
|
|
- automated: yes
|
|
- rules:
|
|
+ automated: no
|
|
+ related_rules:
|
|
+ # The rule below is almost correct but cannot be used as it does not set the perm=x flag.
|
|
- audit_rules_privileged_commands
|
|
|
|
- id: 4.1.14
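Review bot: Moving `audit_rules_privileged_commands` to `related_rules:` leaves 4.1.13 (auditing of privileged command use) with no selected rule in the L2 profiles, but the comment records only why the existing rule is unsuitable and not where the gap is tracked; add the `# NEEDS RULE` line and an issue link above the control, as the other unautomated controls in this file do. The inline comment also sits inside the `related_rules` sequence; placing it above `related_rules:` keeps the list entries uniform.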
|
|
|
|
From 769029ec6639f26afdbb9d595f67e692dec368c2 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:44:03 +0100
|
|
Subject: [PATCH 22/55] Remove opinionated rule from CIS 4.1.14 as it does not
|
|
align with the benchmark
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 --
|
|
1 file changed, 2 deletions(-)
|
|
|
|
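diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 76a7c8bbfa9..e6a53516666 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1389,8 +1389,6 @@ controls:
 - audit_rules_file_deletion_events_renameat
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat
- # Opinionated selection
- - audit_rules_file_deletion_events_rmdir
 
 - id: 4.1.15
 title: Ensure kernel module loading and unloading is collected (Automated)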
From fe163c10596ab3e24fb805267cb762cc40fd5ed0 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:47:53 +0100
|
|
Subject: [PATCH 23/55] Disable the rsyslog_files_permissions rule as it does
|
|
not align with the benchmark
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
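diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e6a53516666..327400abd65 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1435,14 +1435,15 @@ controls:
 rules:
 - service_rsyslog_enabled
 
+ # NEEDS RULE
+ # The rsyslog_files_permissions rule is not sufficient
+ # https://github.com/ComplianceAsCode/content/issues/7332
 - id: 4.2.1.3
 title: Ensure rsyslog default file permissions configured (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
- - rsyslog_files_permissions
+ automated: no
 
 - id: 4.2.1.4
 title: Ensure logging is configured (Manual)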
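Review bot: When 4.2.1.3 is flipped to `automated: no`, the `rsyslog_files_permissions` rule is removed entirely, whereas 4.1.13 in this same series keeps its near-miss rule under `related_rules:` (and patch 50 later standardises on `related_rules` for unautomated controls). Keeping `related_rules:` / `- rsyslog_files_permissions` preserves the link between this control and the rule being fixed in issue 7332, and lets tooling report the partial coverage. The same pattern applies to 4.2.1.5 and 5.2.3 (patch 24), 5.2.15 (patch 29), 5.4.2 (patch 33) and the IPv6 control in patch 52.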
From 404aef23030c6286f6b3d465ca84295c5252fe7c Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:52:17 +0100
|
|
Subject: [PATCH 24/55] Disable 4.2.1.5 and 5.2.3 as they do not align
|
|
perfectly with the benchmark
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 19 ++++++++-----------
|
|
1 file changed, 8 insertions(+), 11 deletions(-)
|
|
|
|
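diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 327400abd65..f5a8ce45848 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1452,14 +1452,15 @@ controls:
 - l1_workstation
 automated: no
 
+ # NEEDS RULE
+ # The rsyslog_remote_loghost rule is not sufficient
+ # https://github.com/ComplianceAsCode/content/issues/7333
 - id: 4.2.1.5
 title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
- - rsyslog_remote_loghost
+ automated: no
 
 - id: 4.2.1.6
 title: Ensure remote rsyslog messages are only accepted on designated log hosts. (Manual)
@@ -1617,19 +1618,15 @@ controls:
 - l1_workstation
 automated: no
 
- # TODO
- # Rule sets permissions to 0640 but benchmark wants it to be 0600
- #
- # TODO
- # Check owner of private keys in /etc/ssh is root:root
+ # NEEDS RULE
+ # The file_permissions_sshd_private_key rule is not aligned with the benchmark
+ # https://github.com/ComplianceAsCode/content/issues/7334
 - id: 5.2.3
 title: Ensure permissions on SSH private host key files are configured (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
- - file_permissions_sshd_private_key
+ automated: no
 
 # TODO
 # Check owner of public keys in /etc/ssh is root:root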
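Review bot: In the 5.2.3 hunk the removed TODO "Check owner of private keys in /etc/ssh is root:root" is not carried into the replacement NEEDS RULE block, while the parallel public-key TODO directly below it is kept. If issue 7334 covers only the 0640-vs-0600 mode mismatch, the ownership requirement for the SSH host private keys is no longer recorded anywhere in this file; adding `# Ownership (root:root) of the private host keys is also not checked by the rule` to the new block keeps it visible. The first hunk (4.2.1.5) is consistent with the pattern used for 4.2.1.3.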
From 012d4f8df6c68e8a7a3c2efcd139a7f9ce8ab6bb Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:53:10 +0100
|
|
Subject: [PATCH 25/55] 5.2.4 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
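diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index f5a8ce45848..0e3fa99d32e 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1635,7 +1635,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially
 rules:
 - file_permissions_sshd_pub_key
 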
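Review bot: `automated: partially` for 5.2.4 is added without the explanation that the later `partially` changes in this series carry (for example the 5.4.4 hunk), so a reader cannot tell which part of the control `file_permissions_sshd_pub_key` leaves uncovered. Presumably it is the ownership check that the TODO above this control refers to, but that is not visible here; record whatever the gap actually is, e.g. `# file_permissions_sshd_pub_key checks the file mode only; ownership is tracked in the TODO above`.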
From e5cfc29ca52446f494a539010af31e54af51d58a Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 4 Aug 2021 16:55:32 +0100
|
|
Subject: [PATCH 26/55] Ensure var_sshd_set_keepalive variable gets used
|
|
properly
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
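diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0e3fa99d32e..439b3265fe9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1721,7 +1721,7 @@ controls:
 rules:
 - sshd_idle_timeout_value=5_minutes
 - sshd_set_idle_timeout
- - sshd_set_keepalive_0
+ - sshd_set_keepalive
 - var_sshd_set_keepalive=0
 
 # NEEDS RULE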
From d21ea1b769d31bfbdcb97d1af5de9969be835ace Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 08:47:24 +0100
|
|
Subject: [PATCH 27/55] Align RHEL 8 Chrony configuration rule more closely
|
|
with CIS benchmark
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
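diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 439b3265fe9..92ac0dd85c5 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -595,9 +595,9 @@ controls:
 - l1_workstation
 automated: yes
 rules:
- - service_chronyd_enabled
 - chronyd_specify_remote_server
 - chronyd_run_as_chrony_user
+ - var_multiple_time_servers=rhel
 
 - id: 2.2.2
 title: Ensure X Window System is not installed (Automated)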
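Review bot: `service_chronyd_enabled` is dropped from the chrony control without a comment, so the next reader cannot tell whether enabling the service is deliberately outside this benchmark item or simply lost. The commit message gives the reason (closer alignment with the benchmark's configuration-only audit); a line above `rules:` such as `# Only chrony configuration is audited by this control; service state is not part of it` keeps that rationale in the file. The control's `- id:` and `title:` lines are outside the hunk.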
From ade74cf232a649645b91da9d7c007b1106e25fb4 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 08:54:14 +0100
|
|
Subject: [PATCH 28/55] Set SSH loglevel to VERBOSE in RHEL 8 CIS controls file
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
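diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 92ac0dd85c5..565974817f1 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1645,7 +1645,12 @@ controls:
 - l1_server
 - l1_workstation
 automated: yes
+ # The CIS benchmark is not opinionated about which loglevel is selected
+ # here. Here, this profile uses VERBOSE by default, as it allows for
+ # the capture of login and logout activity as well as key fingerprints.
 rules:
+ - sshd_set_loglevel_verbose
+ related_rules:
 - sshd_set_loglevel_info
 
 - id: 5.2.6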
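Review bot: The new comment explains the choice of VERBOSE but not why `sshd_set_loglevel_info` is moved to `related_rules:`; since `LogLevel` holds a single value, the two rules are alternatives, and selecting both would produce conflicting remediations. One more comment line makes that explicit: `# sshd_set_loglevel_info is the benchmark's other accepted value; select one of the two, never both.`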
From 723681dedf1d88c4924684e34ea4c5e7fb8be24d Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:00:17 +0100
|
|
Subject: [PATCH 29/55] Disable SSH warning banner rule in RHEL 8 CIS (uses
|
|
wrong path)
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 8 +++++---
|
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
|
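diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 565974817f1..53f024fffea 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1738,14 +1738,16 @@ controls:
 - l1_workstation
 automated: no
 
+ # NEEDS RULE
+ # The current sshd_enable_warning_banner rule uses /etc/issue instead
+ # of the /etc/issue.net that the benchmark expects.
+ #
 - id: 5.2.15
 title: Ensure SSH warning banner is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
- - sshd_enable_warning_banner
+ automated: no
 
 # NEEDS RULE
 # https://github.com/ComplianceAsCode/content/issues/5526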
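Review bot: The new NEEDS RULE block ends with a bare `#` line that separates nothing, whereas the other NEEDS RULE blocks in this file end with a tracking-issue link. Either drop the trailing `#` or follow it with the issue once one is filed, `# <tracking issue URL>`, so the /etc/issue vs /etc/issue.net mismatch is tracked rather than only described.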
From b0615c26dd852bf817aa919752f543802ff707b0 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:00:48 +0100
|
|
Subject: [PATCH 30/55] Add explicit variable definition for SSH MaxStartups
|
|
rule in RHEL 8 CIS profile
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
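diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 53f024fffea..3345a37d098 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1775,6 +1775,7 @@ controls:
 automated: yes
 rules:
 - sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
 
 - id: 5.2.19
 title: Ensure SSH MaxSessions is set to 4 or less (Automated)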
From 03504b065edbaa7f23352943adc3650e59771ba1 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:19:43 +0100
|
|
Subject: [PATCH 31/55] Update SSH MaxSessions to match the value CIS audits
|
|
for vs the one in the control title
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 9 ++++++++-
|
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
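diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3345a37d098..3b6219f3296 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1777,6 +1777,13 @@ controls:
 - sshd_set_maxstartups
 - var_sshd_set_maxstartups=10:30:60
 
+ # The title of this control does not appear to match the suggested audit and
+ # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
+ # value from the audit and remediation sections of the benchmark rather than
+ # from the title.
+ #
+ # An upstream ticket has been opened about this issue:
+ # https://workbench.cisecurity.org/community/14/tickets/13414
 - id: 5.2.19
 title: Ensure SSH MaxSessions is set to 4 or less (Automated)
 levels:
@@ -1785,7 +1792,7 @@ controls:
 automated: yes
 rules:
 - sshd_set_max_sessions
- - var_sshd_max_sessions=4
+ - var_sshd_max_sessions=10
 
 - id: 5.2.20
 title: Ensure system-wide crypto policy is not over-ridden (Automated)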
From 0ef85e84670e72afb2842414369b12a1c72cd273 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:20:45 +0100
|
|
Subject: [PATCH 32/55] Fix rule ID for 5.3.3
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
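diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 3b6219f3296..55c8378529d 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1823,7 +1823,7 @@ controls:
 
 # NEEDS RULE
 # https://github.com/ComplianceAsCode/content/issues/5532
- - id: 5.3.2
+ - id: 5.3.3
 title: Ensure authselect includes with-faillock (Automated)
 levels:
 - l1_server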
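Review bot: Renumbering this entry to `5.3.3` is correct only if no other `- id: 5.3.3` exists and `5.3.2` is still defined elsewhere; neither is visible in the hunk, and duplicate or missing control ids are not caught by YAML parsing. Confirm both before merging, and consider a build-time check that control ids within a file are unique. The `# NEEDS RULE` / issue 5532 comment now sits above the renumbered control — verify it refers to this control and not to the former 5.3.2.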
From 85c2fcf29b1c71f4528fabeed8c6556cf02312e7 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:23:40 +0100
|
|
Subject: [PATCH 33/55] Remove misaligned rules from RHEL 8 CIS 5.4.2
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 9 +++------
|
|
1 file changed, 3 insertions(+), 6 deletions(-)
|
|
|
|
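diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 55c8378529d..c7f651994d6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1845,17 +1845,14 @@ controls:
 - var_password_pam_minclass=4
 - var_password_pam_minlen=14
 
+ # NEEDS RULE
+ # https://github.com/ComplianceAsCode/content/issues/7337
 - id: 5.4.2
 title: Ensure lockout for failed password attempts is configured (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
- - accounts_passwords_pam_faillock_deny
- - accounts_passwords_pam_faillock_unlock_time
- - var_accounts_passwords_pam_faillock_deny=5
- - var_accounts_passwords_pam_faillock_unlock_time=900
+ automated: no
 
 - id: 5.4.3
 title: Ensure password reuse is limited (Automated)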
From edbd2b2264252ab1a35f872b816947e289c7d4a5 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:29:15 +0100
|
|
Subject: [PATCH 34/55] RHEL 8 CIS 5.4.1 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
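diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index c7f651994d6..10816e1ba35 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1830,14 +1830,15 @@ controls:
 - l1_workstation
 automated: no
 
- # NEEDS RULE: try_first_pass
+ # NEEDS RULE
+ # try_first_pass
 # https://github.com/ComplianceAsCode/content/issues/5533
 - id: 5.4.1
 title: Ensure password creation requirements are configured (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially
 rules:
 - accounts_password_pam_minclass
 - accounts_password_pam_minlen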
From e32f46528ef2c46986fca31e700b40949096d48f Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:37:15 +0100
|
|
Subject: [PATCH 35/55] Import logic for the "Ensure password reuse is limited"
|
|
rule from RHEL 7
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 12 +++++++++---
|
|
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
|
|
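diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 10816e1ba35..0ea36362832 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1861,9 +1861,15 @@ controls:
 - l1_server
 - l1_workstation
 automated: yes
- rules:
- - accounts_password_pam_unix_remember
- - var_password_pam_unix_remember=5
+ notes: |-
+ Usage of pam_unix.so module together with "remember" option is deprecated and is not supported by this policy interpretation.
+ See here for more details about pam_unix.so:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1778929
+ rules:
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=required
+ - var_password_pam_remember=5
 
 - id: 5.4.4
 title: Ensure password hashing algorithm is SHA-512 (Automated)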
From c77bbff67b5e700b6785264bee3c973c343364d1 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:41:13 +0100
|
|
Subject: [PATCH 36/55] RHEL 8 CIS 5.4.4 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
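diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0ea36362832..be46d870965 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1876,7 +1876,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The rule below does not check the /etc/pam.d/password-auth file mentioned in the benchmark.
 rules:
 - set_password_hashing_algorithm_systemauth
 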
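Review bot: The rationale for `automated: partially` is written as a long trailing comment on the same line, which pushes the line well past conventional length and hides the key/value when scanning; the parallel hunks for 5.5.1.1–5.5.1.4 (patches 37–40), 5.5.3 (patch 43) and 5.5.5 (patch 44) do the same. Putting the explanation on its own comment line above the key — `# set_password_hashing_algorithm_systemauth does not check /etc/pam.d/password-auth, which the benchmark also requires` followed by `automated: partially` — matches the style of the NEEDS RULE blocks elsewhere in this file. The substance of the comment is fine and should be kept.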
From be706084b1cae588b2799b38e9cea615ce8dc22f Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:42:57 +0100
|
|
Subject: [PATCH 37/55] RHEL 8 CIS 5.5.1.1 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
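diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index be46d870965..e41c2eb4dae 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1885,7 +1885,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate whether all current users' PASS_MAX_DAYS setting conforms to the control.
 rules:
 - accounts_maximum_age_login_defs
 - var_accounts_maximum_age_login_defs=365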
From 075eb337ef12d1610626e6b92eb6b207f89e7054 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:44:17 +0100
|
|
Subject: [PATCH 38/55] RHEL 8 CIS 5.5.1.2 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
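diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e41c2eb4dae..0b2b3d04621 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1895,7 +1895,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate whether all current users' PASS_MIN_DAYS setting conforms to the control.
 rules:
 - accounts_minimum_age_login_defs
 - var_accounts_minimum_age_login_defs=7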
From 1e3c17e5c1f81582bf891664dd7bc7c6000030b2 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:47:22 +0100
|
|
Subject: [PATCH 39/55] RHEL 8 CIS 5.5.1.3 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
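diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 0b2b3d04621..70312f6399a 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1905,7 +1905,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate whether all current users' PASS_WARN_AGE setting conforms to the control.
 rules:
 - accounts_password_warn_age_login_defs
 - var_accounts_password_warn_age_login_defs=7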
From 97c5ff8a7096b04c2ebdac6af58047a9b0ee194b Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Thu, 5 Aug 2021 09:47:54 +0100
|
|
Subject: [PATCH 40/55] RHEL 8 CIS 5.5.1.4 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 4 +---
|
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
|
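diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 70312f6399a..42dbf14c816 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1910,14 +1910,12 @@ controls:
 - accounts_password_warn_age_login_defs
 - var_accounts_password_warn_age_login_defs=7
 
- # TODO
- # Rule doesn't check list of users
 - id: 5.5.1.4
 title: Ensure inactive password lock is 30 days or less (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control.
 rules:
 - account_disable_post_pw_expiration
 - var_account_disable_post_pw_expiration=30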
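Review bot: The added inline comment on `automated: partially` misspells `wheter`; the matching comments for 5.5.1.1–5.5.1.3 in the previous three patches spell it correctly. Change it to `automated: partially # The rule below does not validate whether all current users' INACTIVE setting conforms to the control.`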
From 2d5603c3e25f376b0351364c05b3eaccc5b36368 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 15:17:53 +0100
|
|
Subject: [PATCH 41/55] Set SSH idle timeout to 15 minutes
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
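diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 42dbf14c816..e8e340e0c36 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1724,7 +1724,7 @@ controls:
 - l1_workstation
 automated: yes
 rules:
- - sshd_idle_timeout_value=5_minutes
+ - sshd_idle_timeout_value=15_minutes
 - sshd_set_idle_timeout
 - sshd_set_keepalive
 - var_sshd_set_keepalive=0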
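Review bot: The SSH idle timeout is raised from 5 to 15 minutes with no comment, while other value choices in this file (the 5.2.19 MaxSessions block, the SSH loglevel block) record their rationale next to the value. Neither the hunk nor the commit message says why 15 minutes was chosen or that it stays within the benchmark's limit; add a line above `rules:` such as `# <reason the 15-minute idle timeout was chosen and its relation to the benchmark value>` so the next reviewer does not revert it to 5. The control's `- id:` and `title:` lines are outside the hunk.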
From da63d392814f48f17436e975cf8ccc3215eb917c Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:12:47 +0100
|
|
Subject: [PATCH 42/55] RHEL 8 CIS 5.5.2 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
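diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8e340e0c36..2d534d95072 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1929,12 +1929,15 @@ controls:
 - l1_workstation
 automated: no
 
+ # NEEDS RULE
+ # We are missing the component of this control which locks non-root system accounts
+ # https://github.com/ComplianceAsCode/content/issues/7352
 - id: 5.5.2
 title: Ensure system accounts are secured (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially
 rules:
 - no_shelllogin_for_systemaccounts
 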
From d07ec30f6cde2e6a3875170ced9004a81af6dee4 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:17:13 +0100
|
|
Subject: [PATCH 43/55] RHEL 8 CIS 5.5.3 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
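diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2d534d95072..784af3e0fe9 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1946,7 +1946,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The remediation for this rule does not implement the "TMOUT" variable as readonly so does not align fully with the benchmark
 rules:
 - accounts_tmout
 - var_accounts_tmout=15_min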
From cd867062192bb635422d1f72261d4e8fbdc841e6 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:21:39 +0100
|
|
Subject: [PATCH 44/55] RHEL 8 CIS 5.5.5 is only partially automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
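diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 784af3e0fe9..045e219d90f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1965,9 +1965,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: partially # The rules below do not take /etc/profile.d/* into account so are not perfectly aligned with the benchmark
 rules:
 - accounts_umask_etc_bashrc
+ - accounts_umask_etc_login_defs
 - accounts_umask_etc_profile
 - var_accounts_user_umask=027
 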
From ec2d43b53d75627fd9ac33721fb8f04a5c2574df Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:23:32 +0100
|
|
Subject: [PATCH 45/55] RHEL 8 CIS 5.7 can be partially satisfied by
|
|
use_pam_wheel_for_su
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
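diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 045e219d90f..84a3269afc6 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1989,7 +1989,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: no
+ automated: partially
+ rules:
+ - use_pam_wheel_for_su
 
 - id: 6.1.1
 title: Audit system file permissions (Manual)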
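Review bot: `automated: partially` for the su-restriction control carries no note on what `use_pam_wheel_for_su` leaves uncovered, unlike the other `partially` controls in this series. The commit message says the rule only partially satisfies the control; presumably the remaining gap is that membership of the group allowed to use su is not validated (the rule's OVAL is not visible here, so confirm). Record it above `rules:`, e.g. `# use_pam_wheel_for_su enforces pam_wheel only; <the uncovered part of the control> is not checked`.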
From ca3b471ce283691f423a427c84845ab55860ecfa Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:31:56 +0100
|
|
Subject: [PATCH 46/55] Rules exist which satisfy RHEL 8 CIS 6.2.3
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
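diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 84a3269afc6..d02f2cbbf86 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2154,14 +2154,15 @@ controls:
 rules:
 - no_legacy_plus_entries_etc_passwd
 
- # NEEDS RULE
- # https://github.com/ComplianceAsCode/content/issues/7198
 - id: 6.2.3
 title: Ensure root PATH Integrity (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: no
+ automated: yes
+ rules:
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
 
 - id: 6.2.4
 title: Ensure no legacy "+" entries exist in /etc/shadow (Automated)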
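Review bot: The control is flipped to `automated: yes` on the strength of two rules whose names cover only group/world-writable PATH directories and a `.` entry, and the issue 7198 pointer is removed at the same time. If the benchmark's audit for root PATH integrity also checks for empty entries, a trailing colon, non-existent directories or directories not owned by root (my recollection, not visible in the hunk), `automated: partially` with a comment naming the uncovered checks is the accurate status and keeps the gap tracked. If the two rules do cover everything the audit does, a one-line comment saying so would stop a later reviewer from reopening this.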
From 92adfbb1ca271105aee1be7044b617227e0ef93e Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:34:47 +0100
|
|
Subject: [PATCH 47/55] Rules exist for RHEL 8 CIS 6.2.7 and 6.2.8 but without
|
|
OVAL checks or remediations
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
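diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index d02f2cbbf86..a3f3d4e6d4f 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2196,8 +2196,8 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ related_rules:
 - file_permissions_home_dirs
 
 # NEEDS RULE (for user ownership)
@@ -2207,7 +2207,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- automated: yes
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
 rules:
 - file_groupownership_home_directories
 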
From 25b0bbb11fc07f16bada862c99eb01c2d76fb582 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:35:23 +0100
|
|
Subject: [PATCH 48/55] Rules exist for RHEL 8 CIS 6.2.20 but without OVAL
|
|
checks or remediations
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
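diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a3f3d4e6d4f..cfefd245300 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2311,10 +2311,10 @@ controls:
 automated: no
 
 - id: 6.2.20
- title: Ensure shadow group is empty (Automated)
+ title: Ensure all users' home directories exist (Automated)
 levels:
 - l1_server
 - l1_workstation
- automated: yes
- rules:
+ automated: no # The rule below exists, but does not have any OVAL checks or remediations.
+ related_rules:
 - accounts_user_interactive_home_directory_exists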
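Review bot: Retitling `6.2.20` changes which benchmark requirement this entry represents, so the requirement it previously named, "Ensure shadow group is empty", must now exist under its correct id elsewhere in the file or it silently drops out of coverage; neither that entry nor a duplicate `6.2.20` check is visible in the hunk. Confirm both before merging. The commit message only describes the OVAL/remediation gap, so a short note in the description that the title was a copy-paste error (if that is what it was) would help future archaeology.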
From c8d07e3ace333c4aa0098d64836596a4e4f7b772 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Fri, 6 Aug 2021 16:38:11 +0100
|
|
Subject: [PATCH 49/55] We cannot use audit_rules_kernel_module_loading because
|
|
it also checks for finit_module syscall
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
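diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cfefd245300..e8d3f24ccbb 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1397,7 +1397,11 @@ controls:
 - l2_workstation
 automated: yes
 rules:
- - audit_rules_kernel_module_loading
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_init
+ - audit_rules_privileged_commands_insmod
+ - audit_rules_privileged_commands_modprobe
+ - audit_rules_privileged_commands_rmmod
 
 # NEEDS RULE
 # https://github.com/ComplianceAsCode/content/issues/5516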
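Review bot: The replacement rule set deliberately leaves the `finit_module` syscall unaudited — the commit message gives that as the reason for dropping `audit_rules_kernel_module_loading` — but nothing in the hunk records it. Since `finit_module` is another kernel-module load path, a later reader is likely to read its absence as a detection gap and re-add the combined rule, undoing the benchmark alignment. Add above `rules:`: `# audit_rules_kernel_module_loading is intentionally not used: it also audits finit_module, which this benchmark version does not list`. The control's `- id:` and `title:` lines are outside the hunk.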
From b3a579bc7aed5519923ce99252210e4d88beda91 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Mon, 9 Aug 2021 11:49:56 +0100
|
|
Subject: [PATCH 50/55] Use only 'related_rules' and not 'rules' when a control
|
|
is not automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
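diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index e8d3f24ccbb..a624d06cb56 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2128,7 +2128,7 @@ controls:
 - l1_server
 - l1_workstation
 automated: no
- rules:
+ related_rules:
 - file_permissions_unauthorized_suid
 
 - id: 6.1.14
@@ -2137,7 +2137,7 @@ controls:
 - l1_server
 - l1_workstation
 automated: no
- rules:
+ related_rules:
 - file_permissions_unauthorized_sgid
 
 # NEEDS RULE
@@ -2212,7 +2212,7 @@ controls:
 - l1_server
 - l1_workstation
 automated: no # The rule below exists, but does not have any OVAL checks or remediations.
- rules:
+ related_rules:
 - file_groupownership_home_directories
 
 # NEEDS RULE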
From 3f6766beb261a309eacb788bdd21fa54e800b43c Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Tue, 10 Aug 2021 09:12:18 +0100
|
|
Subject: [PATCH 51/55] Correct value of SSH MaxSessions based on upstream
|
|
Draft Benchmark 1.1.0
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 10 +++++-----
|
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
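diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a624d06cb56..bff2200ce12 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1782,11 +1782,11 @@ controls:
 - var_sshd_set_maxstartups=10:30:60
 
 # The title of this control does not appear to match the suggested audit and
- # remediation in the CIS Benchmark version 1.0.1 - this profile uses the
- # value from the audit and remediation sections of the benchmark rather than
- # from the title.
+ # remediation in the CIS Benchmark version 1.0.1
+ #
+ # As noted in the ticket below, this is resolved in Draft Benchmark 1.1.0
+ # which confirms that '4' is the intended value for this control.
 #
- # An upstream ticket has been opened about this issue:
 # https://workbench.cisecurity.org/community/14/tickets/13414
 - id: 5.2.19
 title: Ensure SSH MaxSessions is set to 4 or less (Automated)
@@ -1796,7 +1796,7 @@ controls:
 automated: yes
 rules:
 - sshd_set_max_sessions
- - var_sshd_max_sessions=10
+ - var_sshd_max_sessions=4
 
 - id: 5.2.20
 title: Ensure system-wide crypto policy is not over-ridden (Automated)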
From e9ca1baec39ff010e63a99ac479e15b7fb73c352 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Wed, 11 Aug 2021 10:37:23 +0100
|
|
Subject: [PATCH 52/55] Control to disable IPv6 should not be automated
|
|
|
|
---
|
|
controls/cis_rhel8.yml | 4 +---
|
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
|
|
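diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index bff2200ce12..29d972427cf 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1177,9 +1177,7 @@ controls:
 levels:
 - l2_server
 - l2_workstation
- automated: yes
- rules:
- - kernel_module_ipv6_option_disabled
+ automated: no
 
 - id: 4.1.1.1
 title: Ensure auditd is installed (Automated)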
From a7b6c13f927d9494f65c314ea6f3ba71b9b350cb Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Tue, 17 Aug 2021 13:09:48 +0100
|
|
Subject: [PATCH 53/55] Fix rules with missing CCEs for RHEL8
|
|
|
|
---
|
|
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
|
|
.../uefi/file_groupowner_efi_grub2_cfg/rule.yml | 1 +
|
|
.../bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml | 1 +
|
|
.../uefi/file_permissions_efi_grub2_cfg/rule.yml | 1 +
|
|
shared/references/cce-redhat-avail.txt | 4 ----
|
|
5 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
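diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index 24a0feaf0aa..748d9d9d188 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -21,6 +21,7 @@ severity: unknown
 
 identifiers:
 cce@rhel7: CCE-80199-3
+ cce@rhel8: CCE-85914-0
 
 references:
 cis-csc: 11,3,9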
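diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
index 288b6706b03..f44e85a059a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 
 identifiers:
 cce@rhel7: CCE-83430-9
+ cce@rhel8: CCE-85915-7
 
 references:
 cis-csc: 12,13,14,15,16,18,3,5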
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
|
|
index edcda693591..a9468d00ddc 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml
|
|
@@ -23,6 +23,7 @@ severity: medium
|
|
|
|
identifiers:
|
|
cce@rhel7: CCE-83429-1
|
|
+ cce@rhel8: CCE-85913-2
|
|
|
|
references:
|
|
cis-csc: 12,13,14,15,16,18,3,5
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
|
|
index 6e636a7caf7..bc4fdcc7e04 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
|
|
@@ -21,6 +21,7 @@ severity: medium
|
|
|
|
identifiers:
|
|
cce@rhel7: CCE-83431-7
|
|
+ cce@rhel8: CCE-85912-4
|
|
|
|
references:
|
|
cis-csc: 12,13,14,15,16,18,3,5
|
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
index 3b24e19da06..179412e8961 100644
|
|
--- a/shared/references/cce-redhat-avail.txt
|
|
+++ b/shared/references/cce-redhat-avail.txt
|
|
@@ -42,10 +42,6 @@ CCE-85907-4
|
|
CCE-85908-2
|
|
CCE-85909-0
|
|
CCE-85911-6
|
|
-CCE-85912-4
|
|
-CCE-85913-2
|
|
-CCE-85914-0
|
|
-CCE-85915-7
|
|
CCE-85916-5
|
|
CCE-85917-3
|
|
CCE-85918-1
|
|
|
|
From b2a35c50c402267c8e77db287187e594fe917e77 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Tue, 17 Aug 2021 13:15:15 +0100
|
|
Subject: [PATCH 54/55] Add missing CIS references for RHEL 8 rules
|
|
|
|
---
|
|
.../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 +
|
|
.../disabling_xwindows/xwindows_remove_packages/rule.yml | 1 +
|
|
.../root_logins/use_pam_wheel_for_su/rule.yml | 1 +
|
|
.../root_paths/accounts_root_path_dirs_no_write/rule.yml | 1 +
|
|
.../accounts-session/root_paths/root_path_no_dot/rule.yml | 1 +
|
|
.../user_umask/accounts_umask_etc_login_defs/rule.yml | 1 +
|
|
6 files changed, 6 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
|
index 2ffb01a3983..ee54a53dfd4 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
|
@@ -27,6 +27,7 @@ identifiers:
|
|
|
|
references:
|
|
cis@rhel7: 5.3.5
|
|
+ cis@rhel8: 5.2.5
|
|
disa: CCI-000067
|
|
nerc-cip: CIP-007-3 R7.1
|
|
nist: AC-17(a),AC-17(1),CM-6(a)
|
|
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
|
index c548b1e3ea2..935766db26d 100644
|
|
--- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
|
+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
|
|
@@ -41,6 +41,7 @@ identifiers:
|
|
|
|
references:
|
|
cis@rhel7: 2.2.2
|
|
+ cis@rhel8: 2.2.2
|
|
disa: CCI-000366
|
|
nist: CM-6(b)
|
|
srg: SRG-OS-000480-GPOS-00227
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
index 984a8cf333e..616a0aa0052 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
@@ -24,6 +24,7 @@ identifiers:
|
|
|
|
references:
|
|
cis@rhel7: "5.7"
|
|
+ cis@rhel8: 5.7
|
|
cis@sle15: '5.6'
|
|
cis@ubuntu2004: '5.6'
|
|
ospp: FMT_SMF_EXT.1.1
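Review bot: `cis@rhel8: 5.7` is unquoted, so a YAML loader reads it as the float 5.7 rather than the reference string, unlike the quoted `cis@rhel7: "5.7"` directly above it; the other references added in this patch (`5.2.5`, `2.2.2`, `6.2.3`, `5.5.5`) contain two dots and remain strings, so this is the only affected line. The final patch in the series corrects it to `cis@rhel8: "5.7"`; squashing that one-line fix into this commit would keep every commit in the series loadable as intended and the history bisectable.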
|
|
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
|
|
index 81c30174c71..057701075e5 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/rule.yml
|
|
@@ -23,6 +23,7 @@ identifiers:
|
|
references:
|
|
cis-csc: 11,3,9
|
|
cis@rhel7: 6.2.10
|
|
+ cis@rhel8: 6.2.3
|
|
cis@sle15: 6.2.4
|
|
cis@ubuntu2004: 6.2.3
|
|
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
|
|
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
|
|
index 748d9d9d188..c94de8fa3e6 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
|
|
@@ -26,6 +26,7 @@ identifiers:
|
|
references:
|
|
cis-csc: 11,3,9
|
|
cis@rhel7: 6.2.10
|
|
+ cis@rhel8: 6.2.3
|
|
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
|
|
disa: CCI-000366
|
|
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
|
|
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
|
|
index 46e81737199..51f8e51fa6a 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
|
|
@@ -25,6 +25,7 @@ references:
|
|
anssi: BP28(R35)
|
|
cis-csc: 11,18,3,9
|
|
cis@rhel7: 5.5.5
|
|
+ cis@rhel8: 5.5.5
|
|
cis@ubuntu2004: 5.4.4
|
|
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05
|
|
disa: CCI-000366
|
|
|
|
From 379910b8185590bed1c620dcb07cbb28ee41ecd7 Mon Sep 17 00:00:00 2001
|
|
From: Alex Haydock <alex@alexhaydock.co.uk>
|
|
Date: Tue, 17 Aug 2021 13:25:45 +0100
|
|
Subject: [PATCH 55/55] Quote reference to avoid it being interpreted as an
|
|
integer
|
|
|
|
---
|
|
.../root_logins/use_pam_wheel_for_su/rule.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
index 616a0aa0052..08677cbb7dc 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
@@ -24,7 +24,7 @@ identifiers:
|
|
|
|
references:
|
|
cis@rhel7: "5.7"
|
|
- cis@rhel8: 5.7
|
|
+ cis@rhel8: "5.7"
|
|
cis@sle15: '5.6'
|
|
cis@ubuntu2004: '5.6'
|
|
ospp: FMT_SMF_EXT.1.1
|